Dev4Press

Security Headers

To make your website more secure for your visitors and prevent various types of attacks, there are plenty of security headers you can configure and use. Most of them are set-and-forget: once configured, they work without requiring much time to maintain.

The coreSecurity plugin also supports the Content Security Policy and Permissions Policy headers, but those are more complex and take work to set up and maintain. The headers in the Security Headers feature are much simpler.

Main Settings

Method for adding headers

This setting, like the same setting in the other security header features, controls the way the headers are added to the website.

  • Select Method: If your server supports the .HTACCESS file (Apache and compatible servers), that is the best method to add headers. The Direct method works with any server: headers are added using PHP on every page request, and only for web pages. Headers added to .HTACCESS are sent with every file the server serves (images, scripts, stylesheets, uploads), not only web pages; the same holds for a CSP added this way.

Headers Settings

X-Content-Type-Options

This header stops browsers from MIME sniffing a response away from its declared Content-Type; its only value is nosniff. It reduces exposure to attacks that rely on a file being interpreted as a different type than the server declared, for example an uploaded file being executed as a script or loaded as a stylesheet.

Learn more about this header at Mozilla Developer Network: X-Content-Type-Options.

X-XSS-Protection

Enables and configures the browser's built-in reflected XSS filter, with the option to make the browser block the response when an XSS attempt is detected. Note that this filter has been removed from Chromium-based browsers and was never implemented in Firefox, so the header has no effect in current browsers. In the older browsers that still honour it, filter mode (1 without mode=block) has itself been abused to selectively disable scripts on a page, so 0 (disabled) or not sending the header at all is the safer choice, with Content Security Policy as the actual defence against XSS.

Learn more about this header at Mozilla Developer Network: X-XSS-Protection.

X-Frame-Options

Controls whether the website may be loaded inside an IFRAME, with the option to set it to Deny or Same Origin only.

  • By default, SAMEORIGIN allows your website to be loaded in an IFRAME only by pages from your own origin.
  • You can disable IFRAME embedding entirely (DENY) or limit it to your own origin (SAMEORIGIN).
  • To allow IFRAME embedding from specific other domains, use the CSP header: X-Frame-Options has no working allow-list value (ALLOW-FROM was never widely supported and is obsolete).
  • This header is superseded by the CSP ‘frame-ancestors’ directive, which controls who may embed your pages. If you set frame-ancestors, you don’t strictly need X-Frame-Options, although keeping it does no harm as a fallback for older browsers. The ‘frame-src’ and ‘child-src’ directives are not replacements: they control what your pages may embed, not who may embed them.
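The distinction above, as an added example and not the plugin's generated output: a hand-written Apache mod_headers fragment that allows framing from the site itself and one partner origin. The hostname https://partner.example is a placeholder.

```apache
# Added example (not plugin output): frame embedding allowed from the site itself
# and one partner origin. https://partner.example is a placeholder hostname.
<IfModule mod_headers.c>
    # Fallback for browsers without CSP Level 2 support. Browsers that understand
    # frame-ancestors ignore X-Frame-Options when both headers are present.
    Header always set X-Frame-Options "SAMEORIGIN"

    # frame-ancestors controls who may embed this page. It is not frame-src,
    # which controls what this page itself may embed.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://partner.example"
</IfModule>
```

If the plugin's own CSP feature already sends a Content-Security-Policy header, add frame-ancestors to that policy rather than sending a second header from .HTACCESS: when a response carries several CSP headers, every policy is enforced and the strictest one wins, which makes debugging blocked embeds confusing.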

Learn more about this header at Mozilla Developer Network: X-Frame-Options.

Referrer Policy

Controls how much referrer information the browser includes in requests made from your website, both when visitors navigate away and when a page loads resources from other sites.

The policy value is set through a single option.

Learn more about this header at Mozilla Developer Network: Referrer-Policy.

Strict-Transport-Security

Strengthens your secure connection setup by forcing the user agent to use HTTPS. Use it only once HTTPS works for the whole site: a browser that has seen this header refuses plain HTTP connections to the host until the policy expires, so a misconfiguration locks visitors out rather than degrading gracefully.

This header has two options: the maximum age of the policy (max-age, in seconds) and whether it should include subdomains (includeSubDomains). Start with a short max-age and raise it once everything works, and enable includeSubDomains only if every subdomain is reachable over HTTPS.

Learn more about this header at Mozilla Developer Network: Strict-Transport-Security.

Cross Origin Embedder Policy

Controls whether the document may embed cross-origin resources (images, scripts, iframes) that have not explicitly granted permission through CORS or a Cross-Origin-Resource-Policy header. This header has an option to control how the policy is applied. Its strict value, require-corp, blocks every cross-origin resource that has not opted in, which commonly breaks third-party embeds on a WordPress site, so test it before enabling.

Learn more about this header at Mozilla Developer Network: Cross-Origin-Embedder-Policy.

Cross Origin Opener Policy

Ensures that the top-level document doesn’t share a browsing context group with cross-origin documents, so a cross-origin page that opens your site (or is opened by it) cannot keep a reference to your window. This header has an option to control how the policy is applied.

Learn more about this header at Mozilla Developer Network: Cross-Origin-Opener-Policy.

Cross Origin Resource Policy

Set on a response, this header tells the browser which origins may embed that resource (same-origin, same-site or cross-origin), so other sites cannot load your images, scripts or fonts, and it provides the opt-in that Cross-Origin-Embedder-Policy requires. This header has an option to control how the policy is applied. Because it is attached to every response, a value of same-origin also stops your own subdomains from loading those resources; same-site allows them.

Learn more about this header at Mozilla Developer Network: Cross-Origin-Resource-Policy.
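Putting the headers above together, here is an added example of the .HTACCESS method written by hand for Apache with mod_headers. It is not the file the coreSecurity plugin writes; the values chosen (max-age=300, same-site, strict-origin-when-cross-origin) are starting points for illustration, not plugin defaults. As noted under Main Settings, everything in this file is sent with every file the server serves, not only web pages.

```apache
# Added example, not the file the coreSecurity plugin writes: the headers from this
# page as an Apache mod_headers fragment for .htaccess. The values used here
# (max-age=300, same-site, strict-origin-when-cross-origin) are illustrative.
<IfModule mod_headers.c>
    # "always" applies the header to error responses (404, 500) too; plain
    # "Header set" only touches successful responses.
    Header always set X-Content-Type-Options "nosniff"

    # Current browsers have dropped the XSS auditor; 0 disables the legacy filter
    # rather than enabling a behaviour that has been abused on its own.
    Header always set X-XSS-Protection "0"

    # DENY or SAMEORIGIN are the only usable values; allow-listing other sites
    # needs the CSP frame-ancestors directive instead.
    Header always set X-Frame-Options "SAMEORIGIN"

    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Sent only on HTTPS responses (mod_ssl sets the HTTPS environment variable),
    # so plain-HTTP requests never receive it. Start with a short max-age and
    # raise it once every subdomain is confirmed to work over HTTPS.
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains" env=HTTPS

    # Cross-origin isolation headers. same-site lets your own subdomains load
    # these resources while other sites cannot embed them.
    Header always set Cross-Origin-Opener-Policy "same-origin"
    Header always set Cross-Origin-Resource-Policy "same-site"

    # require-corp blocks every third-party image, script or iframe that has not
    # opted in via CORS or CORP. Left disabled here; enable only after testing.
    # Header always set Cross-Origin-Embedder-Policy "require-corp"
</IfModule>
```

After deploying, confirm the result with a request for both a page and a static file (for example an uploaded image), since the .HTACCESS method applies to both, and check that an HTTP request does not receive Strict-Transport-Security while an HTTPS request does.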
