HTTP Headers for Wordpress

Posted on: May 15, 2016 by Dimitar Ivanov

Overview

HTTP Headers is a WordPress plugin who gives your control over the HTTP headers returned by your wordpress based blog or website. Helps to protect from XSS, MITM and Clickjacking attacks. Overcomes the limitations of the same-origin policy.

HTTP Headers

A list of headers supported by current version:

X-Frame-Options
Access-Control-Allow-Origin
X-XSS-Protection
Access-Control-Allow-Credentials
X-Content-Type-Options
Access-Control-Max-Age
X-UA-Compatible
Access-Control-Allow-Methods
Strict-Transport-Security
Access-Control-Allow-Headers
~~Public-Key-Pins~~
~~Public-Key-Pins-Report-Only~~
Access-Control-Expose-Headers
P3P
Referrer-Policy
Content-Security-Policy
Content-Security-Policy-Report-Only
Age
Cache-Control
Expires
Pragma
Content-Encoding
Content-Type
Vary
Connection
X-Powered-By
WWW-Authenticate
Expect-CT
Timing-Allow-Origin
X-DNS-Prefetch-Control
X-Download-Options
X-Permitted-Cross-Domain-Policies
Report-To
Feature-Policy
Clear-Site-Data
Cross-Origin-Resource-Policy

Who use these headers?

These HTTP headers are being used in production services by popular websites as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Ebay, Paypal, Instagram, Pinterest, Dropbox, Reddit, Netflix, Tumblr, Blogger and many more.

Installation

To install HTTP Headers plugin on your WordPress blog, follow these steps:

Download the source code of HTTP Headers for WordPress using your preferred method among:
1. SVN Checkout - for those of you who are familiar with SVN and command line, use this command:
```
$ svn co https://plugins.svn.wordpress.org/http-headers/tags/1.15.0/
```
2. File download - for those of you who likes an old-fashioned file download, click the button below: Download HTTP Headers v1.15.0
Copy the plugin's content into the /wp-content/plugins/http-headers folder.
Activate the plugin.
That's all.

Headers in action

The image below shows up how the security headers are presented in the server response:

HTTP Headers for WordPress

Sample configuration

A typical configuration for a website includes these security headers and their corresponding values:

X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=edge,chrome=1
Strict-Transport-Security: max-age: 31536000; includeSubDomains (include only if your website supports SSL)
Referrer-Policy: no-referrer-when-downgrade

If you intend to support cross-origin resource sharing, consider following:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true (include if you will support HTTP Cookies, HTTP Authentication or SSL certificates)
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: Origin
P3P: CP="CAO PSA OUR"

If you want to include the Content Security Policy you can start with this:

Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts

License

HTTP Headers for WordPress is licensed under the GPLv2 license or later.

Compatibility

HTTP Headers plugin requires WordPress 3.2 or higher and is compatible up to WordPress 5.2.2

Conclusion

Along with improving the security of your website, this plugin makes your blog a CORS-compliant. That make it a must-have addition to your WordPress site.

Subscribe to our newsletter

Join our mailing list and stay tuned! Never miss out news about Zino UI, new releases, or even blog post.

46 Comments

AMV June 10, 2016 at 08:49 am

You are updating your blog regularly but I see no activity on ZinoUI. Does that mean that it is dead

Iggy June 16, 2016 at 12:14 pm

This plugins looks very promising! But could you publish some recommended settings for a typical site?

Thanks!

Dimitar Ivanov June 16, 2016 at 12:40 pm

@AMV not at all. Recently, a new service was launched - Geomaps Editor. See https://editor.zinoui.com

Dimitar Ivanov June 16, 2016 at 12:46 pm

@Iggy great idea, definitely I will.

Alex September 19, 2016 at 03:35 am

Hey, nifty plugin, thank you! Also quite happy with the "hidden" CSP one, I enabled it for myself and the template I use with

header("Content-Security-Policy: default-src 'none' ; script-src 'self' wordpress.org s.w.org ; connect-src 'self' ; img-src 'self' 1.gravatar.com ; style-src 'self' fonts.googleapis.com fonts.gstatic.com ; font-src 'self' fonts.googleapis.com fonts.gstatic.com data: ;");

and a bunch of SHA256 hashes which took quite a while :) I'm not really sure how you would get that to work as a general setting though...

