5.x Security

Security

On this page we will detail some recommended security configurations for OrangeHRM Starter.

Recommended HTTP Header Configurations

This section will list out some recommended HTTP headers. You will need to add these to your Apache / NGINX configuration.

Header	Recommend	Apache	NGINX
X-Frame-Options	`DENY`	`Header set X-Frame-Options DENY`	`add_header X-FRAME-Options DENY`
X-Content-Type-Options	`nosniff`	`Header set X-Content-Type-Options nosniff`	`add_header X-Content-Type-Options nosniff`
X-XSS-Protection	`0`	`Header set X-XSS-Protection 0`	`add_header X-XSS-Protection 0`
Server	Hide this header	`ServerTokens Prod`	`server_tokens off`
X-Powered-By	Hide this header	`expose_php = Off` (in php.ini)	`proxy_hide_header X-Powered-By` or `fastcgi_hide_header X-Powered-By

You can find the reasoning for these recommendations below.

X-Frame-Options

Recommendation: DENY
Add to:
- Apache: Header set X-Frame-Options DENY
- NGINX: add_header X-Frame-Options DENY

This header is used to prevent clickjacking. It informs the browser whether a resource can be embedded in another site.

If you set "DENY", your OrangeHRM application will not be embeddable on other sites (and not even on the same site).

References

X-Content-Type-Options

Recommendation: nosniff
Add to:
- Apache: Header set X-Content-Type-Options nosniff
- NGINX: add_header X-Content-Type-Options nosniff;

This header is used to prevent content/MIME sniffing (i.e. it prevents the browser from going through the resource to guess the MIME type).

References:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options

X-XSS-Protection

Recommendation: 0
Add to:
- Apache: Header set X-XSS-Protection 0
- NGINX: add_header X-XSS-Protection 0

This header should be disabled as it introduces more vulnerabilities than it prevents. You should explicitly define this as 0 rather than leaving it out.

References

X-Powered-By

Recommendation: Hide this header
Add to:
- Apache: expose_php = Off (in php.ini)
- NGINX: proxy_hide_header X-Powered-By or fastcgi_hide_header X-Powered-By

This header exposes information on the technology used by the server. You should hide it to prevent attackers from identifying your tech stack easily.

References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-powered-by

Server

Recommendation: Hide this header
Add to
- Apache: ServerTokens Prod and ServerSignature Off
- NGINX: server_tokens off (only removes the version)

This header exposes information on the server. You should hide it (or limit the information provided) to prevent attackers from identifying your server easily.

References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#server

OrangeHRM

OrangeHRM-5X

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

5.x Security

Security

Recommended HTTP Header Configurations

X-Frame-Options

X-Content-Type-Options

X-XSS-Protection

X-Powered-By

Server

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally