Categories

Geo Maps Live Editor

HTTP Headers for Wordpress

Posted on: May 15, 2016 by Dimitar Ivanov

Overview

HTTP Headers is a WordPress plugin who gives your control over the HTTP headers returned by your wordpress based blog or website. Helps to protect from XSS, MITM and Clickjacking attacks. Overcomes the limitations of the same-origin policy.

HTTP Headers

A list of headers supported by current version:

  • X-Frame-Options
  • Access-Control-Allow-Origin
  • X-XSS-Protection
  • Access-Control-Allow-Credentials
  • X-Content-Type-Options
  • Access-Control-Max-Age
  • X-UA-Compatible
  • Access-Control-Allow-Methods
  • Strict-Transport-Security
  • Access-Control-Allow-Headers
  • Public-Key-Pins
  • Public-Key-Pins-Report-Only
  • Access-Control-Expose-Headers
  • P3P
  • Referrer-Policy
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Age
  • Cache-Control
  • Expires
  • Pragma
  • Content-Encoding
  • Vary
  • Connection
  • X-Powered-By
  • WWW-Authenticate
  • Expect-CT
  • Timing-Allow-Origin
  • X-DNS-Prefetch-Control
  • X-Download-Options
  • X-Permitted-Cross-Domain-Policies
  • Report-To
Who use these headers?

These HTTP headers are being used in production services by popular websites as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Ebay, Paypal, Instagram, Pinterest, Dropbox, Reddit, Netflix, Tumblr, Blogger and many more.

Installation

To install HTTP Headers plugin on your WordPress blog, follow these steps:

  1. Download the source code of HTTP Headers for WordPress using your preferred method among:
    1. SVN Checkout - for those of you who are familiar with SVN and command line, use this command: 
      $ svn co https://plugins.svn.wordpress.org/http-headers/tags/1.9.2/
    2. File download - for those of you who likes an old-fashioned file download, click the button below: Download HTTP Headers v1.9.2
  2. Copy the plugin's content into the /wp-content/plugins/http-headers folder.
  3. Activate the plugin.
  4. That's all.
Headers in action

The image below shows up how the security headers are presented in the server response:

HTTP Headers for WordPress

Sample configuration

A typical configuration for a website includes these security headers and their corresponding values:

  • X-Frame-Options: deny
  • X-XSS-Protection: 1; mode=block
  • X-Content-Type-Options: nosniff
  • X-UA-Compatible: IE=edge,chrome=1
  • Strict-Transport-Security: max-age: 31536000; includeSubDomains (include only if your website supports SSL)
  • Referrer-Policy: no-referrer-when-downgrade

If you intend to support cross-origin resource sharing, consider following:

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Credentials: true (include if you will support HTTP Cookies, HTTP Authentication or SSL certificates)
  • Access-Control-Allow-Methods: POST, GET, OPTIONS
  • Access-Control-Allow-Headers: Origin
  • P3P: CP="CAO PSA OUR"

License

HTTP Headers for WordPress is licensed under the GPLv2 license or later.

Compatibility

HTTP Headers plugin requires WordPress 3.2 or higher and is compatible up to WordPress 4.9.1.

Conclusion

Along with improving the security of your website, this plugin makes your blog a CORS-compliant. That make it a must-have addition to your WordPress site.

See also
Share this post

If you have any question about the HTTP Headers for WordPress, leave a comment below. And do not be shy to share this article. Thanks so much for reading!


24 Comments

AMV
AMV June 10, 2016 at 08:49 am
You are updating your blog regularly but I see no activity on ZinoUI. Does that mean that it is dead
Iggy
Iggy June 16, 2016 at 12:14 pm
This plugins looks very promising! But could you publish some recommended settings for a typical site?

Thanks!
Dimitar Ivanov
Dimitar Ivanov June 16, 2016 at 12:40 pm
@AMV not at all. Recently, a new service was launched - Geomaps Editor. See https://editor.zinoui.com
Dimitar Ivanov
Dimitar Ivanov June 16, 2016 at 12:46 pm
@Iggy great idea, definitely I will.
Alex
Alex September 19, 2016 at 03:35 am
Hey, nifty plugin, thank you! Also quite happy with the "hidden" CSP one, I enabled it for myself and the template I use with

header("Content-Security-Policy: default-src 'none' ; script-src 'self' wordpress.org s.w.org ; connect-src 'self' ; img-src 'self' 1.gravatar.com ; style-src 'self' fonts.googleapis.com fonts.gstatic.com ; font-src 'self' fonts.googleapis.com fonts.gstatic.com data: ;");

and a bunch of SHA256 hashes which took quite a while :) I'm not really sure how you would get that to work as a general setting though...

