Security Headers

Security headers are part of the response your server sends back to visitors – they tell the visitor's browser how the server wants it to behave when handling your pages.

Strict Transport Security (HSTS)

This ensures that the browser can only communicate with your site over HTTPS – eliminating any chance of an unsecured HTTP connection.

The header instructs the visitor's browser to use only HTTPS for your site and never fall back to an insecure HTTP connection.

It is important that you verify your website has an SSL certificate and that it is working correctly before implementing this: once a browser has seen the header it will refuse plain-HTTP connections to your site for the max-age period.

Setting up is very easy. Open your theme’s functions.php file and add the following:

header('Strict-Transport-Security: max-age=31536000;');

You can also add this to your .htaccess file:

#BEGIN WP Security Ninja - Forces only HTTPS
	<IfModule mod_headers.c>
	Header set Strict-Transport-Security "max-age=31536000;"
	</IfModule>
#END WP Security Ninja - Forces only HTTPS

You can append “; includeSubDomains” to the value (giving "max-age=31536000; includeSubDomains") if you want this to cover any subdomains you might have.

For Nginx, add this inside the server block of nginx.conf:

add_header Strict-Transport-Security "max-age=31536000;";

Further reading and test: https://hstspreload.org

Content Security Policy (CSP)

CSP is protection against Cross-Site Scripting. Although it does not eliminate the possibility of code injection attacks, it greatly increases the protection against people trying to inject malicious code into your website.

This limits any browser visiting your website to only load content from approved sources.

Warning

If you embed scripts from external websites, Google Analytics or other sources, this could break your website functionality. Read and test before implementing.

Since each website is different, we can only give a general suggestion and strongly advise to remove the fix again if something on your website stops working.

This example forces a browser to only load JavaScript .js files from your own website. Warning: inline scripts will stop working. Add this to your .htaccess file:

#BEGIN WP Security Ninja - Only allow browsers to load .js files from this website
	# Use Content-Security-Policy-Report-Only to test settings before using Content-Security-Policy.
	# Report-Only logs violations in the browser console but blocks nothing.
	# Once you have fixed any problems, change the header name to
	# Header set Content-Security-Policy "script-src 'self'"
	
	<IfModule mod_headers.c>
	# No colon after the header name: Apache adds it when sending the header.
	Header set Content-Security-Policy-Report-Only "script-src 'self'"
	</IfModule>
#END WP Security Ninja - Only allow browsers to load .js files from this website

For Nginx, add this inside the server block of nginx.conf (the same report-only policy as above):

add_header Content-Security-Policy-Report-Only "script-src 'self'";

Bonus: Scott Helme is a security researcher and has written a really in-depth walkthrough of Content Security Policy: Content Security Policy – An Introduction.

Cross-Site Scripting Protection (X-XSS)

This filter doesn’t let the page load when it detects a cross-site scripting attack. This filter is currently enabled by default in Google Chrome, Internet Explorer and Safari.

X-Frame-Options

This header prevents your website from being embedded in other websites via iframes. This helps prevent clickjacking, where a visitor is tricked into interacting with your website while it is loaded invisibly inside an attacker's page. Done well, the visitor believes they are on the right website, while the attacker can eavesdrop on the data sent back and forth.

The X-Frame-Options response header indicates whether a browser may render the page inside an <iframe>, <frame> or <object>. Avoid clickjacking attacks simply by not allowing your content to be embedded on other websites.

Warning: The fix is easy, but some sites have problems with the theme customizer preview when this code is enabled.

Fixing is very easy. Open your theme’s functions.php file and add the following:

header('X-Frame-Options: SAMEORIGIN');

You can also add this to your .htaccess file:

#BEGIN WP Security Ninja - Prevent page-framing and click-jacking
	<IfModule mod_headers.c>
	# "set" rather than "append": a second SAMEORIGIN joined with a comma is an invalid value that browsers ignore
	Header always set X-Frame-Options SAMEORIGIN
	</IfModule>
#END WP Security Ninja - Prevent page-framing and click-jacking

You can use the following values: DENY, SAMEORIGIN or ALLOW-FROM (ALLOW-FROM is obsolete and ignored by current browsers; the CSP frame-ancestors directive replaces it).

WARNING: If you use iframes on your website you need to be careful configuring this.

For Nginx, add this inside the server block of nginx.conf:

add_header X-Frame-Options "SAMEORIGIN";

Read more about the different options on GeekFlare.

X-Content-Type-Options

This header is a countermeasure that stops browsers from treating a file as a different type than the one your server declared. For instance, you might have protection against uploading JavaScript .js files, but without the X-Content-Type-Options header a browser can be persuaded to run malicious JavaScript served from an innocent-looking .txt file.

The browser's guessing is known as MIME sniffing, and it can allow hackers to execute cross-site scripting attacks. The header has a single value, nosniff, which tells the browser to honour the declared Content-Type instead of guessing.

Permissions-Policy

Permissions Policy is a method to control which features and APIs can be used in the browser.

This has been renamed from “Feature Policy”, but the concept stays the same. Please note the change in syntax. If you have previously set up this policy you should review and test it.

This is a way to instruct a browser which features it can use on a website.

With this you can explicitly prevent access to the camera, microphone, geolocation and many other features.

For a full and updated list, check out the link: Mozilla.org – Permissions Policy

header('Permissions-Policy: geolocation=(self "https://example.com"), microphone=()'); // single-quoted PHP string, because the origin list needs double quotes

NOTE: This example allows geolocation only for your own site and https://example.com and disables the microphone everywhere. If your website uses some of the features, please check the Mozilla link for details on how to fine-tune the list.

You can also add this to your .htaccess file:

	#BEGIN WP Security Ninja - Set Permissions-Policy
	<IfModule mod_headers.c>
	# The inner double quotes are escaped so Apache reads the whole value as one argument
	Header set Permissions-Policy "geolocation=(self \"https://example.com\"), microphone=()"
	</IfModule>
	#END WP Security Ninja - Set Permissions-Policy

For Nginx, add this inside the server block of nginx.conf (single-quoted, because the value itself contains double quotes):

add_header Permissions-Policy 'geolocation=(self "https://example.com"), microphone=()';
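As an added check (example code written for this page, not part of WP Security Ninja or the original article), the following Python function audits a set of response headers against the recommendations above: HSTS max-age, whether CSP is enforced or only report-only, a valid X-Frame-Options value, X-Content-Type-Options and Permissions-Policy. The sample headers are constructed, not captured from a real site.

```python
import re

# Constructed sample of response headers (not captured from a real site);
# names are matched case-insensitively, as an HTTP client would return them.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy-Report-Only": "script-src 'self'",
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",  # what 'Header append' run twice produces
    "X-Content-Type-Options": "nosniff",
}

ONE_YEAR = 31536000  # the HSTS max-age this page recommends


def audit_headers(headers):
    """Check the headers covered on this page; return {header: 'ok' or problem}."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = {}

    hsts = h.get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts) if hsts is not None else None
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    elif age is None:
        findings["Strict-Transport-Security"] = "no max-age directive"
    elif int(age.group(1)) < ONE_YEAR:
        findings["Strict-Transport-Security"] = "max-age below one year"
    else:
        findings["Strict-Transport-Security"] = "ok"

    if "content-security-policy" in h:
        findings["Content-Security-Policy"] = "ok"
    elif "content-security-policy-report-only" in h:
        # Report-Only only reports violations; nothing is blocked yet.
        findings["Content-Security-Policy"] = "report-only, not enforced"
    else:
        findings["Content-Security-Policy"] = "missing"

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing"
    elif xfo.upper() in ("DENY", "SAMEORIGIN") or xfo.upper().startswith("ALLOW-FROM "):
        findings["X-Frame-Options"] = "ok"
    else:
        # A comma-joined value (two appended SAMEORIGINs) is invalid and ignored by browsers.
        findings["X-Frame-Options"] = "invalid value: " + xfo

    xcto = h.get("x-content-type-options", "")
    findings["X-Content-Type-Options"] = "ok" if xcto.lower() == "nosniff" else "missing or not nosniff"
    findings["Permissions-Policy"] = "ok" if "permissions-policy" in h else "missing"
    return findings
```

Run it against the headers your own site returns (for example from a curl -I call) to see which of the fixes above are in place and whether the CSP is still in report-only mode.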

Easy to protect your website with security headers
WP Security Ninja comes with a very easy way to get your website protected with security headers – You can easily protect yourself by clicking a few checkboxes or using the getting started wizard.

A few clicks allow you to turn on each header and gives you a chance to fine-tune each setting as required.

Warning
Some of these security headers can prevent your website from functioning properly if not configured correctly. For instance, Content-Security-Policy can prevent Google Analytics tracking from loading.

Screenshot from the plugin interface:

Security Headers - default settings
