Title: Vulnerable security header?
Last modified: June 12, 2023

---

# Vulnerable security header?

 *  Resolved [dav74](https://wordpress.org/support/users/dav74/)
 * (@dav74)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/vulnerable-security-header/)
 * Hi there, I had someone look at my security headers. There were a couple of potential
   issues he told me about, but I am unsure whether to believe him or you, the plugin
   developer. The line in question was:
 *     ```apache
       Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
       ```
   
 * I was told that the following:
 * “_You have enabled 2 dangerous methods i.e. **PUT** (Anyone can upload anything
   on your website means hackers can hack your website)
   **DELETE** (Anyone can
   submit a DELETE request on your website to delete any file on your website)_”
 * Can you please guide me on that remark. Should I remove the PUT and DELETE requests?
 * Finally I was also told this:
 * “_**Access-Control-Allow-Origin:** You have set null origin which is not good
   as it can be bypassed. Remove this unused header as it poses a security risk._”
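Added example, not code from the thread or from the plugin: a small Python audit that reads a constructed set of response headers matching the configuration quoted above and flags the two weak settings. Note that Access-Control-Allow-Methods is a CORS response header: it only tells a visitor's browser which methods a cross-origin script may use after a preflight, so listing PUT or DELETE widens what a hostile origin can attempt through that browser but does not by itself let anyone upload or delete files; whether those methods do anything is decided by the server.

```python
from typing import Dict, List

# Constructed sample: the CORS-related headers a browser would receive from the
# .htaccess configuration discussed in the thread (not captured from a real site).
SAMPLE_HEADERS = {
    "Access-Control-Allow-Origin": "null",
    "Access-Control-Allow-Methods": "GET,PUT,POST,DELETE",
    "Access-Control-Allow-Credentials": "true",
}

# Constructed hardened variant: no Allow-Origin header at all, and only the
# CORS "simple" methods advertised (what the plugin author later moved to).
HARDENED_HEADERS = {"Access-Control-Allow-Methods": "GET,POST"}

# Methods a browser may send cross-origin without a preflight. Anything beyond
# these in Access-Control-Allow-Methods grants cross-origin scripts access to
# preflighted, state-changing methods.
CORS_SIMPLE_METHODS = {"GET", "HEAD", "POST"}


def parse_method_list(value: str) -> List[str]:
    """Split a comma-separated header value, normalising case and whitespace."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def audit_cors_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding string per weak CORS setting found in the headers."""
    # HTTP header names are case-insensitive, so normalise the lookup keys.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    acao = h.get("access-control-allow-origin", "")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao.lower() == "null":
        # Sandboxed iframes, data: URLs and some redirected requests carry
        # "Origin: null", so allowing "null" matches any such opaque-origin page.
        findings.append("ACAO is 'null': any sandboxed or opaque-origin document matches it")
        if credentials:
            findings.append("credentials allowed for the 'null' origin: authenticated responses readable")

    acam = h.get("access-control-allow-methods", "")
    if acam:
        risky = [m for m in parse_method_list(acam) if m not in CORS_SIMPLE_METHODS]
        if risky:
            findings.append(f"ACAM advertises preflighted methods: {', '.join(risky)}")
    return findings
```

The same audit can be pointed at the headers of a real response (for example from `requests.head(...).headers`) to verify a deployment after the plugin's defaults change.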

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [catuyen](https://wordpress.org/support/users/catuyen/)
 * (@catuyen)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/vulnerable-security-header/#post-16826893)
 * I am also waiting for the answer to the questions above. Most people vote
   for 5 stars because they get A+ on securityheaders.com. But _**Access-Control-
   Allow-Origin**_ **null** seems not a good setting.
 *  Thread Starter [dav74](https://wordpress.org/support/users/dav74/)
 * (@dav74)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/vulnerable-security-header/#post-16826939)
 * Hi [@catuyen](https://wordpress.org/support/users/catuyen/)
 * Yes, I totally agree. An A+ on securityheaders.com does not necessarily mean there
   are no issues. It would be nice to get a reply from the plugin author. I actually
   removed the PUT and DELETE requests. Anyhow, hopefully next week we get an answer
   🙂
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/vulnerable-security-header/#post-16827060)
 * Hi **[@dav74](https://wordpress.org/support/users/dav74/)** and **[@catuyen](https://wordpress.org/support/users/catuyen/),**
   thank you for raising these security concerns about our plugin **Headers Security
   Advanced & HSTS WP**. I would like to inform you that we have rewritten most 
   of the code in the most recent version of the plugin, optimizing it to improve
   overall security.
 * We are working on a new setting that will allow users to further customize security
   settings. This will give you more control over the configurations and allow you
   to tailor them to your specific needs.
 * I would like to let you know that with tonight’s update, we have decided to remove
   the _Access-Control-Allow-Origin_ header to address the potential security risks
   associated with it. We take the security of our users seriously and feel that
   this is an important decision to mitigate potential problems.
 * We decided to remove the PUT and DELETE methods from the default configuration
   of the Access-Control-Allow-Methods header.
 * However, we understand that each site is unique and may have specific needs.
   We are working on providing an advanced security settings customization option
   in the next plugin update.
 * We continue to work to provide you with a secure and
   reliable plugin. We appreciate your feedback and are always open to further suggestions
   to improve the security of our plugin. Thank you again for contacting us.
 *  Thread Starter [dav74](https://wordpress.org/support/users/dav74/)
 * (@dav74)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/vulnerable-security-header/#post-16827071)
 * Hi [@unicorn03](https://wordpress.org/support/users/unicorn03/)
 * That’s great news and we look forward to you rolling out the update tonight.


The topic ‘Vulnerable security header?’ is closed to new replies.

 * 5 replies
 * 3 participants
 * Last reply from: [dav74](https://wordpress.org/support/users/dav74/)
 * Last activity: [2 years, 11 months ago](https://wordpress.org/support/topic/vulnerable-security-header/#post-16827071)
 * Status: resolved