Hey @flintstoned,
The answer is No. A simple web search reveals you can add security headers to your website via your .htaccess file. As a courtesy, you can add the following to your .htaccess file for maximum protection:
[Warning: Some of the "Header set" policies provided below could break your site. Proceed with caution.]
# BEGIN Add Extra Security Headers (Enforce HSTS, Protect Against XSS Attacks, Page-Framing, Content-Sniffing, Referrer-Policy, Permissions-Policy)
<IfModule mod_headers.c>
# Note: Feature-Policy replaced by Permissions-Policy
# Note: Do not use Expect-CT (deprecated)
Header set Cross-Origin-Opener-Policy "same-origin-allow-popups"
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Resource-Policy "cross-origin"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Note: X-XSS-Protection is deprecated and ignored by current browsers; directives are separated by ';', not ','
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "sameorigin"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "camera=(self), microphone=(self), geolocation=*, usb=(self)"
Header set X-Permitted-Cross-Domain-Policies "master-only"
Header set Content-Security-Policy "img-src * 'self' data: https:; base-uri 'none'; object-src 'none'; upgrade-insecure-requests;"
# Note: Public-Key-Pins (HPKP) is deprecated and no longer honoured by browsers. If kept anyway, replace the placeholder
# pin with your certificate's hash, add a backup pin (the spec requires at least two), and separate directives with ';'
Header set Public-Key-Pins "pin-sha256=\"base64+primary==\"; max-age=5184000; includeSubDomains"
</IfModule>
# END Add Extra Security Headers (Enforce HSTS, Protect Against XSS Attacks, Page-Framing, Content-Sniffing, Referrer-Policy, Permissions-Policy)
Best wishes!
Hi @flintstoned,
When adding your own headers, including implementing a Content Security Policy, there are some things to consider. Some can be added through HTML, although there may be plugins that offer to handle these for you on WordPress or you can consider .htaccess like Generosus mentioned above.
X-Content-Type-Options and X-Frame-Options should be fine to use from our experience.
Strict-Transport-Security can be fine to implement, but understanding the risks and being certain everything on the site is already using HTTPS is key: https://www.netsparker.com/blog/web-security/http-strict-transport-security-hsts/
Content-Security-Policy can be hard to get right currently without something going wrong in WordPress or a plugin/theme. With some scripts coming from CDNs or other plugins having reasons to include scripts hosted on third-party domains, it may be difficult to impose forced blocks on these and still maintain full functionality on your site.
You can look into the details of these headers, the options available to you and the reasons behind each one at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
Thanks,
Peter.
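A small header linter, added here as an example (it is not code from either reply, nor from WordPress or any plugin), that parses a captured set of response headers and reports the points raised in both replies: deprecated headers, the HSTS max-age, the ',' versus ';' slip in X-XSS-Protection, and a Content-Security-Policy that leaves scripts unrestricted. SAMPLE_HEADERS is a constructed sample modelled on the .htaccess block above, not a real capture.

```python
import re

# Constructed sample: what a server would emit with the .htaccess block above,
# including the two syntax slips it contained. Not a real capture.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-XSS-Protection": "1, mode=block",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "img-src * 'self' data: https:; base-uri 'none'; "
                               "object-src 'none'; upgrade-insecure-requests;",
    "Public-Key-Pins": 'pin-sha256="base64+primary=="; max-age=5184000',
}

# Headers current browsers no longer honour; sending them adds nothing.
DEPRECATED = ("Public-Key-Pins", "Expect-CT", "Feature-Policy", "X-XSS-Protection")
ONE_YEAR = 31536000


def parse_csp(value):
    """Split a CSP string into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_headers(headers):
    """Return a list of findings for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"{n} is deprecated; remove it" for n in DEPRECATED if n.lower() in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if "," in h.get("x-xss-protection", ""):
        findings.append("X-XSS-Protection uses ',' where ';' is required")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp and "script-src" not in csp:
        findings.append("CSP restricts neither default-src nor script-src")
    return findings
```

Feed it the headers you actually observe from your site (for example, copied from the browser's network panel) to confirm the .htaccess rules took effect and nothing deprecated is still being sent.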