Much appreciated!

Rich September 22, 2016 at 12:41 pm

Hey, thanks for your work on this plugin. I'm having an issue where only the homepage has the header changes. Is this something you've come across?

Dimitar Ivanov September 30, 2016 at 23:10 pm

@Rich this never happened to me. You may try to deactivate the rest of plugins one by one just to see where the problem goes from.

Julie June 21, 2017 at 10:01 am

Hi, THnaks for this plugin. Is it copatible with wordpress version 4.8 ? It seem not working any more since I upgrade it ...

Thank you
Julie

Dimitar Ivanov June 22, 2017 at 14:00 pm

@Julie

yep, the plugin is compatible with WordPress 4.8
I've just tested it, works as expected.

Josep July 7, 2017 at 03:58 am

Hi. Great plugin.
I'm having, though, one issue with Access-Control-Allow-Origin. Whatever the value I set, I get two Access-Control-Allow-Origin headers, one with the actual value, and another with my localhost.

So for me is not working because only one Access-Control-Allow-Origin header is allowed

Kimie August 31, 2017 at 16:17 pm

Hi.
What an awesome plugin.
Could you add in the next update the ability to import and export setting?
Thank you.

Dimitar Ivanov September 1, 2017 at 01:24 am

@Kimie it's a good idea, thanks!

Konstantinos September 8, 2017 at 15:14 pm

Hi,

One of my favorite plugins, is GREAT .

I only recently have a problem with cache-control

I set :
cache-control must-revalidate, no-cache, no-store, max-age=0, s-maxage=0

but when inspect headers from inside the plugin or with an outside scanner they return

cache-control must-revalidate, no-cache, no-store, max-age=0, s-maxage=0, private, no-cache, no-store, proxy-revalidate, no-transform.

Thanks.

Claudia September 8, 2017 at 19:30 pm

Hi, could you please post recommended settings to cache control? Thanks

Dimitar Ivanov September 13, 2017 at 09:46 am

@Konstantinos,

It is absolutely possible sending multiple Cache-Control headers, which are combined by user-agents and displayed as a single header.

So, if this plugin is configured per your example:
Header set Cache-Control "must-revalidate, no-cache, no-store, max-age=0, s-maxage=0"

After that some other plugin sent the following:
Header append Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"

In the end, you will get:
Cache-Control: must-revalidate, no-cache, public, max-age=3600, private, no-cache, no-store, proxy-revalidate, no-transform

My advice is to review your site' .htaccess file.

Dimitar Ivanov September 13, 2017 at 10:09 am

@Claudia

In general, there are two patterns:

1. The first one is applicable for web pages with a content that never change, or at least not before the time in the max-age directive
Cache-Control: max-age=31536000

2. The second one is used by web pages with a content that is liked to change frequently
Cache-Control: no-cache, no-store, must-revalidate

Keep note that this plugin sends a Cache-Control header only for the main document.

Justin Stojkovic November 5, 2017 at 20:05 pm

Not sure if this plugin works with NGINX setup, or at least I haven't been able to see any effect. Is there a requirement or special guide for WP sites running NGINX?

Dimitar Ivanov November 6, 2017 at 12:17 pm

@Justin,

To use this plugin on Nginx web servers you can activate the PHP-mode. Although this mode does not provide the full capabilities as the Apache-mode does, you are still able to benefit from most essential features.
However, I have a plan for next release to support Nginx throughout a configuration file in the same manner as .htaccess for Apache.

Frankie November 19, 2017 at 08:46 am

In my WP dashboard, the plugin info says "Compatible up to: 4.9". The info on this page says "compatible up to WordPress 4.8.1".

