
Setting Security Headers and Cookie Attributes for web server in Apache or PHP?

I know there are ways to set Security Headers and Cookie Attributes in PHP, but also in the Apache Virtualhost Config, for example:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict


Header always set X-Frame-Options "SAMEORIGIN"

But I could also do this in PHP instead, for each cookie / header in every PHP file.

Is there a reason to prefer one of the options above over another? Doing it in Apache seems to be less work. Is there any difference regarding the security it offers / any reason to do it in PHP?



Setting both in apache2 gives you peace of mind – even if your junior dev adds a new script or functionality and misses setting the desired cookie property or header – apache2 will have your back, proverbially speaking.

On the other hand, if you move to a new host, or maybe a different web server – you’ll have to add equivalent settings.

All in all – I’d keep anything critical in PHP to avoid unexpected surprise.

User contributions licensed under: CC BY-SA
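
An added example, not part of the question or the answer above: one way to apply both settings from a single PHP file rather than in every script, so a script that forgets an attribute is still covered and the settings travel with the code to another web server. It assumes PHP 7.3 or later; `harden_set_cookie` and `REQUIRED_COOKIE_ATTRS` are hypothetical names.

```php
<?php
// Added example (not from the original post). Load once before any output,
// e.g. via require or the auto_prepend_file ini setting. Assumes PHP 7.3+.
declare(strict_types=1);

// Attributes from the question's "Header edit Set-Cookie" directive.
const REQUIRED_COOKIE_ATTRS = ['HttpOnly', 'Secure', 'SameSite=Strict'];

// Hypothetical helper: append required attributes missing from one
// Set-Cookie value. An attribute the script already set (for example
// SameSite=Lax) is left alone rather than duplicated.
function harden_set_cookie(string $value): string
{
    $parts = array_map('trim', explode(';', strtolower($value)));
    array_shift($parts); // drop the name=value pair
    $present = [];
    foreach ($parts as $part) {
        $present[explode('=', $part, 2)[0]] = true;
    }
    foreach (REQUIRED_COOKIE_ATTRS as $attr) {
        $name = strtolower(explode('=', $attr, 2)[0]);
        if (!isset($present[$name])) {
            $value .= '; ' . $attr;
        }
    }
    return $value;
}

// Defaults for the session cookie, set before session_start() is called.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);

// Runs once, just before PHP sends the response headers.
header_register_callback(function (): void {
    header('X-Frame-Options: SAMEORIGIN'); // same value as the Apache line

    $cookies = [];
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $cookies[] = harden_set_cookie(trim(substr($line, 11)));
        }
    }
    header_remove('Set-Cookie');
    foreach ($cookies as $cookie) {
        header('Set-Cookie: ' . $cookie, false); // false = do not replace
    }
});
```

This only covers responses that PHP itself generates; static files and the server's own error pages never run it, so the `X-Frame-Options` line in the Apache config is still needed for those.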