Direct Implementation: Core mod_headers Security Directives
Deploy mandatory HTTP response headers using mod_headers to mitigate XSS, clickjacking, MIME sniffing, and protocol downgrade attacks. Configure directives at the VirtualHost level for performance and to prevent .htaccess override conflicts. Reference the broader Server & Platform Implementation Guides for cross-platform header parity and deployment standards.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "0"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
Security Implications:
- X-Frame-Options DENY prevents iframe embedding and clickjacking.
- X-Content-Type-Options blocks MIME-type sniffing attacks.
- X-XSS-Protection "0" explicitly disables legacy browser filters that historically introduced XSS vulnerabilities.
- Permissions-Policy restricts browser API access to authorized origins only.
Exact Configuration: VirtualHost Context & Syntax
Apply Header always set in the <VirtualHost> block to ensure headers are injected regardless of response status codes. Avoid Header set, which omits 4xx/5xx responses. If directory-level overrides are required, align with Apache .htaccess & VirtualHost Hardening to prevent duplicate header injection via Header unset or always flags.
<VirtualHost *:443>
ServerName your-domain.com
DocumentRoot /var/www/html
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
</IfModule>
</VirtualHost>
Security Implications:
- HSTS enforces HTTPS and prevents SSL stripping attacks.
- CSP restricts resource loading to trusted origins, mitigating injection attacks.
- COOP/CORP mitigate cross-origin data leaks and Spectre-class side-channel attacks.
- The always flag guarantees header injection on error pages, redirects, and proxy responses.
Diagnostic & Verification Commands
Validate header injection and syntax using curl and apachectl. Check for duplicate headers, missing always flags, and syntax errors before deployment.
apachectl configtest
apachectl graceful
curl -sI https://your-domain.com | grep -iE '(strict-transport|content-security|x-content-type|x-frame|referrer-policy|permissions-policy|cross-origin)'
apachectl -M | grep headers
Verification Steps:
- Run apachectl configtest to catch syntax errors before reload.
- Execute curl -sI against multiple endpoints (200, 404, 500) to verify headers persist across all status codes.
- Confirm mod_headers is loaded via apachectl -M.
- Inspect browser DevTools Network tab for header duplication, case-sensitivity mismatches, or override conflicts.
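Added example (not from the original guide): a small Python audit that applies the verification steps above to captured curl -sI output, flagging required headers that are absent on an error response (the symptom of Header set without always) and header names that appear more than once regardless of case. Both response dumps are constructed for the example, not captured from a real host.

```python
from collections import Counter

# Headers the VirtualHost above is expected to emit on every response.
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy",
                    "Permissions-Policy", "Cross-Origin-Opener-Policy",
                    "Cross-Origin-Resource-Policy")

# Constructed `curl -sI` dumps, not captured from a real host. The 200 carries an
# X-Frame-Options duplicated by a proxy with a case mismatch; the 404 shows what
# `Header set` (without `always`) leaves out on error responses.
RESPONSE_200 = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
x-frame-options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
"""
RESPONSE_404 = """HTTP/1.1 404 Not Found
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
"""

def parse_response(raw):
    """Return (status_code, Counter of lower-cased header names); lower-casing
    means duplicates that differ only in case are counted together."""
    lines = [line.rstrip("\r") for line in raw.strip().splitlines()]
    status = int(lines[0].split()[1])
    names = Counter(line.partition(":")[0].strip().lower()
                    for line in lines[1:] if ":" in line)
    return status, names

def audit(raw, required=REQUIRED_HEADERS):
    """Report required headers that are absent and names seen more than once."""
    status, names = parse_response(raw)
    return {
        "status": status,
        "missing": [h for h in required if h.lower() not in names],
        "duplicates": sorted(n for n, count in names.items() if count > 1),
    }

if __name__ == "__main__":
    for dump in (RESPONSE_200, RESPONSE_404):
        print(audit(dump))
```

In practice, feed it the output of curl -sI for each endpoint and status code you test; an empty missing list on the 404 and 500 responses is the evidence that the always flag is in place.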
Edge Cases & Rollback Procedures
Handle proxy interference, CDN header stripping, and legacy browser compatibility. If headers break application functionality, implement targeted rollbacks using Header unset or conditional IfModule blocks.
# Rollback specific header if breaking legacy app
# (the env= condition is an unquoted argument; LEGACY_APP is set elsewhere, e.g. via SetEnvIf)
Header unset X-Frame-Options env=LEGACY_APP
# Conditional CSP for admin panel
<Directory /var/www/html/admin>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'"
</Directory>
# CDN/Proxy override prevention
Header always set X-Proxy-Header-Conflict "resolved"
Edge Cases & Rollback Protocols:
- CDN Interference: CDNs may strip or override HSTS/CSP. Configure origin-pull headers or CDN page rules to pass-through upstream headers.
- Reverse Proxy Duplication: Proxies can duplicate headers. Use Header always set with merge directives or disable proxy header forwarding (ProxyPassReverse adjustments).
- Legacy Browser Support: IE11 requires X-Frame-Options but ignores modern COOP/CORP. Maintain DENY alongside modern headers for backward compatibility.
- Immediate Rollback: Comment out offending directives, run apachectl graceful, and verify curl output. Use configuration management (Ansible/Puppet) to revert to the last known good state.