HTTP Headers for Security – How to change HTTP headers in WordPress


Do you want to set HTTP security headers in WordPress (X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security)?

After the last workshop about security I wanted to check how to use the knowledge in a live project.

To check how it works I tried two scenarios:

  1. https://developer.wordpress.com/docs/tutorials/add-http-headers/ – changing HTTP headers using a custom-redirects.php file
  2. https://docs.wpvip.com/infrastructure/http-headers/ – changing HTTP headers using the theme's functions.php file

None of them worked on my side…

But finally I’ve found a plugin: https://wordpress.org/plugins/http-headers/

How to check HTTP Headers

To check the HTTP headers that matter from a security point of view, it is convenient to use this website:

https://securityheaders.com

The site reports which security headers a domain sends and grades the result.

Starting point for piotr-sikora.com

Below you can see that the scan of my website looked like one big red flag.

Additionally, I wanted to be sure that my headers are available, so I created a short Jupyter Notebook in Python:

import requests

url = "https://piotr-sikora.com"

# GET rather than HEAD: some servers answer HEAD with a different header set.
# requests follows redirects, so these are the headers of the final response.
response = requests.get(url, timeout=10)

# Print all headers (response.headers is a case-insensitive dict)
for header in response.headers:
    print(header, ":", response.headers[header])

After running this code, the list of my headers:

Server : nginx
Date : Sun, 01 Sep 2024 14:39:16 GMT
Content-Type : text/html; charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
X-Powered-By : PHP/8.1.29
Link : <https://piotr-sikora.com/wp-json/>; rel="https://api.w.org/"

Check if securityheaders.com has proper HTTP Headers

The shoemaker’s son always goes barefoot so… let’s check if the website itself has all HTTP Headers set as well:

… and let's treat it as the goal for my website.

Installation of HTTP Headers plugin and configuration

First of all, I installed the WP plugin:

https://wordpress.org/plugins/http-headers/

After checking the report, I began changing the appropriate headers step by step. You can see the settings in the plugin:

After that I entered the first link – SECURITY:

Each listed header has a set of options ready to use. To access them, click 'Edit' at the end of the line. For example, the X-Frame-Options header:

X-XSS-Protection header:

Final result – Score B

After all the changes possible with the HTTP Headers WordPress plugin, the securityheaders.com report:

And from the Jupyter Notebook script:

Server : nginx
Date : Sun, 01 Sep 2024 15:26:25 GMT
Content-Type : text/html; charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
X-Frame-Options : SAMEORIGIN
X-XSS-Protection : 1; mode=block
Strict-Transport-Security : max-age=2592000
Content-Security-Policy : default-src https:; script-src https:; style-src https:; img-src https:; connect-src https:; font-src https:; media-src https:; report-uri https:; child-src https:; form-action https:; frame-ancestors https:; object-src https:; frame-src https:; worker-src https:; manifest-src https:; navigate-to https:; prefetch-src https:; base-uri https:
Referrer-Policy : same-origin
Permissions-Policy : autoplay=()
X-Powered-By : PHP/8.1.29
Link : <https://piotr-sikora.com/wp-json/>; rel="https://api.w.org/"

Summary: Recommended security HTTP Headers check

X-Content-Type-Options
X-XSS-Protection
X-Frame-Options
Referrer-Policy
Permissions-Policy
Strict-Transport-Security

A few things worth noting in the final output above. X-Content-Type-Options is still not sent, so that item of the list is not done yet. X-Powered-By still discloses the exact PHP version and should be suppressed. Strict-Transport-Security uses max-age=2592000 (30 days); one year is the usual minimum. X-XSS-Protection is a legacy header that current browsers ignore (the built-in XSS auditors were removed), so the real protection against script injection has to come from Content-Security-Policy, and a policy built only from the scheme source https: allows scripts from any HTTPS origin and does not provide it.
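The summary list above only says which headers should exist, but securityheaders.com and an attacker both care about the values. The following is an added example, not code from the original post or from the HTTP Headers plugin: it turns the list into an offline audit that checks values rather than presence, including two traps visible in the final output on this page: a CSP frame-ancestors directive overrides X-Frame-Options in browsers that support CSP, so frame-ancestors https: undoes SAMEORIGIN, and a script-src of https: allows scripts from any HTTPS origin. The two header dicts are constructed from the before/after dumps captured in the post (CSP abridged, non-security headers dropped); the check names and thresholds (one year for HSTS, the set of safe Referrer-Policy values) are the author of this example's choices, and fetch_headers is an assumed helper for running the same audit against a live site.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the header dumps captured in the post before and
# after configuring the plugin (CSP abridged, Date/Transfer-Encoding omitted).
HEADERS_BEFORE = {
    "Server": "nginx",
    "X-Powered-By": "PHP/8.1.29",
}
HEADERS_AFTER = {
    "Server": "nginx",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=2592000",
    "Content-Security-Policy": "default-src https:; script-src https:; "
                               "frame-ancestors https:; object-src https:; base-uri https:",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "autoplay=()",
    "X-Powered-By": "PHP/8.1.29",
}

# The headers from the post's summary list.
RECOMMENDED = [
    "X-Content-Type-Options", "X-XSS-Protection", "X-Frame-Options",
    "Referrer-Policy", "Permissions-Policy", "Strict-Transport-Security",
]
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
# Source expressions that make a CSP directive effectively unrestricted.
BROAD_SOURCES = {"*", "https:", "http:", "'unsafe-inline'", "'unsafe-eval'"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Recommended headers that are absent altogether."""
    return [h for h in RECOMMENDED if get_header(headers, h) is None]


def audit_headers(headers: Dict[str, str]) -> Dict[str, bool]:
    """Return {check: passed}; each check inspects the value, not just presence."""
    results: Dict[str, bool] = {}
    xcto = get_header(headers, "X-Content-Type-Options") or ""
    results["nosniff"] = xcto.strip().lower() == "nosniff"

    csp_value = get_header(headers, "Content-Security-Policy")
    csp = parse_csp(csp_value) if csp_value else {}
    results["csp_present"] = bool(csp)

    # frame-ancestors, when present, takes precedence over X-Frame-Options,
    # so a broad frame-ancestors (https:) cancels a good X-Frame-Options value.
    xfo = (get_header(headers, "X-Frame-Options") or "").strip().upper()
    frame_ancestors = csp.get("frame-ancestors")
    if frame_ancestors is not None:
        results["framing_restricted"] = not (set(frame_ancestors) & BROAD_SOURCES)
    else:
        results["framing_restricted"] = xfo in ("DENY", "SAMEORIGIN")

    # script-src falls back to default-src; a scheme-only source such as https:
    # lets any HTTPS origin supply scripts, which is no XSS protection at all.
    script_src = csp.get("script-src", csp.get("default-src", []))
    results["script_src_restricted"] = bool(script_src) and not (set(script_src) & BROAD_SOURCES)

    hsts = get_header(headers, "Strict-Transport-Security")
    results["hsts_present"] = hsts is not None
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    results["hsts_one_year"] = bool(max_age) and int(max_age.group(1)) >= ONE_YEAR

    referrer = (get_header(headers, "Referrer-Policy") or "").strip().lower()
    results["referrer_policy_safe"] = referrer in SAFE_REFERRER_POLICIES
    results["permissions_policy_present"] = get_header(headers, "Permissions-Policy") is not None

    # Fingerprinting: X-Powered-By or a versioned Server banner reveals the stack.
    server = get_header(headers, "Server") or ""
    results["no_version_leak"] = (get_header(headers, "X-Powered-By") is None
                                  and not re.search(r"\d", server))
    return results


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Assumed helper for live use; imported lazily so the offline audit needs no network."""
    import requests
    response = requests.get(url, timeout=timeout, allow_redirects=True)
    return dict(response.headers)


if __name__ == "__main__":
    for label, hdrs in (("before", HEADERS_BEFORE), ("after", HEADERS_AFTER)):
        print(f"--- {label}: missing {missing_headers(hdrs)}")
        for check, ok in audit_headers(hdrs).items():
            print(f"{'PASS' if ok else 'FAIL'} {check}")
```

Run against the "after" dump, the audit still fails nosniff, the one-year HSTS threshold, both CSP checks and the version-leak check, which is a more useful to-do list than a letter grade. For a live site, replace the constructed dicts with `audit_headers(fetch_headers("https://example.com"))`.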

About Post Author

Piotr Sikora

Piotr Sikora Founder of WolePapierowe.com Co-founder of Liderazgo.pl MeetJS Kielce Committee member. JavaScript and Python enthusiast.