6 important HTTP Security Headers for web security


What are HTTP Security Headers?

HTTP security headers are response headers that stop the browser, and the page it is rendering, from executing injected malicious code. That is, they protect both you and your site's visitors in case the web application has malicious code injected into a page.

HTTP security headers are sent directly by the web server, for example Apache, Microsoft IIS, and so on. Take, for instance, a page into which a malicious iframe has been injected. When the server serves that page to a visitor, it sends it along with some HTTP security headers. If the right kind of security header is present (X-Frame-Options), it will stop the visitor's browser from displaying that malicious iframe.

[Figure: example HTTP security header response]

Check your HTTP security headers


Check with Astra’s Security Scanner

If you would rather not inspect security headers by hand, the process can be automated. To automatically check your WordPress site for the recommended security headers, use the free tool provided by Astra. To do so, follow these steps:

Visit this link and enter your domain name in the Scan option.

Besides checking security headers, this tool can run 40+ other security tests as well. These tests include:

  • Google Safe Browsing
  • Content Security Policy
  • Header Security
  • Cookie Security
  • CORS Tests
  • HTTPS Security

You can also use this tool to check your site for malware and SEO spam.

The most important recommended HTTP security headers for WordPress are as follows:

HTTP Strict Transport Security (HSTS)

This security header ensures that all data is exchanged only over the HTTPS protocol. It works by instructing browsers to communicate over HTTPS rather than HTTP.

To implement this recommended security header on a WordPress site, follow these steps:

For Nginx: Open the nginx.conf file. Add the following line to it and save:

add_header Strict-Transport-Security "max-age=31536000" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
	# <VirtualHost> blocks are not permitted in .htaccess; mod_headers is all that is needed here.
	# "always" adds the header to error responses as well as successful ones.
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

X-Frame-Options

Clickjacking is a type of malicious attack in which the user is tricked into clicking on a transparent iframe, which then triggers certain actions on the site. The X-Frame-Options security header works by blocking that transparent iframe.

Add this recommended HTTP security header to your WordPress site as follows:

For Nginx: Open the nginx.conf file. Add the following line to it and save:

add_header X-Frame-Options "SAMEORIGIN" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
	# "set" replaces any existing value; "append" would produce "SAMEORIGIN, SAMEORIGIN",
	# which browsers reject as an invalid X-Frame-Options value.
	Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

X-XSS-Protection

Cross-site scripting is an attack in which an attacker tricks your browser into executing malicious JavaScript. This is one of the recommended WordPress security headers; it works by blocking the malicious code from stealing your session cookie. It uses various filters to determine whether the code is malicious.

You can add X-XSS-Protection to your WordPress site by following these steps:

For Nginx: Open the nginx.conf file. Add the following line to it and save:

add_header X-XSS-Protection "1; mode=block" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
</IfModule>

X-Content-Type-Options

It is quite possible that an attacker has uploaded a text file containing malicious HTML code. It may look like a harmless text file, but your browser will automatically detect it as HTML and run the code. This security header therefore works by preventing your browser from interpreting the file as anything other than its declared content type.

To add this recommended security header to a WordPress site, do as follows:

For Nginx: Open the nginx.conf file. Add the following line to it and save:

add_header X-Content-Type-Options "nosniff" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
	Header set X-Content-Type-Options nosniff
</IfModule>

Referrer-Policy

The Referer header carries information about the page a user was on when navigating to the current link. This can be abused by an attacker or a third party to track the user. To protect users' privacy, this is one of the recommended WordPress security headers that comes in handy.

Add this recommended security header to a WordPress site as follows:

For Nginx: Open the nginx.conf file. Add the following line to it and save:

add_header Referrer-Policy "no-referrer";

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
        # no-referrer-when-downgrade still sends the Referer to HTTPS destinations;
        # "no-referrer" (as in the Nginx line above) is the strictest setting.
        Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

Content Security Policy

The Content-Security-Policy header essentially tells your browser to load resources only from specific origins. It is good practice to implement this recommended security header in WordPress, as it can block the execution of malicious code from other origins.

Harden your site with a content security policy as follows:

For Nginx: Open the nginx.conf file. Add the following line to it and save:

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";

For Apache: Open the .htaccess file. Add the following code to it and save:

Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"
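As an added example (not from the article or from Astra), the following Python shows which resource loads the policy above permits, including the fallback to default-src 'none' for directives the policy does not list; the URLs are constructed, and only the 'none', 'self' and plain host source kinds are handled.

```python
from urllib.parse import urlsplit

# The policy shipped in the Nginx/Apache snippets above.
PAGE_POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
               "img-src 'self'; style-src 'self';")


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url: str):
    """(scheme, host, port) of a URL or bare host such as cdn.example.net."""
    u = urlsplit(url if "//" in url else "//" + url)
    return (u.scheme, u.hostname, u.port)


def load_allowed(policy: str, directive: str, page_url: str, resource_url: str) -> bool:
    """True if a browser enforcing `policy` on `page_url` would load `resource_url`
    under the fetch directive `directive` (e.g. 'script-src').
    Handles 'none', 'self', '*' and plain host sources; no wildcard hosts or nonces."""
    directives = parse_csp(policy)
    # A fetch directive that is not listed falls back to default-src; with
    # default-src 'none' every unlisted resource type (fonts, frames, ...) is blocked.
    sources = directives.get(directive, directives.get("default-src", []))
    page_origin, res_origin = _origin(page_url), _origin(resource_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if res_origin == page_origin:
                return True
        elif src == "*":
            return True
        elif not src.startswith("'"):
            # Host source such as cdn.example.net or https://cdn.example.net
            src_scheme, src_host, _ = _origin(src)
            if res_origin[1] == src_host and (not src_scheme or src_scheme == res_origin[0]):
                return True
    return False
```

Note that under the page's policy even a same-origin web font is blocked, because font-src is unlisted and falls back to default-src 'none'; add the directives your theme needs before deploying it.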

Conclusion

Missing HTTP security headers are a significant security flaw. Scan your site right now to check for missing headers. Given the benefits of deploying security headers on your site, it needs no further convincing. This article covers only the most important security headers; it in no way implies there aren't more. There are other HTTP security headers, such as Feature-Policy, Expect-CT and so on, that you can configure according to your requirements.

About Sachin Tiwari 80 Articles
I am a software engineer and have an interest in web security or cybersecurity; I love to learn about website security topics and share them with others.
