HTTP Security Headers

Content-Security-Policy (CSP)

The Content-Security-Policy (CSP) header lets a site control which resources a user agent (typically a browser) may load for a given page, and from which sources. By explicitly allowlisting sources, CSP mitigates Cross-Site Scripting (XSS) and other content-injection attacks; a policy that allows 'unsafe-inline' for scripts gives up most of that benefit.

Common Issues and How to Fix Them

  • Warning: When CSP blocks a resource, the browser’s devtools console logs messages like:
    • “The page’s settings blocked the loading of a resource.”
    • “A violation occurred for a report-only CSP policy.” (logged by Content-Security-Policy-Report-Only, which reports violations without blocking anything)
  • Fix: Review your CSP configuration and ensure that it doesn’t inadvertently block resources the page legitimately needs; roll a new policy out as Content-Security-Policy-Report-Only first and enforce it only once the reports are clean. For clickjacking protection, use the frame-ancestors directive, which supersedes X-Frame-Options in browsers that support CSP Level 2 (when both are present, frame-ancestors wins); keep X-Frame-Options only as a fallback for older browsers.

Strict-Transport-Security Header (HSTS)

The HSTS header tells browsers that a site must only be accessed over HTTPS. Once a browser has seen the header, it rewrites any http:// request for that host to https:// before sending it, so the insecure request never leaves the browser. This defeats man-in-the-middle attacks such as SSL stripping on later visits; the very first visit, before the header has been seen, is protected only if the site is on the browsers’ preload list.

Directives

  • max-age=<seconds>: How long the browser should remember to use HTTPS only for this host.
  • includeSubDomains: Applies the rule to all subdomains of the host as well.
  • preload: Signals consent to inclusion in the browsers’ built-in preload list.

Preloading HSTS into Chrome

  • To be eligible for the preload list (maintained by Chrome and also used by Firefox, Safari and Edge), serve the header: Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload.
  • Ensure that max-age is at least 1 year (31536000 seconds) and that both includeSubDomains and preload are present; the site must also redirect HTTP to HTTPS on the same host and serve a valid certificate.
  • The header alone does not add the site; submit the domain at hstspreload.org. Removal from the list takes months to reach users, so confirm that every subdomain can serve HTTPS before submitting.

X-Content-Type-Options

The X-Content-Type-Options header disables MIME type sniffing: the browser must honour the MIME type declared in the Content-Type header rather than guessing one from the content of the response.

Usage

  • Set the header to nosniff. The browser then refuses to execute a script or apply a stylesheet whose response does not carry a JavaScript or text/css MIME type respectively (e.g., a user upload served as text/plain can no longer be sniffed into a script).

X-Frame-Options

The X-Frame-Options header controls whether a browser can render a page within a frame or iframe. It prevents clickjacking attacks by ensuring that content isn’t embedded into other sites.

Directives

  • DENY: Blocks framing from any site, including the site itself.
  • SAMEORIGIN: Allows framing only if the framing page has the same origin as the page being framed.

Referrer-Policy

The Referrer-Policy header controls how much referrer information (sent via the Referer header) should be included with requests.

Recommendation

  • Use strict-origin-when-cross-origin (the default in current browsers): same-origin requests carry the full URL, cross-origin requests carry only the origin, and nothing is sent when navigating from HTTPS to HTTP.

The rest of this page covers implementing these headers on a WordPress site, either through a service that sits in front of the site (Sucuri, Cloudflare) or by modifying the .htaccess file directly.

Implementing Security Headers in WordPress

Using Sucuri

  1. Sign Up for Sucuri:
  • Create an account on Sucuri.
  • Install the Sucuri plugin on your WordPress site.
  2. Configure Sucuri:
  • In the Sucuri plugin settings, enter your Firewall API key.
  • Choose the desired set of rules for HTTP security headers.
  • Save the changes.

Using Cloudflare

Set Up Cloudflare:

  • Sign up for a Cloudflare account.
  • Add your domain to Cloudflare and configure DNS settings.

Configure Security Headers:

  • In your Cloudflare dashboard, enable HSTS under SSL/TLS > Edge Certificates. Cloudflare then adds the header at the edge; choose max-age and includeSubDomains deliberately, because the edge will enforce them for every subdomain proxied through Cloudflare.
  • For the other headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP), create a Response Header Modification rule under Rules > Transform Rules. Page Rules cannot add response headers.

Modifying .htaccess File

Access .htaccess:

  • Log in to your hosting account via SFTP or cPanel’s File Manager.
  • Locate the .htaccess file in your site’s root directory.

Add Security Headers:

  • Open the .htaccess file for editing.
  • Add the following code snippet to enable specific security headers (Apache with mod_headers; on Nginx or other servers use the equivalent directives):

# Requires mod_headers (a2enmod headers). "always" also applies the header to
# error responses such as 404s, which a plain "Header set" skips.
<IfModule mod_headers.c>
    # X-XSS-Protection: the browser XSS filter has been removed from Chrome and
    # Edge and never existed in Firefox; "1; mode=block" could be abused for
    # cross-site leaks, so explicitly disable it rather than enable it.
    Header always set X-XSS-Protection "0"

    # X-Frame-Options: only same-origin pages may frame this site (clickjacking)
    Header always set X-Frame-Options "SAMEORIGIN"

    # X-Content-Type-Options: browser must honour the declared Content-Type
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

Save Changes:

  • Save the modified .htaccess file.

Checking Security Headers

Tool

You can assess your site’s security headers using securityheaders.com.
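As an added example that is not part of the original page and is not securityheaders.com’s own code, the following Python script performs an offline version of that assessment: it parses a response’s headers and reports deviations from the recommendations in the sections above (HSTS max-age and preload requirements, a CSP that allows 'unsafe-inline' for scripts, clickjacking protection via frame-ancestors or X-Frame-Options, nosniff, a Referrer-Policy that leaks full URLs, and an enabled X-XSS-Protection). The two header sets at the bottom are constructed samples: HTACCESS_ONLY is what the .htaccess snippet above produces on its own, HARDENED is a set that follows every recommendation. fetch_headers() is an assumed convenience for running the audit against a live URL and needs network access.

```python
"""Offline audit of HTTP security headers (added example, not the page's own tool)."""
from __future__ import annotations

import urllib.request

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age for the preload list


def parse_directives(value: str) -> dict[str, str]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are lower-cased; valueless directives map to ''."""
    out: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a CSP into {directive: [source expressions]}."""
    out: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for a response's headers; [] means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is below one year ({ONE_YEAR} seconds)")
        if "preload" in d and "includesubdomains" not in d:
            findings.append("HSTS: preload requires includeSubDomains")

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("CSP: Content-Security-Policy header missing")
    else:
        # script-src falls back to default-src when it is absent
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP: scripts allow 'unsafe-inline', which leaves XSS unmitigated")

    # frame-ancestors takes precedence; X-Frame-Options is the fallback
    xfo = h.get("x-frame-options", "").strip().upper()
    if not (csp and "frame-ancestors" in csp) and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(
            "Clickjacking: set CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN"
            + (f" (current value {xfo!r} is ignored by browsers)" if xfo else "")
        )

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("Referrer-Policy: header missing")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy: {rp} sends the full URL to other origins")

    if h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append("X-XSS-Protection: '1' re-enables a filter browsers have removed; send '0' or drop it")

    return findings


def fetch_headers(url: str) -> dict[str, str]:
    """Assumed helper: fetch the final response's headers for url (follows redirects; needs network)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample: what the .htaccess snippet above produces on its own.
HTACCESS_ONLY = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a set that follows every recommendation above.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else HTACCESS_ONLY
    for finding in audit(headers) or ["all checks passed"]:
        print(finding)
```

Run it with no arguments to audit the constructed sample, or with a URL to audit a live site. Against HTACCESS_ONLY it reports four findings (no HSTS, no CSP, no Referrer-Policy, and X-XSS-Protection enabled); against HARDENED it reports none. The parser deliberately keeps the CSP source expressions verbatim, so a policy that hides 'unsafe-inline' behind default-src is still caught.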

Conclusion

By implementing these security headers, you’ll enhance your WordPress site’s resilience against common threats. Remember to tailor the headers to your specific needs and stay informed about evolving security practices.

