I know there are ways to set security headers and cookie attributes in PHP, but also in the Apache VirtualHost config, for example:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
or:
Header always set X-Frame-Options "SAMEORIGIN"
But I could also do this in PHP instead, for each cookie/header in every PHP file.
Is there a reason to prefer one of the options above over the other? Doing it in Apache seems to be less work. Is there any difference regarding the security it offers, or any reason to do it in PHP?
Answer
Setting both in Apache gives you peace of mind: even if your junior dev adds a new script or functionality and misses setting the desired cookie property or header, Apache will have your back, proverbially speaking.
On the other hand, if you move to a new hosting provider, or maybe a different web server, you'll have to add equivalent settings.
All in all, I'd keep anything critical in PHP to avoid unexpected surprises.
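One caveat worth checking before relying on the `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict` rule from the question as a safety net: `Header edit` appends its suffix to every `Set-Cookie` value unconditionally, so a cookie that PHP already hardened ends up with duplicated attributes, and a `SameSite` value PHP chose deliberately (say `Lax` for an OAuth callback) gets a conflicting `SameSite=Strict` appended after it. The script below is an added example, not code from the original post or the answer; it re-implements the regex search-and-replace that mod_headers performs in Python's `re` (an approximation: Apache uses PCRE, and the `$N` back-references are translated here) and runs the naive rule next to a guarded variant that uses negative lookaheads so each attribute is added only when missing. The cookie values are constructed for the demonstration.

```python
import re

# Approximation of mod_headers "Header edit": one regex search-and-replace
# on a single header value. Apache uses PCRE and "$N" back-references; Python
# uses "\N", so the replacement string is translated before re.sub is called.
def apache_header_edit(value: str, pattern: str, replacement: str) -> str:
    py_replacement = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_replacement, value, count=1)


def apply_rules(value: str, rules) -> str:
    """Apply a list of (pattern, replacement) edits in order, like
    consecutive Header edit lines in a VirtualHost."""
    for pattern, replacement in rules:
        value = apache_header_edit(value, pattern, replacement)
    return value


def attribute_count(value: str, name: str) -> int:
    """Count how often a cookie attribute (HttpOnly, Secure, SameSite, ...)
    appears in a Set-Cookie value; anything above 1 is a duplicate."""
    parts = [p.strip() for p in value.split(";")]
    return sum(1 for p in parts if p.split("=", 1)[0].lower() == name.lower())


# The rule from the question: blindly appends all three attributes.
NAIVE_RULES = [(r"^(.*)$", "$1;HttpOnly;Secure;SameSite=Strict")]

# Guarded variant (assumed pattern, not from the page): each edit matches only
# when the attribute is absent, so PHP's own choices are never duplicated or
# overridden. Three separate Header edit lines in Apache would do the same.
GUARDED_RULES = [
    (r"(?i)^((?!.*;\s*HttpOnly\b).*)$", "$1; HttpOnly"),
    (r"(?i)^((?!.*;\s*Secure\b).*)$", "$1; Secure"),
    (r"(?i)^((?!.*;\s*SameSite=).*)$", "$1; SameSite=Strict"),
]

# Constructed sample values: a cookie set by a script that forgot every
# attribute, and a PHP session cookie that was already hardened in PHP with a
# deliberate SameSite=Lax.
FORGOTTEN_COOKIE = "remember=abc123; Path=/"
PHP_SESSION_COOKIE = "PHPSESSID=9f86d0; path=/; HttpOnly; SameSite=Lax"


def demo() -> dict:
    """Return both rule sets applied to both cookies so the effect can be
    compared (and asserted on)."""
    return {
        "naive_forgotten": apply_rules(FORGOTTEN_COOKIE, NAIVE_RULES),
        "naive_php": apply_rules(PHP_SESSION_COOKIE, NAIVE_RULES),
        "guarded_forgotten": apply_rules(FORGOTTEN_COOKIE, GUARDED_RULES),
        "guarded_php": apply_rules(PHP_SESSION_COOKIE, GUARDED_RULES),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        dup = [a for a in ("HttpOnly", "Secure", "SameSite")
               if attribute_count(value, a) > 1]
        print(f"{label:18} {value}")
        if dup:
            print(f"{'':18} duplicated attributes: {', '.join(dup)}")
```

Whichever rule you deploy, confirm the result on the live server rather than in a simulation: fetch a page that sets cookies with `curl -sI` (and an error page too, since a rule without `always` does not touch non-2xx responses) and read the `Set-Cookie` lines that actually leave Apache.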