Categories

HTTP Headers for Wordpress

Posted on: May 15, 2016 by Dimitar Ivanov

Overview

HTTP Headers is a WordPress plugin who gives your control over the HTTP headers returned by your wordpress based blog or website. Helps to protect from XSS, MITM and Clickjacking attacks. Overcomes the limitations of the same-origin policy.

HTTP Headers

A list of headers supported by current version:

  • X-Frame-Options
  • Access-Control-Allow-Origin
  • X-XSS-Protection
  • Access-Control-Allow-Credentials
  • X-Content-Type-Options
  • Access-Control-Max-Age
  • X-UA-Compatible
  • Access-Control-Allow-Methods
  • Strict-Transport-Security
  • Access-Control-Allow-Headers
  • Public-Key-Pins
  • Access-Control-Expose-Headers
  • P3P
Who use these headers?

These HTTP headers are being used in production services by popular websites as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Ebay, Paypal, Instagram, Pinterest, Dropbox, Reddit, Netflix, Tumblr, Blogger and many more.

Installation

To install HTTP Headers plugin on your WordPress blog, follow these steps:

  1. Download the source code of HTTP Headers for WordPress using your preferred method among:
    1. SVN Checkout - for those of you who are familiar with SVN and command line, use this command:
      $ svn co https://plugins.svn.wordpress.org/http-headers/tags/1.1.0/
      
    2. File download - for those of you who likes an old-fashioned file download, click the button below: Download HTTP Headers v1.1
  2. Copy the plugin's content into the /wp-content/plugins/http-headers folder.
  3. Activate the plugin.
  4. That's all.
Headers in action

The image below shows up how the security headers are presented in the server response:

HTTP Headers for WordPress

Sample configuration

A typical configuration for a website includes these security headers and their corresponding values:

  • X-Frame-Options: deny
  • X-XSS-Protection: 1; mode=block
  • X-Content-Type-Options: nosniff
  • X-UA-Compatible: IE=edge,chrome=1
  • Strict-Transport-Security: max-age: 31536000; includeSubDomains (include only if your website supports SSL)

If you intend to support cross-origin resource sharing, consider following:

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Credentials: true (include if you will support HTTP Cookies, HTTP Authentication or SSL certificates)
  • Access-Control-Allow-Methods: POST, GET, OPTIONS
  • Access-Control-Allow-Headers: Origin
  • P3P: CP="CAO PSA OUR"

License

HTTP Headers for WordPress is licensed under the GPLv2 license or later.

Compatibility

HTTP Headers plugin requires WordPress 3.2 or higher and is compatible up to WordPress 4.7.2.

Conclusion

Along with improving the security of your website, this plugin makes your blog a CORS-compliant. That make it a must-have addition to your WordPress site.

See also
Share this post

If you have any question about the HTTP Headers for WordPress, leave a comment below. And do not be shy to share this article. Thanks so much for reading!


7 Comments

AMV
You are updating your blog regularly but I see no activity on ZinoUI. Does that mean that it is dead
Iggy
This plugins looks very promising! But could you publish some recommended settings for a typical site?

Thanks!
Dimitar Ivanov
Dimitar Ivanov June 16, 2016 at 12:40 pm
@AMV not at all. Recently, a new service was launched - Geomaps Editor. See https://editor.zinoui.com
Dimitar Ivanov
Dimitar Ivanov June 16, 2016 at 12:46 pm
@Iggy great idea, definitely I will.
Alex
Hey, nifty plugin, thank you! Also quite happy with the "hidden" CSP one, I enabled it for myself and the template I use with

header("Content-Security-Policy: default-src 'none' ; script-src 'self' wordpress.org s.w.org ; connect-src 'self' ; img-src 'self' 1.gravatar.com ; style-src 'self' fonts.googleapis.com fonts.gstatic.com ; font-src 'self' fonts.googleapis.com fonts.gstatic.com data: ;");

and a bunch of SHA256 hashes which took quite a while :) I'm not really sure how you would get that to work as a general setting though...

Much appreciated!
Rich
Hey, thanks for your work on this plugin. I'm having an issue where only the homepage has the header changes. Is this something you've come across?
Dimitar Ivanov
@Rich this never happened to me. You may try to deactivate the rest of plugins one by one just to see where the problem goes from.

Leave a comment

Captcha