WordPress powers over 29.3 percent of the entire internet, so it’s no surprise websites using WordPress are a common target for hackers. While the WordPress Security Team does a fantastic job staying on top of vulnerabilities, there are numerous other precautions that can be taken. One example is Secure HTTP response headers.

What Are HTTP Response Headers?

When you access a website, the browser makes a request to a web server. The server then responds with the request along with “response headers”. These headers pass information such as cache-control, content-encoding, content-type, connection, date, etc.

Adding secure HTTP response headers provides an additional layer of security by helping to mitigate attacks and security vulnerabilities. These headers can be added at the server level in Apache, NGINX, and others. The issue is that many times access to the files will be restricted by the hosting company or beyond a persons technical comfort zone.

On this site, I’m adding the secure headers via the WordPress functions.php file as follows:

I can also add those secure header via .htaccess file as following:

At a very basic level, here is what each of these responses are doing:

  • Strict-Transport-Security enforces the use of HTTPS. This is important because it protects against passive eavesdropper and man-in-the-middle (MITM) attacks.
  • X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via  <frame><iframe> or  <object>.
  • Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
  • X-Content-Security-Policy is required for CSP support in IE 10 and IE 11. For other modern browsers the Content-Security-Policy header should be used.
  • X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input.
  • X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
  • Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.

If you want to dig in a bit deeper and learn more, SecurityHeaders.io is a great place to start.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.