Dimitar Ivanov November 19, 2017 at 08:58 am

@Frankie,

I forgot to update this blog post. It's fixed now. Thanks

Vibhi November 26, 2017 at 10:51 am

What is The best Setting for Http Cache and compression
and can You tell me how can i also show Add To Home Notification in wordpress

star collon January 4, 2018 at 09:05 am

Thanks for great plugin

How can i disable Xframe for allow on particular site
eg

if i want to show my site in iframe in other domain usually Xframe will not show the site but if i want to allow my site to be shown in example2. com

How can i achieve that

Jordi February 18, 2018 at 15:05 pm

Is this compatible with wordfence or are then any other known incompatibilities? I've installed the plugin and activated some headers but they don't show up in my .htaccess or on securityheader.io

Dimitar Ivanov February 18, 2018 at 16:57 pm

@Jordi,
The only reason for such an incompatibility may be the use of my plugin in a "PHP" mode. To change this go to the "Advanced settings" and select the "Apache" mode.

Martinbycle April 27, 2018 at 07:13 am

Hi All im noob here. Good post! Thx! Thx!

Mike Claggett July 14, 2018 at 05:51 am

I see the need for your plugin. I'm sure anybody would considering the possible exploits without having the HTTP headers configured properly.

And therein lies the rub for non-coders. A large percentage of WordPress User Wannabe/Admins choose WordPress as a Content Management System for the very reason that it doesn't require much if any coding knowledge.

While it's great your plugin is Free (BTW, I have donated), Free doesn't do us WP Admin Wannabe types much good if we have to hire an actual Apache/PHP knowledgeable coder to configure the six different control areas and make sure all settings don't cause any errors (Like contributors above refer to), or cause htaccess conflicts.

Understanding your instructions as to how to do the installation and the "SAMPLE CONFIGURATION" (Which appears to be 2 years old), doesn't seem to be applicable to your current build.

Example:
Item 5 in your Sample Configuration says:
Strict-Transport-Security: max-age: 31536000; includeSubDomains (include only if your website supports SSL).

The current build for that "Strict-Transport-Security" EDIT Screen requires a process of elimination going through the 9 options in the drop down to find the option that matches your Example: max-age: 31536000.
^^ Not Exactly User-Friendly ^^

You are certainly to be commended for all your efforts to build and offer for Free a plugin that can help make our WordPress sites more secure against HTTP Header Exploits.

Now if you could dumb-down the Sample Configuration and include a little more in the way of explanations about the settings options, I'm sure us non-coder types would be far less likely to submit yet another support request here.

Explanations regarding the settings in layman's terms most non-coders will appreciate which can't help but make your plugin more popular.

Thank you for all your apparent hard work.

Mike Claggett July 14, 2018 at 06:22 am

Another Example of no instruction as to how to configure settings options:

Content Security Policy:
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

Well, I would certainly like to "Detect and mitigate certain types of attacks" BUT there are 19 Directives with VALUE fields, that I have NO Ideal what should go in those fields.

I hope I'm not coming off as a Whiney Baby. But having a tool whose purpose is to help me, "mitigate certain types of attacks", and have no earthly idea how to configure that tool is quite frustrating.

CM September 17, 2018 at 00:29 am

Thank you Dmitri, just what I searched for, and set up was easy, thanks to your sample configuration.

I have a basic question:

In my non-WP site I had full control of the html raw code and used this in the head to stop Google and Bing from caching/translating my pages.

<meta name="robots" content="noarchive">
<meta name="google" content="no translate">

How do I use your plugin to achieve the same result? (mainly the no caching)

I'm currently using your default sample settings.

Thank you again :)

Tony Gilpin September 18, 2018 at 14:53 pm

Hi
Not if header plugin would help. I have mp4 videos , which all play on Firefox chrome , dolphin on my iPad Pro... but it does not play in safari.

Any ideas

Dimitar Ivanov September 26, 2018 at 00:18 am

@CM

For a non-standard or a less popular headers there is a "custom headers" feature, you can found it at Dashboard / Miscellaneous / Custom headers.

Then you can combine both directives like this:

Header: X-Robots-Tag
Value: noarchive, notranslate

CM September 26, 2018 at 23:11 pm

My apologies Dimitar (for calling you Dimitri!), and if my first post was unclear :)

I'm trying to stop Google and Bing etc from caching my pages and images in their index.

They are allowed to index my site, but NOT display cached pages, or index images from it, or translate the site.

