HTTP Headers for Security - How to change HTTP headers in WordPress

Do you want to set HTTP security headers in WordPress? (X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security)

After the last workshop about security I wanted to check how to use that knowledge in a live project.

To check how it works I tried two scenarios:

  1. https://developer.wordpress.com/docs/tutorials/add-http-headers/ - changing HTTP headers using the custom-redirects.php file

  2. https://docs.wpvip.com/infrastructure/http-headers/ - changing HTTP headers using the functions.php file

None of them worked on my side…

But finally I found a plugin: https://wordpress.org/plugins/http-headers/

How to check HTTP Headers

To check the HTTP headers that matter for security, it's good to use this website:

https://securityheaders.com

The website gives you information about the security headers used by a domain.

Starting point for piotr-sikora.com

Below you can see that the scan of my website looked like one big red flag.

Additionally I wanted to be sure that my headers are available, so I created a short Jupyter Notebook in Python:

import requests

url = "https://piotr-sikora.com"

response = requests.get(url)

# Print all headers
for header in response.headers:
    print(header, ":", response.headers[header])
    # print(header)

After running this code, here is the list of my headers:

Server : nginx
Date : Sun, 01 Sep 2024 14:39:16 GMT
Content-Type : text/html; charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
X-Powered-By : PHP/8.1.29
Link : <https://piotr-sikora.com/wp-json/>; rel="https://api.w.org/"

Check if securityheaders.com has proper HTTP Headers

The shoemaker's son always goes barefoot, so… let's check if the website itself has all HTTP headers set as well:

… and let's treat it as the goal for my website.

Installation of HTTP Headers plugin and configuration

First of all I installed the WP plugin:

https://wordpress.org/plugins/http-headers/

After checking the report, I began changing the appropriate headers step by step. You can see the settings in the plugin:

After that I entered the first link - SECURITY:

Each listed header has a set of options ready to use. To access them, click 'Edit' at the end of the line. For example, the X-Frame-Options header:

X-XSS-Protection header:

Final result - Score B

After all the changes possible with the HTTP Headers WordPress plugin, the report from securityheaders.com:

And from Jupyter Notebook script:

Server : nginx
Date : Sun, 01 Sep 2024 15:26:25 GMT
Content-Type : text/html; charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
X-Frame-Options : SAMEORIGIN
X-XSS-Protection : 1; mode=block
Strict-Transport-Security : max-age=2592000
Content-Security-Policy : default-src https:; script-src https:; style-src https:; img-src https:; connect-src https:; font-src https:; media-src https:; report-uri https:; child-src https:; form-action https:; frame-ancestors https:; object-src https:; frame-src https:; worker-src https:; manifest-src https:; navigate-to https:; prefetch-src https:; base-uri https:
Referrer-Policy : same-origin
Permissions-Policy : autoplay=()
X-Powered-By : PHP/8.1.29
Link : <https://piotr-sikora.com/wp-json/>; rel="https://api.w.org/"
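Printing the headers, as the notebook above does, still leaves you reading the list by eye. The following is an added example (not the post's notebook and not part of the plugin) that audits a header mapping against the headers this post sets and reports what is missing or weak; the one-year HSTS floor, the accepted Referrer-Policy values and the sample dicts built from the two outputs above are assumptions of the example.

```python
import re

# Minimum HSTS max-age this example accepts: one year, the commonly recommended floor
# (an assumption of the example; the post's plugin default above is 2592000 s = 30 days).
HSTS_MIN_AGE = 31536000


def _hsts_ok(value):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= HSTS_MIN_AGE


# The headers the post sets, each with a predicate saying whether its value is sound.
REQUIRED = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: v.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
    "permissions-policy": lambda v: bool(v.strip()),
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()) and "'unsafe-inline'" not in v,
}
LEAKY = ("server", "x-powered-by")   # software/version disclosure; better removed
DEPRECATED = ("x-xss-protection",)   # ignored by current browsers; harmless but useless


def audit_headers(headers):
    """Return (missing, weak, noisy) for any mapping of response header names to values."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    missing = [n for n in REQUIRED if n not in h]
    weak = [n for n, ok in REQUIRED.items() if n in h and not ok(h[n])]
    noisy = [n for n in LEAKY + DEPRECATED if n in h]
    return missing, weak, noisy


def audit_url(url):
    """Live variant of the post's notebook: fetch the page and audit its headers."""
    import requests  # imported here so the offline part of the example runs without it
    return audit_headers(requests.get(url, timeout=10).headers)


# Constructed from the two notebook outputs in the post (long values shortened).
BEFORE = {"Server": "nginx", "Content-Type": "text/html; charset=UTF-8",
          "X-Powered-By": "PHP/8.1.29"}
AFTER = dict(BEFORE, **{
    "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=2592000", "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src https:; script-src https:; frame-ancestors https:",
    "Permissions-Policy": "autoplay=()"})

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
```

Run against the "after" output it still reports X-Content-Type-Options as missing and the 30-day HSTS max-age as weak, which is the kind of gap a by-eye read of the header list easily misses.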
