WordPress AWS LightSail Security Headers
HTTP security headers are response headers a web server sends to tell the visitor's browser how the page may be used: whether it may be framed, which device APIs scripts may call, whether it must only ever be loaded over HTTPS, and so on. They help protect visitors against attacks such as cross-site scripting, clickjacking and protocol downgrade. They do nothing for the server itself; the browser enforces them.
This is a step-by-step guide to adding security headers to a WordPress instance in AWS Lightsail (the Bitnami image, which serves WordPress with Apache).
How to scan for Security Headers
Navigate to Securityheaders.com and enter the site you want to check. The scan returns a full report of the headers your site sends, together with a grade. If the grade is not good enough, carry on reading.
Warning! Changing server settings can break your website. Always take a snapshot of the instance (or back up the files you are about to change) before you proceed with the configuration below.
Configuration
To follow along you need SSH access to the instance and an SFTP client or file manager.
1) Enable .HTACCESS overrides
Note that the file to edit is not the .htaccess in your WordPress directory. The Bitnami image ignores per-directory .htaccess files by default (AllowOverride None in the Apache vhost), so we change that setting in the vhost configuration.
Using FTP File Manager navigate to the following folder and download the “wordpress-vhost.conf” file on your computer.
/opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf
Open the file in your favourite code editor and find the following directive:
AllowOverride None
change to
AllowOverride All
Save the file.
Important step: instead of uploading the file over the old one, first rename the original so you can roll back, for example to "wordpress-vhost.conf_original". Apache loads every file in that folder whose name ends in .conf, so the backup copy must not keep a .conf extension, otherwise both copies would be loaded.
Now upload the newly modified file from your computer back to the server.
2) Add the Security Headers
Navigate to the “/opt/bitnami/apache/conf/vhosts/htaccess/” folder and download the “wordpress-htaccess.conf” file on your computer.
/opt/bitnami/apache/conf/vhosts/htaccess/wordpress-htaccess.conf
Open the "wordpress-htaccess.conf" file and add the following security headers at the bottom, after the last "</Directory>" closing tag.
<Directory "/opt/bitnami/wordpress">
    <IfModule mod_headers.c>
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header set Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
        Header set X-Content-Type-Options nosniff
        Header set X-DNS-Prefetch-Control "on"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set Referrer-Policy "same-origin"
        Header set Content-Security-Policy "upgrade-insecure-requests;"
    </IfModule>
</Directory>
Headers Source: https://towardsthecloud.com/hardening-wordpress-amazon-lightsail
Note that some of these values may not suit your site; test them one at a time and adjust. A few caveats before you copy them: "Header set" only adds a header to successful (2xx) responses, so redirects and error pages will not carry it unless you use "Header always set" instead. Strict-Transport-Security with "preload" commits every subdomain to HTTPS, and once the domain is on the browser preload list that is very hard to undo, so only keep "preload" if every subdomain is already served over HTTPS. X-XSS-Protection is a legacy header; the major browsers have removed the XSS auditor it controlled, so it is harmless here but adds no protection. The Content-Security-Policy shown only upgrades http: subresources to https:; a real script- and frame-source policy is a separate, larger job.
In this example the Permissions-Policy disables the camera, microphone and geolocation APIs for every script on the page, including third-party scripts, and interest-cohort=() opts the site out of FLoC. Many more browser features can be controlled the same way, such as autoplay, fullscreen, payment and usb.
If you want to learn about each Security Header I made another article which has the explanations – Set HTTP Security Headers Apache WHM
3) Restart Apache
Open the Terminal and run the following command to restart Apache.
Tip: You can use the Terminal inside Lightsail to do that.
sudo /opt/bitnami/ctlscript.sh restart apache
That’s it. Clear the WordPress cache (and any CDN cache in front of the site) and re-check your headers at Securityheaders.com.
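You can also confirm from the terminal which of the step 2 headers the server actually sends, without waiting for the online scanner. The script below is an added example written for this article, not code from the original post or from Bitnami. The sample responses embedded in it are constructed, the header list is the one from step 2, and the site URL it accepts is a placeholder. Point it at the page URL itself rather than a URL that redirects, because "Header set" only fires on 2xx responses.

```shell
#!/bin/sh
# Added example, not part of the original article: check which of the
# security headers from step 2 a site sends. With no argument it runs
# against a constructed "before" sample; with a URL it calls curl itself.
# The header list, the sample responses and the URL are assumptions.

# Headers the wordpress-htaccess.conf block is expected to add (lowercase names).
REQUIRED_HEADERS="strict-transport-security permissions-policy x-content-type-options x-frame-options referrer-policy content-security-policy"

# Constructed sample: what `curl -sI` returned BEFORE the change.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 10:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same request AFTER the headers were added and Apache restarted.
SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 10:05:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: on
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Content-Security-Policy: upgrade-insecure-requests;
Content-Type: text/html; charset=UTF-8'

# normalize: strip the CR that curl leaves on every header line and lowercase,
# so header names compare case-insensitively (as HTTP requires).
normalize() {
  tr -d '\r' | tr 'A-Z' 'a-z'
}

# missing_headers: read raw response headers on stdin and print each required
# header that is absent, one per line. Always exits 0 so it composes in pipelines.
missing_headers() {
  headers=$(normalize)
  for h in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
      echo "$h"
    fi
  done
  return 0
}

# count_missing: number of required headers absent from the headers on stdin.
count_missing() {
  n=0
  for h in $(missing_headers); do n=$((n + 1)); done
  echo "$n"
}

# hsts_max_age: print the max-age of Strict-Transport-Security, or nothing if
# the header is absent.
hsts_max_age() {
  normalize | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# hsts_preload_ready: "yes" if the HSTS header meets the preload-list minimums
# (max-age >= 31536000, includeSubDomains and preload present), else "no".
hsts_preload_ready() {
  hsts=$(normalize | grep '^strict-transport-security:' | head -n 1)
  age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  case "$hsts" in
    *includesubdomains*preload*|*preload*includesubdomains*) dirs=1 ;;
    *) dirs=0 ;;
  esac
  if [ -n "$age" ] && [ "$age" -ge 31536000 ] && [ "$dirs" -eq 1 ]; then
    echo yes
  else
    echo no
  fi
}

# Usage: sh check_headers.sh https://example.com   (placeholder URL)
# Without an argument the constructed "before" sample is checked instead.
if [ -n "${1:-}" ]; then
  resp=$(curl -sSI "$1")
else
  resp=$SAMPLE_BEFORE
fi
printf '%s\n' "$resp" | missing_headers | sed 's/^/missing: /'
printf 'HSTS preload ready: %s\n' "$(printf '%s\n' "$resp" | hsts_preload_ready)"
```

Run it against the "after" sample (or your live site) and it should report nothing missing and "HSTS preload ready: yes"; against the "before" sample it lists all six headers. The preload check exists because the page's HSTS value includes "preload", which is only worth sending once every subdomain is on HTTPS.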
I hope that this guide works for you. Let me know in the comments below if you found it helpful.
More Resources