Security Headers

Security headers are part of the response your server sends back to visitors. They tell the visitor’s browser how the server wants it to behave, for example which connections and content sources it may use.

Strict Transport Security (HSTS)

This ensures that the browser can only communicate with your site over HTTPS, eliminating any chance of an unsecured HTTP connection.

It instructs browsers to use HTTPS only and to refuse insecure HTTP connections to your site.

It is important that you verify your website has an SSL certificate and that it is working correctly before implementing this: a browser that has seen the header will refuse plain HTTP for your site for the whole max-age period, so a broken certificate locks visitors out.

Setting up is very easy. Open your theme’s functions.php file and add the following (it must run before any output is sent, otherwise PHP cannot add the header):

// Tell browsers to use HTTPS only for the next year (31536000 seconds).
header('Strict-Transport-Security: max-age=31536000;');

You can also add this to your .htaccess file. The Header directive needs Apache’s mod_headers module, so the block is wrapped in an IfModule check:

#BEGIN WP Security Ninja - Forces only HTTPS
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000;"
</IfModule>
#END WP Security Ninja - Forces only HTTPS

You can add includeSubDomains if you want this to cover any subdomains you might have, i.e. "max-age=31536000; includeSubDomains". Only do this if every subdomain is also served over HTTPS.

For Nginx, add this inside the server block of nginx.conf:

add_header Strict-Transport-Security "max-age=31536000;";

Further reading and a test tool: https://hstspreload.org

Content Security Policy (CSP)

CSP is protection against Cross-Site Scripting. Although it does not eliminate the possibility of code injection attacks, it greatly increases the protection against people trying to inject malicious code into your website.
Security Ninja checks whether your server’s response headers contain ‘Content-Security-Policy’.

This limits any browser visiting your website to only load content from approved sources.

Warning

If you embed scripts from external websites, Google Analytics or other sources, this could break your website functionality. Read and test before implementing.

Since each website is different, we can only give a general suggestion, and we strongly advise removing the fix again if something on your website stops working.

This example forces a browser to only load JavaScript .js files from your own website. Warning: inline scripts will stop working, because 'self' does not cover them. Add this to your .htaccess file:

#BEGIN WP Security Ninja - Only allow browsers to load .js files from this website
<IfModule mod_headers.c>
    # Use Content-Security-Policy-Report-Only to test settings before using Content-Security-Policy.
    # In report-only mode the browser logs violations but does not block anything.
    # Once you have fixed any problems, you can change to
    # Header set Content-Security-Policy "script-src 'self'"
    # (note: the Header directive takes the header name without a trailing colon)
    Header set Content-Security-Policy-Report-Only "script-src 'self'"
</IfModule>
#END WP Security Ninja - Only allow browsers to load .js files from this website

For Nginx, add this inside the server block of nginx.conf (test in report-only mode first, then switch to Content-Security-Policy):

add_header Content-Security-Policy-Report-Only "script-src 'self'";

Bonus: Scott Helme is a security researcher and has written a really in-depth walkthrough of Content Security Policy: Content Security Policy – An Introduction.

Info

We have removed the “X-XSS-Protection” header function from WP Security Ninja.

This decision was made based on the header’s deprecation by modern web browsers, which now incorporate more advanced built-in protections against cross-site scripting (XSS) attacks. Continuing to rely on “X-XSS-Protection” could lead to a false sense of security and potential compatibility issues.

Cross-Site Scripting Protection (X-XSS)

This filter doesn’t let the page load when it detects a cross-site scripting attack. This filter is currently enabled by default in Google Chrome, Internet Explorer and Safari.

X-Frame-Options

This header prevents your website from being embedded in other websites via iframes. This helps prevent Clickjacking, where a user is fooled into interacting with your website inside a frame on an attacker’s page. Done correctly, the visitor thinks they are on the right website, while the attacker can eavesdrop on the data sent back and forth.

The X-Frame-Options response header indicates if a page is allowed to render a page in an
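The three headers above are easiest to get right when you can check a captured response rather than guess. The following script is an added example, not part of WP Security Ninja: it parses a constructed HTTP response, audits Strict-Transport-Security (max-age, includeSubDomains), reports whether CSP is absent, still report-only or enforced, checks X-Frame-Options, and dry-runs the page’s `script-src 'self'` policy against a same-origin script, an external analytics script and an inline script, which shows concretely what the CSP warning means. The sample response, the site origin `https://example.com` and the script URLs are all constructed for the example; the CSP matching is deliberately simplified (keyword and host sources only, no nonces or hashes).

```python
"""Audit a captured HTTP response for HSTS, CSP and X-Frame-Options, and
dry-run a script-src policy.  Added example (not WP Security Ninja code);
the response below is constructed, not captured from a real site."""
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds, the max-age used in the page's snippets

# Constructed sample response for a hypothetical site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000;\r\n"
    "Content-Security-Policy-Report-Only: script-src 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Map lower-cased header names to values; stops at the blank line."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # end of the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """'max-age=N; includeSubDomains' -> dict.  RFC 6797 allows empty
    directives, so the trailing ';' in the page's snippets is harmless."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_hsts(headers):
    """Findings for Strict-Transport-Security (empty list = nothing to fix)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS missing: browsers may still connect over plain HTTP"]
    findings, d = [], parse_hsts(value)
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        findings.append("HSTS max-age under one year (hstspreload.org needs >= 1 year)")
    if "includesubdomains" not in d:
        findings.append("HSTS does not cover subdomains (add includeSubDomains)")
    return findings


def audit_csp(headers):
    """Is CSP absent, still in report-only mode, or enforced?"""
    if "content-security-policy" in headers:
        return []
    if "content-security-policy-report-only" in headers:
        return ["CSP is report-only: violations are logged, not blocked"]
    return ["CSP missing: no restriction on where scripts load from"]


def audit_frame_options(headers):
    """X-Frame-Options must be DENY or SAMEORIGIN to stop framing."""
    value = headers.get("x-frame-options", "").upper()
    if value in ("DENY", "SAMEORIGIN"):
        return []
    return [f"X-Frame-Options missing or unsupported value {value!r}"]


def parse_csp(value):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], ...}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(policy, page_origin, script_src):
    """Would a browser run this script?  script_src is a URL, or None for an
    inline <script>.  Simplified matching: 'self', 'none', 'unsafe-inline'
    and host sources (optionally '*.' prefixed); nonces/hashes not modelled."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                            # no directive, no restriction
    if "'none'" in sources:
        return False
    if script_src is None:
        return "'unsafe-inline'" in sources    # inline code needs explicit opt-in
    parsed = urlparse(script_src)
    host, origin = parsed.netloc, parsed.scheme + "://" + parsed.netloc
    for src in sources:
        if src == "'self'":
            if origin == page_origin:
                return True
        elif not src.startswith("'"):          # host source such as cdn.example.net
            pattern = urlparse(src if "://" in src else "//" + src).netloc
            if host == pattern or (pattern.startswith("*.") and host.endswith(pattern[1:])):
                return True
    return False


def audit(raw):
    """Run all three checks; returns {check name: [findings]}."""
    headers = parse_headers(raw)
    return {"hsts": audit_hsts(headers), "csp": audit_csp(headers),
            "x-frame-options": audit_frame_options(headers)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESPONSE).items():
        print(name, findings or "ok")
    policy, site = parse_csp("script-src 'self'"), "https://example.com"
    for src in (site + "/wp-includes/js/jquery.js",
                "https://www.google-analytics.com/analytics.js", None):
        verdict = "allowed" if script_allowed(policy, site, src) else "blocked"
        print(src or "<inline script>", "->", verdict)
```

Run against the sample response, the audit flags the missing includeSubDomains and the report-only CSP, and the dry run shows the page’s policy allowing the site’s own jQuery while blocking the external analytics script and the inline script, which is exactly the breakage the warning above describes and why testing with Content-Security-Policy-Report-Only first matters.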