Apache Security Headers Generator
Generate production-ready Apache security header configurations for both .htaccess files and VirtualHost blocks. Includes mod_headers directives for all recommended security headers and instructions for removing server version disclosure.
What It Is
Apache HTTP Server uses mod_headers to add, modify, or remove HTTP response headers. Security headers can be configured either in .htaccess files (for per-directory configuration) or in VirtualHost blocks in the main Apache configuration. Both approaches are covered here with tested, production-ready configuration snippets.
Why It Matters
Apache is the most widely deployed web server globally, powering a large share of cPanel-based hosting environments. Default Apache installations disclose the server version, OS, and installed modules. Without mod_headers security configuration, Apache sites are missing multiple layers of browser-enforced security. Shared hosting environments make .htaccess the primary method for implementing security headers.
Common Configuration Mistakes
- ✗ Not having mod_headers enabled (check with: apache2ctl -M | grep headers)
- ✗ Using Header set instead of Header always set — error responses won't include the header
- ✗ Not adding ServerTokens Prod and ServerSignature Off to hide the Apache version
- ✗ Placing .htaccess directives in the wrong location (before or after WordPress rules)
- ✗ Not testing with curl -I https://yourdomain.com after changes
- ✗ Forgetting to restart Apache after modifying the main config (sudo systemctl restart apache2)
Recommended Configuration
# .htaccess
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# "always" so the header is also stripped from 3xx/4xx/5xx responses
Header always unset X-Powered-By
</IfModule>
# ServerSignature is permitted in .htaccess context
ServerSignature Off

# Main server config, NOT .htaccess: ServerTokens is server-config context only and
# causes a 500 "ServerTokens not allowed here" error if placed in .htaccess.
# On Debian/Ubuntu both directives live in /etc/apache2/conf-available/security.conf.
ServerTokens Prod
ServerSignature Off
Frequently Asked Questions
How do I enable mod_headers in Apache?
On Debian/Ubuntu: sudo a2enmod headers && sudo systemctl restart apache2. On CentOS/RHEL: mod_headers is usually enabled by default. Check with: apache2ctl -M | grep headers
Can I add security headers via .htaccess on shared hosting?
Yes, if your host allows AllowOverride All or at least FileInfo. Most cPanel hosts enable this. Test by adding a single header and checking with curl -I. If the header appears, .htaccess overrides are working.
What is the difference between Header set and Header always set?
"Header set" only adds headers to 2xx responses. "Header always set" adds them to all responses including 3xx, 4xx, and 5xx. Always use "Header always set" for security headers.
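The two checks the page keeps coming back to, testing with curl -I after a change and making sure error responses carry the headers too (the Header set versus Header always set distinction), can be scripted so the result is not eyeballed. The following is an added example, not code from the generator page: it parses the raw head that curl -I prints, reports which of the page's recommended headers are missing, flags an HSTS max-age shorter than the recommended 31536000 seconds, and flags a Server or X-Powered-By header that still discloses a version. The two response samples are constructed for the example; in practice you would feed it the saved output of curl -I against both a normal page and a deliberately nonexistent path so the 404 case is covered.

```python
"""Audit captured `curl -I` output against the recommended Apache security
headers. Added example with constructed sample responses; not part of the page."""
import re

# The headers the page's recommended snippet sets with "Header always set".
REQUIRED_HEADERS = {
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the recommended configuration


def parse_response_head(raw):
    """Split a raw HTTP response head (what `curl -I` prints) into
    (status_code, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def audit(raw):
    """Return a list of findings for one response; an empty list means clean."""
    status, headers = parse_response_head(raw)
    findings = []
    for name in sorted(REQUIRED_HEADERS):
        if name not in headers:
            # A header present on 200 but absent on 4xx/5xx is the classic
            # symptom of "Header set" used instead of "Header always set".
            findings.append("missing %s on %d response" % (name, status))
    hsts = headers.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below %d" % MIN_HSTS_MAX_AGE)
    # With ServerTokens Prod the Server header is reduced to just "Apache";
    # a version number or an OS in parentheses means the default is still in place.
    server = headers.get("server", "")
    if re.search(r"apache/\d", server, re.IGNORECASE) or "(" in server:
        findings.append("Server header discloses version/OS: %s" % server)
    if "x-powered-by" in headers:
        findings.append("X-Powered-By present: %s" % headers["x-powered-by"])
    return findings


# Constructed sample: a 200 response from a host with the recommended config applied.
OK_200 = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: a 404 from a host that used "Header set" (so the headers
# never reach error responses) and left ServerTokens at its default.
BAD_404 = """HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=iso-8859-1
"""

if __name__ == "__main__":
    for label, raw in (("200", OK_200), ("404", BAD_404)):
        print(label, audit(raw) or "clean")
```

Running it prints "clean" for the 200 sample and six findings for the 404 sample: the four missing headers, the version-disclosing Server header, and the X-Powered-By header. The Server check is intentionally strict about parentheses because ServerTokens values short of Prod still append the OS, which is exactly what the page's ServerTokens Prod recommendation removes.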
Need Professional Web Application Security Testing?
This scanner checks visible headers. VAPT Experts provides professional web application penetration testing, API security testing, and compliance-ready security reports.