Here's the code I'm currently using in my root htaccess file:

<Files ~ ".(png|jpe?g|gif)$">
Header set X-Robots-Tag "noindex"
</Files>

<Files ~ ".php$">
Header set X-Robots-Tag "noarchive, notranslate"
</Files>

Will this do what I want safely?

Thank you Dimitar.

I wrote the above before I noticed your reply here:

Q/
For a non-standard or a less popular headers there is a "custom headers" feature, you can found it at Dashboard / Miscellaneous / Custom headers.

Then you can combine both directives like this:

Header: X-Robots-Tag
Value: noarchive, no translate
/Q

Which method do you recommend I implement?

CM September 29, 2018 at 04:29 am

I deleted this from my root htaccess:

<Files ~ ".php$">
Header set X-Robots-Tag "noarchive, notranslate"
</Files>

And used your suggestion to make the header using your plugin:

Header: X-Robots-Tag
Value: noarchive, no translate

Marcelo Rizzo February 5, 2019 at 18:41 pm

Will this plugin work for preventing the server from disclosing its version?
Server: Apache/2.4

If so how?

Thanks in advance

agis_stn29 March 1, 2019 at 05:43 am

Thanks for an explanation, I too consider, that the easier, the better …

David Flanagan April 11, 2019 at 05:29 am

Hi Dimitar,

Thanks for the great plugin. One question though, is the plugin compatible on wordpress multisite? If so, can I enable it site by site or do I have to network enable it?

Thanks again,
David

Aman Kumar June 3, 2019 at 01:15 am

how to remove x-powered header

Dimitar Ivanov June 4, 2019 at 14:24 pm

To remove the X-Powered-By header go to Dashboard > Miscellaneous > X-Powered-By. Then turn it ON and choose the 'Unset' option.

John July 26, 2019 at 04:15 am

HI

Thanks for the great plugin.

I have the content security policy set up and have been using csp validation sites in order to get feedback on what I need to do to get the policy right.

object-src and base-uri show up as being correct but for script-src it suggests I use strict dynamic combined with either nonce or hash

I can see there is an option in the script-src section for strict dynamic but there aren't any options for nonce or hash

Could you please let me know how to use nonce and hash?

Thank you

Best regards

John

Dimitar Ivanov July 28, 2019 at 03:10 am

@John

Why not just mark the "strict-dynamic" checkbox, and use the text box below to enter a nonce like this:

'nonce-R9Li1vVh76uPF7EJke+HkA=='

This will results in the following header:

Header set Content-Security-Policy "script-src 'strict-dynamic' 'nonce-R9Li1vVh76uPF7EJke+HkA=='"

Then load your scripts like this:
<script nonce="R9Li1vVh76uPF7EJke+HkA==" src="color.js">

Adbotjerie August 6, 2019 at 18:47 pm

What's up, I log on to your blog on a regular basis. Your story-telling style is awesome, keep doing what you're doing!

Many thanks. Plenty of info.
adbot

Turisno_Dal August 10, 2019 at 03:32 am

Before you add HTTP security headers in your WordPress site, make sure you have an SSL certificate installed or else your site wouldn’t be accessible.

Josh September 19, 2019 at 11:06 am

After setting headers and doing an inspection, the some of the headers I've added appear in the response headers and others appear in the Missing headers section. I'm running NGINX and have the headers sent via PHP option selected. Could the use of a cache and CDN interfere with the headers being sent?

Dimitar Ivanov September 19, 2019 at 12:36 pm

@Josh

Please note that not every header works in PHP mode. Other main drawback of the PHP mode is that doesn't works with cache plugins. That's why you should avoid PHP mode when possible.

However, I plan to support nginx from next major version.

Josh M September 19, 2019 at 16:30 pm

Ok, thank you. Looking forward to that update!

Billy October 2, 2019 at 00:31 am

I have Cache enabler and Autoptilize plugins installed, I just installed HTTP Headers to set security headers up, but I wanted to do this through .htaccess but it is only working with PHP mode, do you know why I cannot use Apache?

Thank you

Billy October 2, 2019 at 00:35 am

Sorry I forgot, the problem is also that it is working when I am on the advanced setting tab and just selected PHP, but once I leave this settings are no longer working.

Comments are closed

Categories