Back to GD Security Headers Forum

Setting Security Headers

Published on: November 30, 2021 at 9:22 am · By: ajtruckle
Author
Topic
#74051

Hi

I asked my domain provider how they felt my security headers should be set up and they came back with:

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy: upgrade-insecure-requests
Header set Referrer-Policy "same-origin"
Header always set Expect-CT "max-age=30, enforce"
Header always set Permissions-Policy "geolocation=(); midi=();notifications=();push=();sync-xhr=();accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=();usb=(); xr=();speaker=(self);vibrate=();fullscreen=(self);"  
</IfModule>

At the moment, in the GD plugin it is creating the data like this:

# BEGIN GD Security Headers
<IfModule mod_headers.c>
	# add header: content-security-policy
	Header set Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ; img-src 'self' data: s.w.org ps.w.org ts.w.org secure.gravatar.com www.gravatar.com; report-uri https://www.publictalksoftware.co.uk?gdsih-csp-report;"
	# add header: x-xss-protection
	Header set X-XSS-Protection "1; mode=block; report=https://www.publictalksoftware.co.uk?gdsih-xxp-report;"
	# add header: x-content-type-options
	Header always set X-Content-Type-Options "nosniff"
	# add header: x-frame-options
	Header always set X-Frame-Options "SAMEORIGIN"
	# add header: strict-transport-security
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	# add header: referrer-policy
	Header always set Referrer-Policy "same-origin"
</IfModule>
# END GD Security Headers

It is not exactly the same. How do I adjust it through your GUI?

Topic Information
General Question
7.4
5.7
1.5
Viewing 1 replies (of 1 total)
Author
Replies
  • #74055

    There are so many ways to adjust the headers, and there is no ‘right’ way to do it. For many of the headers, depends on the website content. What you hosting proposed for ‘Content-Security-Policy’ is very wrong, because that header offers so many options and so many important ways to protect against all sorts of things by limiting different request types.

    In my plugin Settings, there are 4 panels to configure headers: Content Security Policy, X XSS Protection, Feature/Permissions Policy, and Security Headers. Unfortunately, Content Security Policy is useful but very complex to set up, and I can’t provide straightforward instructions how to set it up. I included blocks of predefined rules for it (and you use some of those I see already).

    Regards,
    Milan

    Dev4Press - Premium plugins for WordPress.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.