Security HTTP Headers

It is common to send information to the browser of the user visiting our page so that it can perform certain tasks; we should also tell it what it may and may not do in terms of security.

We can do this by adding security headers to our WordPress site, either in the configuration of the web server (Apache HTTPD or NGINX) or with a plugin.

Here we look at some of these headers: what they are for and how they are used. One warning before starting: most of them take an exact token (or a comma-separated list of tokens) and nothing else. A stray trailing semicolon, as in "sameorigin;", makes the value unrecognised and the browser silently ignores the header, so check what your site actually sends with curl -I or the Network tab of the browser's developer tools instead of trusting the configuration file.

Strict-Transport-Security (HSTS)

Defined in RFC 6797, HSTS is a header that tells the browser it must always use HTTPS on this site and never plain HTTP. Once the browser has seen the header (it is only accepted on responses received over HTTPS), it rewrites any http:// URL for the site to https:// before sending the request, so no plaintext request ever leaves the browser, and it refuses to let the user click through certificate errors on the site.

We must indicate how long the browser has to remember that the site must be visited over HTTPS (max-age, in seconds). We can also tell it whether the subdomains of the site must follow the same rule (includeSubDomains) and whether we intend to submit the site to the preload list built into browsers (preload).

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

With this we say that for one year (31536000 seconds) the browser has to use HTTPS on the site and on all its subdomains. Bear in mind that includeSubDomains covers every subdomain, including internal ones that may not have a valid certificate yet, so test before deploying: once browsers have cached the policy there is no quick way back, and removal from the preload list takes months.

You can check whether HSTS is being served correctly, and whether the site meets the requirements for the preload list, with the hstspreload.org tool.

X-Frame-Options (XFO)

Defined in RFC 7034, XFO tells the browser whether this page may be embedded by another page inside <frame>, <iframe>, <embed> or <object> tags, which is the basis of clickjacking attacks.

It basically accepts two values: DENY or SAMEORIGIN. With the first the page is never framed; with the second it can only be framed by pages from the same origin. If you do not send the header, the page can be framed from anywhere. (The old ALLOW-FROM value is no longer supported by current browsers; the CSP directive frame-ancestors replaces XFO and allows a list of origins.)

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

With this header we stop the browser from "sniffing" the content and treating a file as a different type from the one declared in Content-Type. With nosniff, a file referenced from a <script> tag is only executed if it is served with a JavaScript MIME type, a <style> is only applied if it is text/css, and an HTML, TXT, XML, JSON or SVG response is not reinterpreted as something executable. This requires the web server to send the correct Content-Type for each file: with a wrong type, nosniff makes the browser block the resource instead of guessing.

X-Content-Type-Options: nosniff

Content-Security-Policy (CSP)

This is surely the most complex header to configure, both in what it means and in the number of options it includes.

With this header we tell the browser which resources it may load for a page (scripts, styles, images, fonts, frames, connections), which allows us to block the loading of external elements or uncontrolled sites and, when inline scripts are not allowed, most injected JavaScript (XSS) as well.

Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none';

The list of directives is quite extensive and allows you to decide on the loading of scripts, fonts, media, styles and even workers. Note that the policy above allows any https: source plus inline scripts and eval, so it blocks plugins (object-src 'none') and plain-HTTP loads but gives practically no protection against XSS; a stronger policy replaces 'unsafe-inline' with a per-request nonce or a hash and drops 'unsafe-eval', which on a WordPress site means finding out which themes and plugins inject inline scripts.

Before enforcing it, it is highly recommended to deploy the policy first as Content-Security-Policy-Report-Only: violations are reported in the browser console (and to the endpoint named in report-uri or report-to, if you set one) without blocking anything for the user.

Once all the external calls have been identified and added to the policy, the same value can be moved to the normal Content-Security-Policy header.
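Added example (not code from the original article): a Python helper that parses a CSP value, applies the fallback rules a browser uses (script-src falls back to default-src, a nonce or hash makes 'unsafe-inline' ignored, 'strict-dynamic' makes host and scheme sources ignored) and lists the weaknesses of a policy, together with a builder for a nonce-based policy and the Report-Only variant used during rollout. The finding texts, the /csp-report endpoint and the strict policy are my assumptions; the sample policy it is run against is the example header from this article.

```python
import secrets
from typing import Dict, List, Tuple


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directives are ';'-separated. A repeated directive is ignored by
    browsers (the first occurrence wins), which setdefault mirrors.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def csp_findings(policy: str) -> List[str]:
    """Weaknesses of a policy, evaluated the way a browser would apply it."""
    d = parse_csp(policy)
    findings: List[str] = []

    # Scripts: script-src falls back to default-src; with neither, any script is allowed.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("scripts: neither script-src nor default-src is set, any script URL is allowed")
    else:
        low = [s.lower() for s in script]
        has_nonce_or_hash = any(s.startswith(_NONCE_OR_HASH) for s in low)
        # CSP level 2+: a nonce or hash in the list makes the browser ignore 'unsafe-inline'.
        if "'unsafe-inline'" in low and not has_nonce_or_hash:
            findings.append("scripts: 'unsafe-inline' without a nonce or hash lets injected <script> run")
        if "'unsafe-eval'" in low:
            findings.append("scripts: 'unsafe-eval' allows eval() and new Function() on attacker-controlled strings")
        # CSP level 3: 'strict-dynamic' makes the browser ignore host and scheme sources.
        broad = [s for s in low if s in ("*", "https:", "http:") or s.startswith("*.")]
        if broad and "'strict-dynamic'" not in low:
            findings.append("scripts: %s allows scripts from any matching host, including ones an attacker controls"
                            % " ".join(broad))

    # Plugins: object-src also falls back to default-src.
    obj = d.get("object-src", d.get("default-src"))
    if obj is None or "'none'" not in [s.lower() for s in obj]:
        findings.append("object-src: not 'none', <object>/<embed> content can be injected")

    # base-uri has no fallback: without it an injected <base> tag retargets relative script URLs.
    if "base-uri" not in d:
        findings.append("base-uri: missing")
    return findings


def new_nonce() -> str:
    """Fresh, unguessable nonce: generate one per response and put it in every <script nonce=...>."""
    return secrets.token_urlsafe(16)


def strict_csp(nonce: str) -> str:
    """Nonce-based policy. 'unsafe-inline' and https: are fallbacks for old
    browsers; browsers that understand nonces and 'strict-dynamic' ignore them."""
    return ("script-src 'nonce-%s' 'strict-dynamic' https: 'unsafe-inline'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'self'" % nonce)


def csp_header(nonce: str, enforce: bool) -> Tuple[str, str]:
    """Header name and value: Report-Only while auditing, enforcing afterwards.
    /csp-report is a hypothetical collector endpoint."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, strict_csp(nonce) + "; report-uri /csp-report"


# The example policy from the article, for comparison with the nonce-based one.
ARTICLE_POLICY = "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none';"

if __name__ == "__main__":
    for label, value in (("article", ARTICLE_POLICY), ("strict", strict_csp(new_nonce()))):
        print(label, csp_findings(value) or ["no findings"])
```

The checker is deliberately conservative: it only reports a directive as weak when the browser would actually use it that way, so a policy that carries both a nonce and 'unsafe-inline' (the usual compatibility pattern) is not flagged.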

X-XSS-Protection

If you don't use CSP yet, this header used to be the fallback: it controls the reflected-XSS filter built into older browsers (Internet Explorer, the old Edge and Chrome), which blocked the page when it saw script from the request reflected in the response. Chrome and Edge have since removed that filter and Firefox never had one, so today it only matters for Safari. If you send it, use mode=block: the default mode, which tries to "sanitise" the page instead of blocking it, was itself abused to leak information, which is why several current guides recommend sending the value 0 and relying on CSP.

X-XSS-Protection: 1; mode=block

X-Permitted-Cross-Domain-Policies

This header only concerns Adobe Flash Player and Adobe Acrobat: it indicates whether those clients may honour cross-domain policy files (crossdomain.xml) published on the site, which would let Flash content on other sites read our data with the user's cookies. Flash is no longer distributed, but the header is still worth sending with the value none, so that no policy file is accepted anywhere on the domain; it matters most if a significant part of your visitors still use very old browsers or you still use Flash for something.

X-Permitted-Cross-Domain-Policies: none

Referrer-Policy

With this header we indicate what referrer information the browser sends with requests that leave our page. A very common case is traffic attribution in Google Analytics, where the destination site can see from which of our pages the visitor arrived.

There are several options for this policy, and the choice depends on how much information you want to give to other tools versus what you want to keep private: a full URL can contain search terms, tokens or user identifiers.

Referrer-Policy: strict-origin-when-cross-origin

The value may also be a comma-separated list of policies for older browsers: each token the browser recognises overrides the earlier ones, so the newest (or strictest) option goes last, as in "no-referrer, strict-origin-when-cross-origin". An unrecognised token, for example one with a trailing semicolon, is skipped. When no valid policy is set, current browsers apply strict-origin-when-cross-origin.

What is sent for each policy ("full URL" is the page URL without fragment or credentials, "origin" is scheme and host only):

Policy                             Same origin   Cross-origin https → https   Cross-origin https → http
no-referrer                        nothing       nothing                      nothing
no-referrer-when-downgrade         full URL      full URL                     nothing
origin                             origin        origin                       origin
origin-when-cross-origin           full URL      origin                       origin
same-origin                        full URL      nothing                      nothing
strict-origin                      origin        origin                       nothing
strict-origin-when-cross-origin    full URL      origin                       nothing
unsafe-url                         full URL      full URL                     full URL
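Added example (not code from the original article): a Python function that applies the table above to a concrete source and destination URL, plus the rule browsers use to pick a policy from a comma-separated Referrer-Policy value (the last token they recognise wins, unrecognised tokens are skipped, and nothing valid means the browser default). The sample URLs are constructed for the demo.

```python
from typing import Optional
from urllib.parse import urlsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
DEFAULT_POLICY = "strict-origin-when-cross-origin"  # applied when nothing valid is set
_DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_policy(header_value: str) -> str:
    """Policy a browser applies from a Referrer-Policy header value.

    The value may be a comma-separated fallback list: each recognised token
    overrides the earlier ones and unknown tokens (including ones with a
    stray ';') are skipped.
    """
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen or DEFAULT_POLICY


def _host_port(p) -> str:
    """Lower-cased host, plus the port only when it is not the scheme default."""
    host = (p.hostname or "").lower()
    if p.port and p.port != _DEFAULT_PORTS.get(p.scheme.lower()):
        host += ":%d" % p.port
    return host


def origin_of(url: str) -> str:
    """scheme://host[:port]; no credentials, path, query or fragment."""
    p = urlsplit(url)
    return "%s://%s" % (p.scheme.lower(), _host_port(p))


def full_referrer(url: str) -> str:
    """The 'full URL' form: credentials and the fragment are never sent as referrer."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=_host_port(p),
                      path=p.path or "/", fragment="").geturl()


def referrer_for(policy: str, source: str, destination: str) -> Optional[str]:
    """Referer value sent for a request from `source` to `destination`; None means nothing is sent."""
    same_origin = origin_of(source) == origin_of(destination)
    # A downgrade is a request from a TLS-protected page to a plaintext one.
    downgrade = (urlsplit(source).scheme.lower() == "https"
                 and urlsplit(destination).scheme.lower() == "http")
    full = full_referrer(source)
    origin = origin_of(source) + "/"  # an origin referrer is sent with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError("unknown policy: %s" % policy)


if __name__ == "__main__":
    src = "https://www.wpsysadmin.com/post?id=1#comments"  # constructed sample page
    for dst in ("https://www.wpsysadmin.com/other", "https://example.com/", "http://example.com/"):
        for pol in sorted(POLICIES):
            print("%-32s -> %-36s %s" % (pol, dst, referrer_for(pol, src, dst)))
```

Running it shows why the article's original list "strict-origin-when-cross-origin, origin-when-cross-origin" is weaker than it looks: the second token wins and sends our origin even on a downgrade to plain HTTP.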

Cross-Origin-Resource-Policy (CORP)

This header tells the browser which origins may load a given resource of ours (an image, script, font or media file requested from a plain <img>, <script> or similar tag, without CORS); it is a simple defence against cross-origin attacks that read our responses, such as Spectre-style side channels and cross-site script inclusion.

Its counterpart on the other side is Access-Control-Allow-Origin, which decides whether a script on another site is allowed to read a response it requested with CORS; CORP covers the loads that tags make on their own, without asking for permission.

Cross-Origin-Resource-Policy: same-origin

If your site returns this value with a resource, other sites can no longer embed that resource (same-site also allows our own subdomains; cross-origin allows anyone). It is a per-resource setting: apply it to assets you do not want hot-linked, and not to things that must be embedded elsewhere, such as a feed or the images used by oEmbed.

Access-Control-Allow-Origin

With this header we indicate which origins may read our responses from JavaScript (fetch or XMLHttpRequest) on another site. It does not stop a third-party page from showing one of our images with an <img> tag (that is what CORP is for), but it does stop a script on another site from reading, for example, our REST API responses with the visitor's cookies. Send it only to the origins that need it: a single exact origin (the browser compares it byte for byte, so no trailing slash or semicolon), or * for public data, and never * together with Access-Control-Allow-Credentials: true, which browsers reject.

Access-Control-Allow-Origin: https://www.wpsysadmin.com

Cross-Origin-Opener-Policy (COOP)

This header isolates our window from windows of other origins. With same-origin, when a page from a different origin opens ours in a popup (or we open one from ours), the two windows lose the reference to each other: window.opener becomes null on our side and the opener loses its handle to us, which prevents tab-nabbing and cross-window leaks. A typical case is a link that opens a PDF or a payment page in a new window outside our site: with COOP that window can no longer reach back into ours. same-origin-allow-popups keeps the reference for popups we open ourselves, which some OAuth and payment flows need.

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Embedder-Policy (COEP)

This header decides whether the page may load cross-origin content that has not explicitly opted in. With require-corp, every cross-origin resource must either be served with a Cross-Origin-Resource-Policy value that allows us or be requested with CORS (the crossorigin attribute plus Access-Control-Allow-Origin). A common example is an image hosted on a domain other than our own: with require-corp it is blocked unless that domain sends CORP or CORS headers, so on a WordPress site with external images, fonts or embeds this header breaks content quickly; the newer value credentialless (supported in Chromium and recent Firefox) loads such resources without cookies instead of blocking them.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Sent together, these two values put the page in the "cross-origin isolated" state that browsers require before enabling SharedArrayBuffer and high-resolution timers.

Permissions-Policy

Although not yet supported by all browsers, with this header we tell the browser which features the page (and the frames it embeds) may use, for example the camera, the microphone, geolocation or battery information. Note the syntax: Permissions-Policy uses feature=(allowlist) pairs separated by commas, with self unquoted and origins in double quotes, whereas the older Feature-Policy header used "feature 'self' https://..." entries separated by semicolons.

Permissions-Policy: geolocation=(self "https://example.com"), camera=*, microphone=()

This allows geolocation for our own origin and for example.com, the camera for any origin (including embedded frames, which is rarely what you want), and the microphone for nobody.

X-Download-Options

Although this header was created specifically for Internet Explorer 8 and later, and only Internet Explorer honours it, it is still useful when serving file downloads.

If you have a download system on your site, you may want to prevent the downloaded file from being opened directly in the browser and force it to be saved to disk (so that, for example, the antivirus can fully scan it, and so that an HTML or SVG file uploaded by someone else is never rendered under our origin). noopen removes the "Open" button from the Internet Explorer download dialog; Content-Disposition: attachment is the part every browser understands, and the filename should come from our own code, never unfiltered from user input.

X-Download-Options: noopen
Content-Disposition: attachment; filename="inseguro.html"
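Added example (not code from the original article): a Python audit of the single-value headers described above (HSTS, X-Frame-Options, X-Content-Type-Options, X-Permitted-Cross-Domain-Policies, CORP, COOP, COEP, Access-Control-Allow-Origin and X-Download-Options) that checks each value the way the client parses it, so a value that would be silently ignored, such as one ending in a stray semicolon, shows up as a finding. Both sample header sets are constructed: the first reproduces the article's example values as originally written, the second the corrected ones; the finding texts and the one-year threshold are my choices.

```python
import re
from typing import Dict, List, Optional

# Exact values the specs accept for the single-token headers covered on this page.
# Anything else, including a value with a stray trailing ';', is silently ignored.
TOKEN_HEADERS = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "cross-origin-resource-policy": {"same-origin", "same-site", "cross-origin"},
    "x-permitted-cross-domain-policies": {"none", "master-only", "by-content-type", "by-ftp-filename", "all"},
    "x-download-options": {"noopen"},
}
# Structured-header fields: one token, optionally followed by '; key=value' parameters
# such as report-to="default". A dangling ';' is a parse error and the policy is dropped.
PARAM_HEADERS = {
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp", "credentialless"},
}
ONE_YEAR = 31536000
ORIGIN_RE = re.compile(r"https?://[a-z0-9.-]+(:\d+)?", re.IGNORECASE)  # scheme://host[:port], nothing else


def parse_hsts(value: str) -> Optional[dict]:
    """RFC 6797 section 6.1: ';'-separated directives with case-insensitive names;
    max-age is required, and a directive that appears twice makes the browser
    ignore the whole header. Empty directives (a trailing ';') are permitted."""
    seen: Dict[str, str] = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen[name] = val.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for one response's headers (names are matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    for name, allowed in TOKEN_HEADERS.items():
        if name in h and h[name].lower() not in allowed:
            findings.append("%s: '%s' is not one of %s, the client ignores it" % (name, h[name], sorted(allowed)))

    for name, allowed in PARAM_HEADERS.items():
        if name in h:
            token, *params = [p.strip() for p in h[name].split(";")]
            if token.lower() not in allowed or any("=" not in p for p in params):
                findings.append("%s: '%s' does not parse, the browser falls back to unsafe-none" % (name, h[name]))

    if "strict-transport-security" in h:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts is None:
            findings.append("strict-transport-security: malformed, header ignored")
        else:
            if hsts["max_age"] < ONE_YEAR:
                findings.append("strict-transport-security: max-age %d is below one year" % hsts["max_age"])
            if hsts["preload"] and not hsts["include_subdomains"]:
                findings.append("strict-transport-security: preload requires includeSubDomains")

    acao = h.get("access-control-allow-origin")
    if acao is not None:
        credentials = h.get("access-control-allow-credentials", "").lower() == "true"
        if acao == "*" and credentials:
            findings.append("access-control-allow-origin: '*' is rejected when credentials are allowed")
        elif acao == "null":
            findings.append("access-control-allow-origin: 'null' also matches sandboxed frames and data: URLs")
        elif acao != "*" and not ORIGIN_RE.fullmatch(acao):
            findings.append("access-control-allow-origin: '%s' is not a single serialized origin, the CORS check fails" % acao)
    return findings


# Constructed sample: the article's example values as first written, with trailing ';'
ARTICLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload;",
    "X-Frame-Options": "sameorigin;",
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Resource-Policy": "same-origin;",
    "Cross-Origin-Opener-Policy": "same-origin;",
    "Cross-Origin-Embedder-Policy": "require-corp;",
    "Access-Control-Allow-Origin": "https://www.wpsysadmin.com;",
    "X-Permitted-Cross-Domain-Policies": "none;",
}
# Constructed sample: the corrected values
FIXED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Opener-Policy": 'same-origin; report-to="default"',
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Access-Control-Allow-Origin": "https://www.wpsysadmin.com",
    "X-Permitted-Cross-Domain-Policies": "none",
}

if __name__ == "__main__":
    for label, hdrs in (("article", ARTICLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Feed it the headers of a real response (for example parsed from curl -I output, or the response object of your framework) rather than the configuration file: what matters is what the server emits after every plugin and rewrite rule has run. HSTS being served only over HTTPS cannot be checked from the value alone, so test that separately.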

About this document

This document is licensed under the EUPL v1.2, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in a presentation or in any material you distribute, please remember to credit this site or its author, and publish the material you create under the EUPL licence as well.