Gunnar Assmy - Fotolia


How to add HTTP security headers to various types of servers

Expert Judith Myerson outlines the different types of HTTP security headers and how to add them to different servers, including Apache, Ngnix and Microsoft IIS Manager.

There are two primary server types that many sites use to respond to HTTP security requests from a browser: Microsoft...

Internet Information Services (IIS) Manager and Nginx. Let's look at some examples of adding HTTP security headers for each server type.

Some companies, such as Adobe, run their websites on Apache servers. The Apache server is an old timer; it has been around since 1996. The Nginx server emerged in 2004 as an Apache alternative. They differ in four primary areas:

  • Content type. Apache handles both static and dynamic content, while Nginx handles static content and passes dynamic requests to other software.
  • Module system. Apache's module system enables the organization to dynamically load or unload modules while the server is running. In Nginx, modules are not dynamically loadable; they must be selected and compiled in the core software.
  • Configuration files. With Nginx, there is no directory-level configuration file like Apache's .htaccess or IIS's web.config files. All configurations have to be done at the server level by an administrator, and WordPress cannot modify the configuration like it can with Apache or IIS.
  • Syntax rules. The Apache and Nginx servers do not have the same syntax rules on adding HTTP security headers to the web server's files.

With Microsoft IIS Manager 7 and beyond, the administrator can choose to edit the configuration files, run the syntax-based user interface, run appcmd.exe commands in a command-line window or write Windows Management Instrumentation (WMI) scripts on most content types. WMI scripts refer to the type of script performing the addition, like C#, ASP.NET, VB.NET, VBScript and JavaScript.

If any web server responds with the information to let the world know what software the server is running and what programming language it is using to power the software, this information must be removed or changed.

The following table lists HTTP security headers each with proper configurations for demonstration purposes:

HTTP security header types

Next, let's look at the HTTP security headers that can be added to the different server types.

Server type: Nginx

The syntax for adding response headers begins with add-header, followed by an HTTP response header and value(s) and ends with always;. For example:

add_header X-Xss-Protection "1; mode=block" always;

add_header X-Content-Type-Options "nosniff" always;

All values are enclosed within two quotes.

Server type: Apache

The syntax begins with Header always set, followed by a response header type and value(s). The syntax doesn't end with a punctuation mark.

Header always set X-Xss-Protection "1; mode=block"

Header always set X-Content-Type-Options "nosniff"

Server type: Microsoft IIS

This Windows server's user interface takes a visual approach to configuring HTTP responses that are added to the responses from the web server.

A window of the IIS Manager starts with three panes. In the Connections pane on the left, go to the site to which you want to add custom HTTP headers. On the Home page, look for HTTP Response Headers, and then double-click it.

HTTP response headers

In the Actions pane, click Add... to display the Add Custom HTTP Response Header dialog box. The entries for the name and the value are empty.

Add custom HTTP response headers

Enter a custom header named X-XSS-Protection whose value is 1; mode=block and then click OK. 

Custom header X-XSS-Protection

The custom header is added to the list in the Features View of the Home pane. To add more custom headers, click Add... and repeat the process.

If the value(s) need to be changed, click on a custom header in the Features View, and then choose Edit... in the Actions pane. This brings up the Edit Custom HTTP Response Header dialog box where you can edit the header name and value.

Alternatively, a system administrator with proper credentials can add, edit and remove the custom headers in the configuration file with a text editor or Visual Studio Code. It is easier to handle with the text editor than entering the appcmd.exe command in two long lines in the command prompt window.


These examples show different ways HTTP security headers can be added to harden a server. The type of server depends on the organization's size, security strategy, technical skills and budget. An organization must ensure it is not giving attackers an advantage by advertising the software on which its servers are running. 

Next Steps

Learn how to analyze the flaws of Adobe's HTTP security headers

Find out the pros and cons of HTTP Strict Transport Security

Migrate from HTTP to HTTPS for more security

This was last published in November 2017

Dig Deeper on Application and platform security