Security headers are part of the response your server sends back to visitors; they tell the visitor's browser how the server wants it to behave when handling your pages.
Strict Transport Security (HSTS)
This tells the browser to communicate with your site only over HTTPS, eliminating any chance of an unsecured HTTP connection.
Content Security Policy (CSP)
CSP is protection against Cross-Site Scripting. Although it does not eliminate the possibility of code injection attacks, it greatly strengthens the protection against people trying to inject malicious code into your website.
Cross-Site Scripting Protection (X-XSS)
This filter doesn’t let the page load when it detects a cross-site scripting attack. This filter is currently enabled by default in Google Chrome, Internet Explorer and Safari.
Clickjacking Protection (X-Frame-Options)
This header prevents your website from being embedded in other websites via iframes. This helps prevent clickjacking, where a visitor is tricked into interacting with your site while it is framed inside another page. Done correctly, the visitor would believe they were on the right website, while the attacker could eavesdrop on the data sent back and forth.
MIME Sniffing Protection (X-Content-Type-Options)
Browsers may try to guess the content type of a response by inspecting its bytes instead of trusting the Content-Type header the server declared. This is known as MIME sniffing, and it could allow hackers to execute cross-site scripting attacks.
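The checks below put the five headers described above into one small audit script. It is an added example, not code from WP Security Ninja or from this site: it takes a dictionary of response headers (the two sample responses are constructed here, and cdn.example.com is a placeholder) and reports, per header, whether the value is missing, weak or acceptable. The one-year HSTS minimum is an assumed threshold, not a value from the page.

```python
"""Audit HTTP response headers for the security headers discussed on this page.

Added example; the sample responses are constructed, and MIN_HSTS_MAX_AGE is an
assumed policy threshold rather than a requirement from the page.
"""
from typing import Callable, Dict, List, Optional, Tuple

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed audit threshold)


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(value: Optional[str]) -> str:
    """HSTS must carry a max-age, and a short one gives little protection."""
    if value is None:
        return "missing"
    max_age = None
    for directive in (d.strip().lower() for d in value.split(";")):
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                return "invalid max-age"
    if max_age is None:
        return "missing max-age"
    if max_age < MIN_HSTS_MAX_AGE:
        return "max-age too short"
    return "ok"


def check_csp(value: Optional[str]) -> str:
    """Flag a CSP with no default-src fallback or with unsafe script sources."""
    if value is None:
        return "missing"
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "default-src" not in directives:
        return "no default-src fallback"
    # script-src falls back to default-src when absent
    script_sources = directives.get("script-src", directives["default-src"])
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*"}
    found = sorted(s for s in script_sources if s.lower() in weak)
    if found:
        return "weak script sources: " + ", ".join(found)
    return "ok"


def check_xss_protection(value: Optional[str]) -> str:
    """The filter should be on and set to block rather than sanitise the page."""
    if value is None:
        return "missing"
    compact = value.replace(" ", "").lower()
    if compact.startswith("1") and "mode=block" in compact:
        return "ok"
    if compact == "0":
        return "disabled"
    return "filter enabled without mode=block"


def check_frame_options(value: Optional[str]) -> str:
    """Only DENY and SAMEORIGIN are recognised values for X-Frame-Options."""
    if value is None:
        return "missing"
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok"
    return "unrecognised value: " + value


def check_content_type_options(value: Optional[str]) -> str:
    """The only defined value is nosniff."""
    if value is None:
        return "missing"
    return "ok" if value.strip().lower() == "nosniff" else "unrecognised value: " + value


CHECKS: List[Tuple[str, Callable[[Optional[str]], str]]] = [
    ("Strict-Transport-Security", check_hsts),
    ("Content-Security-Policy", check_csp),
    ("X-XSS-Protection", check_xss_protection),
    ("X-Frame-Options", check_frame_options),
    ("X-Content-Type-Options", check_content_type_options),
]


def audit(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a verdict per security header for one response."""
    return {name: check(_lookup(headers, name)) for name, check in CHECKS}


# Constructed sample responses: one weakly configured, one hardened.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-XSS-Protection": "0",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for header, verdict in audit(response).items():
            print(f"  {header}: {verdict}")
```

Running the script prints one verdict line per header for each sample; the weak response is reported as short HSTS lifetime, wildcard and inline script sources, a disabled XSS filter, an invalid X-Frame-Options value and a missing X-Content-Type-Options header, while the hardened response passes every check.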
Easy to protect your website with security headers
WP Security Ninja comes with a very easy way to get your website protected with security headers: you can protect yourself by ticking a few checkboxes or by using the getting started wizard.
A few clicks allow you to turn on each header and give you a chance to fine-tune each setting as required.
Screenshot from the plugin interface: