Security headers are part of the response your server sends back to visitors – these headers tell the visitors how the server wants them to respond.
Strict Transport Security (HSTS)
This ensures that the browser can only communicate over HTTPS – eliminating any chance of an unsecured HTTP connection.
It instructs the visitor's browser to only use HTTPS for your website and never fall back to an insecure HTTP connection.
It is important that you verify your website has an SSL certificate and that it is working correctly before implementing this.
Setting up is very easy. Open your theme’s functions.php file and add the following:
header('Strict-Transport-Security: max-age=31536000;');
You can also add this to your .htaccess file
#BEGIN WP Security Ninja - Forces only HTTPS
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000;"
</IfModule>
#END WP Security Ninja - Forces only HTTPS
You can add “includeSubDomains” if you want this to include any subdomains you might have.
For Nginx, add this to nginx.conf inside the server block:
add_header Strict-Transport-Security "max-age=31536000;";
Further reading and test: https://hstspreload.org
Content Security Policy (CSP)
CSP is protection against Cross-Site Scripting. Although it does not eliminate the possibility of code injection attacks, it greatly increases the protection against people trying to inject malicious code into your website.
The plugin checks whether the server response headers contain Content-Security-Policy.
This limits any browser visiting your website to only load content from approved sources.
Since each website is different, we can only give a general suggestion and strongly advise removing the fix again if something on your website stops working.
This example forces a browser to only load JavaScript .js files from your own website. Warning: inline scripts will stop working. Add this to your .htaccess file:
#BEGIN WP Security Ninja - Only allow browsers to load .js files from this website
# Use Content-Security-Policy-Report-Only to test settings before using Content-Security-Policy.
# Once you have fixed any problems, you can change to
# Header set Content-Security-Policy "script-src 'self'"
<IfModule mod_headers.c>
Header set Content-Security-Policy-Report-Only "script-src 'self'"
</IfModule>
#END WP Security Ninja - Only allow browsers to load .js files from this website
For Nginx, add this to nginx.conf inside the server block (switch to Content-Security-Policy once the report-only run shows no problems):
add_header Content-Security-Policy-Report-Only "script-src 'self'";
Bonus: Scott Helme is a security researcher and has written a really in-depth walkthrough of Content Security Policy: Content Security Policy – An Introduction.
Cross-Site Scripting Protection (X-XSS)
This filter doesn’t let the page load when it detects a cross-site scripting attack. This filter is currently enabled by default in Google Chrome, Internet Explorer and Safari.
X-Frame-Options
This header prevents your website from being embedded in other websites via iframes. This helps prevent clickjacking, where a user is fooled into thinking they are on your website. Done correctly, the visitor would believe they are on the right website, while a hacker can eavesdrop on the data sent back and forth.
The X-Frame-Options response header indicates whether a browser is allowed to render the page in an <iframe>, <frame> or <object>. Avoid clickjacking attacks simply by not allowing your content to be embedded on other websites.
Warning: The fix is easy, but some sites have problems with the theme customizer preview when this code is enabled.
Fixing is very easy. Open your theme’s functions.php file and add the following:
header('X-Frame-Options: SAMEORIGIN');
You can also add this to your .htaccess file
#BEGIN WP Security Ninja - Prevent page-framing and click-jacking
# "set" rather than "append": appending to a header WordPress already sends would produce a duplicated value
<IfModule mod_headers.c>
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
#END WP Security Ninja - Prevent page-framing and click-jacking
You can use the following values: DENY, SAMEORIGIN or ALLOW-FROM
WARNING: If you use iframes on your website you need to be careful configuring this.
For Nginx, add this to nginx.conf inside the server block:
add_header X-Frame-Options "SAMEORIGIN";
Read more about the different options on GeekFlare.
X-Content-Type-Options
This header is a countermeasure that prevents attackers from getting malicious code executed as a different file type. For instance, you might have protection against uploading JavaScript .js files, but without the X-Content-Type-Options header, a hacker could execute malicious JavaScript code via an innocent-looking .txt file.
This is known as MIME sniffing, and it could allow hackers to execute cross-site scripting attacks.
Permissions-Policy
Permissions Policy is a method to control which features and APIs can be used in the browser.
This has been renamed from “Feature Policy”, but the concept stays the same. Please note the change in syntax. If you have previously set up this policy you should review and test it.
This is a way to instruct a browser which features it can use on a website.
With this you can explicitly prevent access to the camera, microphone, geolocation and many other features.
For a full and up-to-date list, see Mozilla.org – Permissions Policy.
header('Permissions-Policy: geolocation=(self "https://example.com"), microphone=()');
NOTE: This example is restrictive, so if you have a website that uses some of these features, please check the Mozilla link for details on how to fine-tune it.
You can also add this to your .htaccess file
#BEGIN WP Security Ninja - Set Permissions-Policy
# Single quotes around the value, because the origin inside it is double-quoted
<IfModule mod_headers.c>
Header set Permissions-Policy 'geolocation=(self "https://example.com"), microphone=()'
</IfModule>
#END WP Security Ninja - Set Permissions-Policy
For Nginx, add this to nginx.conf inside the server block:
add_header Permissions-Policy 'geolocation=(self "https://example.com"), microphone=()';
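After applying any of the snippets above (HSTS, CSP, X-Frame-Options, X-Content-Type-Options or Permissions-Policy), it is worth confirming what the server really sends. The following is an added example, not code from this page or from the WP Security Ninja plugin: it audits a set of response headers against the recommendations above. The sample headers are constructed, and the partner.example origin is a placeholder.

```python
import re

# Constructed sample: headers a site with only some of the fixes above applied might send
# (the Permissions-Policy value is the one from this page).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000;",
    "Content-Security-Policy-Report-Only": "script-src 'self'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Permissions-Policy": 'geolocation=(self "https://example.com"), microphone=()',
}
ONE_YEAR = 31536000  # the max-age used in the HSTS snippets above, in seconds

def audit_security_headers(headers):
    """Return {header: verdict}; each verdict is 'ok' or starts with missing/weak/invalid/report-only."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    # HSTS: must exist and carry a max-age; a short max-age leaves a window for HTTP downgrade
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing: insecure HTTP connections still possible"
    elif (m := re.search(r"max-age=(\d+)", hsts)) is None:
        findings["Strict-Transport-Security"] = "invalid: no max-age directive"
    elif int(m.group(1)) < ONE_YEAR:
        findings["Strict-Transport-Security"] = "weak: max-age shorter than one year"
    else:
        findings["Strict-Transport-Security"] = "ok"
    # CSP: Report-Only is the testing mode from the .htaccess snippet; it reports but blocks nothing
    if "content-security-policy" in h:
        findings["Content-Security-Policy"] = "ok"
    elif "content-security-policy-report-only" in h:
        findings["Content-Security-Policy"] = "report-only: violations are reported, not blocked"
    else:
        findings["Content-Security-Policy"] = "missing: script sources are unrestricted"
    # X-Frame-Options: only DENY and SAMEORIGIN are enforced by current browsers; the obsolete
    # ALLOW-FROM form is not, so it gives no clickjacking protection
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing: page can be framed by other sites"
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "ok"
    else:
        findings["X-Frame-Options"] = "invalid: %r is not enforced by browsers" % xfo
    # X-Content-Type-Options: nosniff is the only meaningful value
    if h.get("x-content-type-options", "").lower() == "nosniff":
        findings["X-Content-Type-Options"] = "ok"
    else:
        findings["X-Content-Type-Options"] = "missing: MIME sniffing allowed"
    findings["Permissions-Policy"] = "ok" if "permissions-policy" in h else "missing"
    return findings
```

Feed it the headers from a real response (for example the output of curl -sI on your own site, parsed into a dict) to see which of the fixes above actually took effect.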
Easy to protect your website with security headers
WP Security Ninja comes with a very easy way to get your website protected with security headers: you can protect yourself by clicking a few checkboxes or by using the getting started wizard.
A few clicks allow you to turn on each header and gives you a chance to fine-tune each setting as required.
Screenshot from the plugin interface: