Fix Missing Security Headers on Apache

Last updated: April 2026

Add security headers using Apache's Header directive in .htaccess or your virtual host config.


Enable mod_headers

a2enmod headers
systemctl restart apache2

.htaccess: all security headers

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; object-src 'none'"
</IfModule>

Virtual host config

<VirtualHost *:443>
    ServerName yoursite.com
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
    </IfModule>
</VirtualHost>

Test and reload

apachectl configtest
systemctl reload apache2
curl -sI https://yoursite.com | grep -iE "strict|x-frame|x-content|referrer|permissions|content-security"
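
Added example, not part of the original guide: a POSIX shell function that reads `curl -sI` output and lists which of the six headers from the .htaccess block are missing, so a gap is reported by name rather than spotted by eye. The sample response is constructed to match what the virtual host block above would send; `missing_headers`, `check_sample` and `SAMPLE_VHOST` are names chosen for this example.

```shell
#!/bin/sh
# Added example: report which of the guide's six security headers a response lacks.

# Header names from the .htaccess block, lowercased for case-insensitive matching.
REQUIRED="strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy content-security-policy"

# Reads raw response headers on stdin; prints one missing header name per line.
missing_headers() {
    # Strip CRs, then keep only the lowercased field name before the first colon.
    # The status line and the blank terminator have no colon and are skipped.
    present=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    for h in $REQUIRED; do
        # -x: whole-line match, -F: literal string, so "x-frame" alone never counts.
        printf '%s\n' "$present" | grep -qxF "$h" || printf '%s\n' "$h"
    done
}

# Constructed sample: the four headers the virtual host block sets.
SAMPLE_VHOST='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
'

check_sample() { printf '%s' "$SAMPLE_VHOST" | missing_headers; }

# Demo on the constructed sample. Against a live site:
#   curl -sI https://yoursite.com | missing_headers
check_sample
```

Running the same pipe against a URL that returns an error page (for example a path that does not exist) confirms that `Header always set` also applies the headers to non-2xx responses.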