
Setting Security Headers

Published on: November 30, 2021 at 9:22 am · By: ajtruckle
Hi

I asked my domain provider how they felt my security headers should be set up and they came back with:

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy "same-origin"
Header always set Expect-CT "max-age=30, enforce"
Header always set Permissions-Policy "geolocation=(); midi=(); notifications=(); push=(); sync-xhr=(); accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=(); usb=(); xr=(); speaker=(self); vibrate=(); fullscreen=(self);"
</IfModule>

At the moment, in the GD plugin it is creating the data like this:

# BEGIN GD Security Headers
<IfModule mod_headers.c>
	# add header: content-security-policy
	Header set Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ; img-src 'self' data: s.w.org ps.w.org ts.w.org secure.gravatar.com www.gravatar.com; report-uri https://www.publictalksoftware.co.uk?gdsih-csp-report;"
	# add header: x-xss-protection
	Header set X-XSS-Protection "1; mode=block; report=https://www.publictalksoftware.co.uk?gdsih-xxp-report;"
	# add header: x-content-type-options
	Header always set X-Content-Type-Options "nosniff"
	# add header: x-frame-options
	Header always set X-Frame-Options "SAMEORIGIN"
	# add header: strict-transport-security
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	# add header: referrer-policy
	Header always set Referrer-Policy "same-origin"
</IfModule>
# END GD Security Headers

It is not exactly the same. How do I adjust it through your GUI?

Replies

    There are so many ways to adjust the headers, and there is no ‘right’ way to do it. For many of the headers, it depends on the website content. What your hosting proposed for ‘Content-Security-Policy’ is very wrong, because that header offers so many options and so many important ways to protect against all sorts of things by limiting different request types.

    In my plugin Settings, there are 4 panels to configure headers: Content Security Policy, X XSS Protection, Feature/Permissions Policy, and Security Headers. Unfortunately, Content Security Policy is useful but very complex to set up, and I can’t provide straightforward instructions on how to set it up. I included blocks of predefined rules for it (and you use some of those I see already).

    Regards,
    Milan

    Dev4Press - Premium plugins for WordPress.
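To see concretely where the two blocks in this thread differ, and why the reply calls the host's Content-Security-Policy line weak, here is a small checker added for this page (it is not part of the plugin or of either post). It parses Apache `Header set` directives, diffs the two configurations (including the `always` flag, which controls whether the header is also sent on error responses), and flags a CSP that has no `default-src` or that allows `'unsafe-inline'`/`'unsafe-eval'`. The sample blocks are copied from the thread with the plugin's `report-uri` dropped for brevity.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the host's proposal and the plugin's output from the thread (abridged).
HOST_PROPOSAL = """\
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy "same-origin"
"""
PLUGIN_OUTPUT = """\
Header set Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ; img-src 'self' data: s.w.org ps.w.org ts.w.org secure.gravatar.com www.gravatar.com;"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Referrer-Policy "same-origin"
"""

# Matches: Header [always] set|add|append Name[:] "value" | bareword   (trailing env=... is ignored)
HEADER_RE = re.compile(r'^\s*Header\s+(always\s+)?(?:set|add|append)\s+(\S+?):?\s+("([^"]*)"|\S+)', re.I)

def parse_headers(block: str) -> Dict[str, Tuple[bool, str]]:
    """Map lowercase header name -> (always_flag, value) for every Header directive in the block."""
    out: Dict[str, Tuple[bool, str]] = {}
    for line in block.splitlines():
        m = HEADER_RE.match(line)
        if m:
            value = m.group(4) if m.group(4) is not None else m.group(3)
            out[m.group(2).lower()] = (bool(m.group(1)), value)
    return out

def diff_headers(first: Dict[str, Tuple[bool, str]], second: Dict[str, Tuple[bool, str]]) -> List[str]:
    """One finding per header that is missing on one side or differs in value or 'always' flag."""
    findings = []
    for name in sorted(set(first) | set(second)):
        if name not in first:
            findings.append(f"only in second: {name}")
        elif name not in second:
            findings.append(f"only in first: {name}")
        elif first[name] != second[name]:
            findings.append(f"differs: {name} first={first[name]} second={second[name]}")
    return findings

def csp_findings(policy: str) -> List[str]:
    """Flag a CSP with no default-src (no resource load is restricted) or with unsafe-* keywords."""
    directives = {}
    for part in policy.split(';'):
        toks = part.split()
        if toks:
            directives[toks[0].lower()] = toks[1:]
    findings = []
    if 'default-src' not in directives:
        findings.append("no default-src: this policy restricts no resource loads")
    for name, sources in directives.items():
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"{name} allows {weak}")
    return findings
```

Run `diff_headers(parse_headers(HOST_PROPOSAL), parse_headers(PLUGIN_OUTPUT))` to list the concrete differences, and `csp_findings(...)` on either policy string to see why neither CSP is strong as written.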
