HTTP Headers

There are some simple security-related HTTP headers that every PHP application should set.

If you are using Apache to send the headers, you will need to enable the headers module (mod_headers). On Debian and Ubuntu this can be done with:

a2enmod headers
systemctl restart apache2

X-Frame-Options

This header predates the frame-ancestors directive of Content Security Policy (CSP), which supersedes it: a browser that understands frame-ancestors ignores X-Frame-Options when both are present. It is still worth setting for browsers that do not support frame-ancestors. It instructs the browser not to render the page inside another page, which is the basis of clickjacking attacks, via any of the following elements:

<frame>
<iframe>
<embed>
<object>

Most applications have no reason to be embedded in another page (media has dedicated elements such as <video> for that), so DENY is the right default. If your application legitimately frames its own pages, use SAMEORIGIN instead, which still blocks framing by other origins.

Header:

X-Frame-Options: DENY

.htaccess or Apache virtual host (always makes Apache add the header to error responses as well, so it is also sent on 404 and 500 pages):

Header always set X-Frame-Options "DENY"

X-Content-Type-Options

This header instructs the browser to trust the MIME type in the Content-Type header and not try to guess (sniff) it from the content. It should always be set, because every response has two possibilities:

Content-Type header is correct: There is no need for the browser to guess the MIME type.

Content-Type header is incorrect: The Content-Type header should be fixed rather than relying on the browser to compensate.

As well as the possibility of the browser's guess being incorrect, MIME sniffing is a security risk in its own right: a file the server labels as an image or plain text (a user upload, for example) can be sniffed as HTML or JavaScript and executed in the page's origin. With nosniff set, browsers also refuse to execute scripts or apply stylesheets whose Content-Type is not a JavaScript or CSS type.

Header:

X-Content-Type-Options: nosniff

.htaccess or Apache virtual host:

Header always set X-Content-Type-Options "nosniff"
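Once the headers are configured, it is worth checking what the server actually sends. The following Python script is an added example and is not part of the original page: it parses a raw HTTP response head and reports whether X-Frame-Options and X-Content-Type-Options are present with values browsers honour, covering both headers described above. The function names and the two sample responses are constructed for this example; no real server was queried.

```python
"""Offline audit of the X-Frame-Options and X-Content-Type-Options headers.

Added example (not from the original page): parse a raw HTTP response head
and report whether the two headers are present and carry values browsers
actually honour.  The sample responses below are constructed.
"""
from __future__ import annotations

# Values of X-Frame-Options that current browsers honour.  ALLOW-FROM is
# obsolete and ignored, so it leaves the page frameable and is flagged.
FRAME_OPTIONS_OK = {"DENY", "SAMEORIGIN"}


def parse_response_head(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP response into (status line, headers).

    Header names are case-insensitive, so they are lower-cased; a name can
    appear more than once, so every name maps to a list of values.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_security_headers(raw: str) -> list[str]:
    """Return a list of findings; an empty list means both headers are correct."""
    _, headers = parse_response_head(raw)
    findings: list[str] = []

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif len(set(v.upper() for v in xfo)) > 1:
        findings.append(f"X-Frame-Options has conflicting values {xfo}; set it exactly once")
    elif xfo[0].upper() not in FRAME_OPTIONS_OK:
        findings.append(f"X-Frame-Options value {xfo[0]!r} is not DENY or SAMEORIGIN")

    xcto = headers.get("x-content-type-options", [])
    if not xcto:
        findings.append("X-Content-Type-Options missing: browser may MIME-sniff the body")
    elif xcto[0].lower() != "nosniff":
        findings.append(f"X-Content-Type-Options value {xcto[0]!r} should be 'nosniff'")

    # nosniff only tells the browser to trust Content-Type; it cannot help
    # if that header is absent, so report that as well.
    if "content-type" not in headers:
        findings.append("Content-Type missing: nosniff has nothing to enforce")

    return findings


# Constructed sample responses (not captured from a real server).
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<!doctype html><p>hello</p>"
)

WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "\r\n"
    "<!doctype html><p>hello</p>"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK)):
        findings = audit_security_headers(raw)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

To check a live server, feed the script the output of `curl -si https://your-host/` (which prints the status line and headers followed by the body) instead of the constructed strings. Check an error page as well as a normal one: without `always` in the Apache directive the headers are only added to successful responses.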