Thursday, September 16, 2010

Custom HTTP Headers P3P

Source site

100% Prevent Files from being cached

This is similar to how Google Ads uses the header Cache-Control: private, x-gzip-ok="" to prevent caching of ads by proxies and clients.

<FilesMatch "\.(html|htm|js|css)$">
FileETag None
<IfModule mod_headers.c>
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</IfModule>
</FilesMatch>
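To check that a response really carries every directive the block above sets (and nothing that would let a cache revalidate it), here is a small audit function. This is an added example, not part of the original article; the two header sets are constructed to show a hardened response beside a default static-file response.

```python
"""Audit HTTP response headers for the "never cache" policy set by the
.htaccess snippet above.  Added example; header sets are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        # x-gzip-ok="" becomes an argument-less directive, like "private"
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def caching_problems(headers, now=None):
    """Return the reasons a response could still be cached (empty = fully hardened).

    `headers` is a dict of header name -> value; lookup is case-insensitive.
    """
    h = {k.lower(): v for k, v in headers.items()}
    now = now or datetime.now(timezone.utc)
    problems = []

    cc = parse_cache_control(h.get("cache-control", ""))
    for needed in ("no-store", "no-cache", "must-revalidate"):
        if needed not in cc:
            problems.append(f"Cache-Control lacks {needed}")
    if cc.get("max-age") != "0":
        problems.append("Cache-Control max-age is not 0")

    # Pragma only matters to HTTP/1.0 caches, but the snippet sets it anyway.
    if h.get("pragma", "").lower() != "no-cache":
        problems.append("Pragma: no-cache missing")

    expires = h.get("expires")
    if expires is None:
        problems.append("Expires header missing")
    else:
        try:
            if parsedate_to_datetime(expires) >= now:
                problems.append("Expires is not in the past")
        except (TypeError, ValueError):
            # RFC 7234 5.3: an unparsable Expires (e.g. "0") means already expired,
            # so this is not a problem.
            pass

    # FileETag None / Header unset ETag: without a validator, no conditional GETs.
    if "etag" in h:
        problems.append("ETag present; caches can still revalidate")
    return problems


# Constructed sample: what the FilesMatch block above produces.
HARDENED = {
    "Cache-Control": "max-age=0, no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Wed, 11 Jan 1984 05:00:00 GMT",
}

# Constructed sample: a typical default static-file response.
DEFAULT = {
    "Cache-Control": "max-age=3600",
    "ETag": '"abc-123"',
    "Last-Modified": "Thu, 16 Sep 2010 00:00:00 GMT",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("default", DEFAULT)):
        print(name, caching_problems(hdrs) or "OK")
```

Run it against the headers of a real response (for example the dict returned by an HTTP client) to confirm the rewrite rules took effect; a non-empty list names exactly which directive is still missing.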

Remove IE imagetoolbar

<FilesMatch "\.(html|htm)$">
<IfModule mod_headers.c>
Header set imagetoolbar "no"
</IfModule>
</FilesMatch>

Add P3P Privacy Headers to your site

Adding a P3P header to your site is a good idea; use one of the following.

<IfModule mod_headers.c>
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
# OR THIS, SIMPLER
Header set P3P "policyref=\"/w3c/p3p.xml\""
</IfModule>

Add an "en-US" language header and UTF-8 without meta tags!

Article: Setting Charset in htaccess

AddDefaultCharset UTF-8
AddLanguage en-US .html .htm .css .js

Using AddType

AddType 'text/html; charset=UTF-8' .html

Using the Files Directive

Article: Using "Files" in htaccess

<Files ~ "\.(htm|html|css|js)$">
AddDefaultCharset UTF-8
DefaultLanguage en-US
</Files>

Using the FilesMatch Directive

Article: Using "FilesMatch" in htaccess

<FilesMatch "\.(htm|html|css|js)$">
AddDefaultCharset UTF-8
DefaultLanguage en-US
</FilesMatch>

Example - This is how Yahoo has it set up, even though they're presumably not dealing with FB iframe issues.

HTTP header Yahoo includes in responses to all HTTP requests made using IE 6+

P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HE

Referenced P3P XML file

http://info.yahoo.com/w3c/p3p.xml which redirects to http://info.yahoo.com/privacy/w3c/p3p_policy.xml

Server Configuration - Easiest way is to set up Apache to add the P3P header to every response sent to an IE browser

Add the following to the relevant section of your httpd.conf file. More about that here: http://httpd.apache.org/docs/2.0/mod/mod_headers.html

BrowserMatch MSIE IS_MSIE
Header set P3P "policyref=\"http://www.your-domain.com/w3c/p3p.xml\", CP=\"CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR UNRi OTRi BUS IND PHY ONL UNI COM NAV INT DEM CNT STA PRE GOV LOC\"" env=IS_MSIE
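The header values in this section (and the simpler policyref-only form shown earlier) follow one small grammar: quoted fields separated by commas, with CP holding space-separated compact-policy tokens. The following parser checks that grammar and also reproduces what the BrowserMatch/env=IS_MSIE pair above does, so you can see which User-Agent strings will actually receive the header. This is an added example, not code from the original article; the placeholder domain is kept from the snippet above and the user-agent strings are constructed.

```python
"""Parse/validate a P3P header value and mirror the BrowserMatch MSIE conditional.
Added example; P3P_VALUE copies the httpd.conf snippet (placeholder domain kept)."""
import re

P3P_VALUE = ('policyref="http://www.your-domain.com/w3c/p3p.xml", '
             'CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR '
             'UNRi OTRi BUS IND PHY ONL UNI COM NAV INT DEM CNT STA PRE GOV LOC"')

# A compact-policy token is 3-4 upper-case letters plus an optional qualifier:
# a = always, i = opt-in, o = opt-out.
_TOKEN = re.compile(r"^[A-Z]{3,4}[aio]?$")
# name="value" fields; the value may not contain a double quote.
_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_p3p(value):
    """Return {'policyref': url-or-None, 'cp': [tokens]}; ValueError if malformed."""
    fields = dict(_FIELD.findall(value))
    # Anything left after removing well-formed fields and commas is junk,
    # e.g. an unbalanced quote from a truncated header.
    leftover = _FIELD.sub("", value).replace(",", "").strip()
    if leftover:
        raise ValueError(f"unparsed text in P3P header: {leftover!r}")
    tokens = fields.get("CP", "").split()
    bad = [t for t in tokens if not _TOKEN.match(t)]
    if bad:
        raise ValueError(f"malformed compact-policy tokens: {bad}")
    return {"policyref": fields.get("policyref"), "cp": tokens}


def is_well_formed(value):
    """True if parse_p3p accepts the value."""
    try:
        parse_p3p(value)
        return True
    except ValueError:
        return False


def p3p_header_for(user_agent, value=P3P_VALUE):
    """Mirror `BrowserMatch MSIE IS_MSIE` + `Header set P3P ... env=IS_MSIE`.

    BrowserMatch is a case-sensitive regex match on the User-Agent, so any UA
    containing the substring "MSIE" gets the header and every other UA gets
    nothing (IE11's "Trident" UA string no longer contains "MSIE").
    """
    if re.search(r"MSIE", user_agent or ""):
        return ("P3P", value)
    return None


if __name__ == "__main__":
    print(parse_p3p(P3P_VALUE))
    # Constructed user agents
    print(p3p_header_for("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"))
    print(p3p_header_for("Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"))
```

The leftover check is what catches a header that was cut off mid-value (an unbalanced CP quote), which a browser would otherwise silently treat as having no compact policy at all.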

The value of the CP portion can be generated using IBM's tool (link above)

Hope this helps. With this setup you'll be able to set cookies and use cookie-based session management even when IE is set to its highest privacy setting (Medium is the default).
