basketbal.nl

What is this?

Sender Policy Framework (SPF) is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain.

Why does it matter?

Without SPF, anyone can send emails that appear to come from your domain (email spoofing). This is used in phishing attacks to impersonate your business. SPF tells receiving mail servers which IPs are legitimate senders.

How to fix it

Add a TXT record to your domain\'s DNS: Host: @ (apex domain) Value: v=spf1 include:_spf.yourmailprovider.com ~all Examples: Google Workspace: v=spf1 include:_spf.google.com ~all Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all Mailchimp: v=spf1 include:servers.mcsv.net ~all Use ~all (softfail) to start, upgrade to -all (hard fail) once you're confident all sending sources are listed. Never use +all.

What is this?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to give domain owners control over what happens to emails that fail authentication checks.

Why does it matter?

SPF alone is not enough — DMARC adds a policy layer that tells receiving servers what to do with suspicious emails (monitor, quarantine, or reject). It also provides reporting so you can see who is sending email as your domain.

How to fix it

Add a TXT record to your DNS: Host: _dmarc (e.g. _dmarc.yourdomain.com) Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com Start with p=none to receive reports without affecting mail delivery: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com After analysing reports for a few weeks, upgrade to: p=quarantine → suspicious mail goes to spam p=reject → suspicious mail is blocked entirely Free DMARC report analysis: dmarcian.com, postmarkapp.com/dmarc.

What is this?

HTTPS (HyperText Transfer Protocol Secure) encrypts all communication between the visitor's browser and your server using TLS (Transport Layer Security). Without it, data is sent in plain text.

Why does it matter?

Without HTTPS, anyone on the same network (coffee shop Wi-Fi, corporate proxy) can read or modify the data being transferred — including passwords, form submissions and personal information. Google also ranks HTTPS sites higher and Chrome marks HTTP sites as "Not Secure".

How to fix it

Install a TLS certificate on your web server. Free certificates are available via Let's Encrypt (certbot.eff.org). Most hosting panels (cPanel, Plesk, Forge) have one-click SSL installation. After installing, configure your server to redirect all HTTP traffic to HTTPS.

What is this?

An SSL/TLS certificate has an expiry date. Once expired, browsers show a full-page warning to visitors and refuse to connect without clicking through a security warning.

Why does it matter?

An expired certificate breaks trust immediately — visitors see a red warning screen and most will leave. Search engines may also de-index or lower the ranking of sites with certificate errors.

How to fix it

Renew your certificate before it expires. If you use Let's Encrypt, set up auto-renewal with certbot (sudo certbot renew --dry-run to test). Most hosting providers send expiry warnings by email. Set a calendar reminder at 30 and 7 days before expiry.

What is this?

HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS — even if the user types http:// or clicks an http:// link. The browser enforces this locally for the duration of max-age.

Why does it matter?

Even with an HTTP redirect in place, the very first request could go over HTTP before being redirected. A network attacker could intercept that first request (SSL stripping attack). HSTS prevents this by making the browser upgrade to HTTPS before making any request.

How to fix it

Add this header to your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Only add HSTS after you are certain your entire site works over HTTPS, including all subdomains if you use includeSubDomains.

What is this?

Content Security Policy (CSP) is a browser security feature that lets you control which resources (scripts, styles, images, fonts) a page is allowed to load, and from which origins.

Why does it matter?

CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Without CSP, an attacker who injects malicious JavaScript into your page can load resources from anywhere, steal session cookies, or redirect users.

How to fix it

Add a Content-Security-Policy header. Start with a report-only policy to detect issues without breaking anything: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; Once tested, switch to enforcing: Content-Security-Policy: default-src 'self'; ... CSP policies can be complex for sites with third-party scripts. Use https://csp-evaluator.withgoogle.com/ to evaluate your policy.

What is this?

X-Frame-Options controls whether your website can be embedded in an <iframe>, <frame>, or <object> on another website.

Why does it matter?

Without this header, attackers can embed your site invisibly in an iframe on a malicious page and trick users into clicking buttons or links without knowing it (clickjacking). This can be used to perform actions on behalf of a logged-in user.

How to fix it

Add one of these response headers: X-Frame-Options: DENY — prevents all framing X-Frame-Options: SAMEORIGIN — allows framing only from the same domain Nginx: add_header X-Frame-Options "SAMEORIGIN" always; Apache: Header always set X-Frame-Options "SAMEORIGIN" Modern alternative: use CSP with frame-ancestors directive: Content-Security-Policy: frame-ancestors 'self';

What is this?

X-Content-Type-Options with the value "nosniff" tells browsers not to guess (sniff) the content type of a response, but to strictly use the Content-Type header the server sends.

Why does it matter?

Without this header, a browser might interpret an uploaded text file as JavaScript if it contains script-like content — a technique attackers can exploit to run malicious code even when file uploads are allowed.

How to fix it

Add this header to all responses: X-Content-Type-Options: nosniff Nginx: add_header X-Content-Type-Options "nosniff" always; Apache: Header always set X-Content-Type-Options "nosniff" Laravel: add to middleware or in .htaccess.

What is this?

The Referrer-Policy header controls how much information about the originating page is included in the Referer header when a user navigates away from your site or when resources are loaded.

Why does it matter?

Without a Referrer-Policy, the full URL of the current page (which may include session tokens, user IDs, or sensitive paths) is sent to external sites in the Referer header. This can leak private information to third-party analytics, CDN providers, or ad networks.

How to fix it

Recommended value: Referrer-Policy: strict-origin-when-cross-origin (sends origin only for cross-origin requests, full URL for same-origin) Nginx: add_header Referrer-Policy "strict-origin-when-cross-origin" always; Apache: Header always set Referrer-Policy "strict-origin-when-cross-origin" Alternatives: no-referrer (most private), same-origin (no cross-origin referrer).

What is this?

Permissions-Policy (formerly Feature-Policy) lets you control which browser features and APIs your site is allowed to use, and whether third-party content embedded in iframes can access them.

Why does it matter?

Without this header, embedded third-party scripts or iframes could theoretically request access to the camera, microphone, geolocation, payment APIs, and more. Restricting these features reduces your attack surface.

How to fix it

Example header that disables features not needed for most sites: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; Apache: Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" Only disable features you genuinely don't use. Adding this header is a low-effort, high-value improvement.

What is this?

Response compression (gzip or Brotli) reduces the size of HTML, CSS, JavaScript and other text-based responses before sending them over the network.

Why does it matter?

Compression typically reduces text file sizes by 60–80%. A 200 KB JavaScript file becomes ~50 KB. This directly reduces page load time, especially on slower connections, and reduces bandwidth costs.

How to fix it

Nginx: gzip on; gzip_types text/plain text/css application/javascript application/json; gzip_min_length 1000; For Brotli (better compression, requires ngx_brotli module): brotli on; brotli_types text/plain text/css application/javascript; Apache (.htaccess): AddOutputFilterByType DEFLATE text/html text/css application/javascript Cloudflare: enables compression automatically — no server config needed.