Much appreciated!
Rich
Rich September 22, 2016 at 12:41 pm
Hey, thanks for your work on this plugin. I'm having an issue where only the homepage has the header changes. Is this something you've come across?
Dimitar Ivanov
Dimitar Ivanov September 30, 2016 at 23:10 pm
@Rich this never happened to me. You may try to deactivate the rest of plugins one by one just to see where the problem goes from.
Julie
Julie June 21, 2017 at 10:01 am
Hi, THnaks for this plugin. Is it copatible with wordpress version 4.8 ? It seem not working any more since I upgrade it ...

Thank you
Julie
Dimitar Ivanov
Dimitar Ivanov June 22, 2017 at 14:00 pm
@Julie

yep, the plugin is compatible with WordPress 4.8
I've just tested it, works as expected.
Josep
Josep July 7, 2017 at 03:58 am
Hi. Great plugin.
I'm having, though, one issue with Access-Control-Allow-Origin. Whatever the value I set, I get two Access-Control-Allow-Origin headers, one with the actual value, and another with my localhost.

So for me is not working because only one Access-Control-Allow-Origin header is allowed
Kimie
Kimie August 31, 2017 at 16:17 pm
Hi.
What an awesome plugin.
Could you add in the next update the ability to import and export setting?
Thank you.
Dimitar Ivanov
Dimitar Ivanov September 1, 2017 at 01:24 am
@Kimie it's a good idea, thanks!
Konstantinos
Konstantinos September 8, 2017 at 15:14 pm
Hi,

One of my favorite plugins, is GREAT .

I only recently have a problem with cache-control

I set :
cache-control must-revalidate, no-cache, no-store, max-age=0, s-maxage=0

but when inspect headers from inside the plugin or with an outside scanner they return

cache-control must-revalidate, no-cache, no-store, max-age=0, s-maxage=0, private, no-cache, no-store, proxy-revalidate, no-transform.

Thanks.
Claudia
Claudia September 8, 2017 at 19:30 pm
Hi, could you please post recommended settings to cache control? Thanks
Dimitar Ivanov
Dimitar Ivanov September 13, 2017 at 09:46 am
@Konstantinos,

It is absolutely possible sending multiple Cache-Control headers, which are combined by user-agents and displayed as a single header.

So, if this plugin is configured per your example:
Header set Cache-Control "must-revalidate, no-cache, no-store, max-age=0, s-maxage=0"

After that some other plugin sent the following:
Header append Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"

In the end, you will get:
Cache-Control: must-revalidate, no-cache, public, max-age=3600, private, no-cache, no-store, proxy-revalidate, no-transform

My advice is to review your site' .htaccess file.
Dimitar Ivanov
Dimitar Ivanov September 13, 2017 at 10:09 am
@Claudia

In general, there are two patterns:

1. The first one is applicable for web pages with a content that never change, or at least not before the time in the max-age directive
Cache-Control: max-age=31536000

2. The second one is used by web pages with a content that is liked to change frequently
Cache-Control: no-cache, no-store, must-revalidate

Keep note that this plugin sends a Cache-Control header only for the main document.
Justin Stojkovic
Justin Stojkovic November 5, 2017 at 20:05 pm
Not sure if this plugin works with NGINX setup, or at least I haven't been able to see any effect. Is there a requirement or special guide for WP sites running NGINX?
Dimitar Ivanov
Dimitar Ivanov November 6, 2017 at 12:17 pm
@Justin,

To use this plugin on Nginx web servers you can activate the PHP-mode. Although this mode does not provide the full capabilities as the Apache-mode does, you are still able to benefit from most essential features.
However, I have a plan for next release to support Nginx throughout a configuration file in the same manner as .htaccess for Apache.
Frankie
Frankie November 19, 2017 at 08:46 am
In my WP dashboard, the plugin info says "Compatible up to: 4.9". The info on this page says "compatible up to WordPress 4.8.1".
Dimitar Ivanov
Dimitar Ivanov November 19, 2017 at 08:58 am
@Frankie,

I forgot to update this blog post. It's fixed now. Thanks
Vibhi
Vibhi November 26, 2017 at 10:51 am
What is The best Setting for Http Cache and compression
and can You tell me how can i also show Add To Home Notification in wordpress
star collon
star collon January 4, 2018 at 09:05 am
Thanks for great plugin

How can i disable Xframe for allow on particular site
eg

if i want to show my site in iframe in other domain usually Xframe will not show the site but if i want to allow my site to be shown in example2. com

How can i achieve that
Jordi
Jordi February 18, 2018 at 15:05 pm
Is this compatible with wordfence or are then any other known incompatibilities? I've installed the plugin and activated some headers but they don't show up in my .htaccess or on securityheader.io
Dimitar Ivanov
Dimitar Ivanov February 18, 2018 at 16:57 pm
@Jordi,
The only reason for such an incompatibility may be the use of my plugin in a "PHP" mode. To change this go to the "Advanced settings" and select the "Apache" mode.

Leave a comment

Captcha