HTTP Security Headers in WP

HTTP Security Headers – What are they?

HTTP Security Headers in WordPress refer to various pieces of information transmitted from a server to a user’s browser. These headers play a pivotal role in enhancing web application security by providing directives on how to handle the page and its associated resources.

Typical health check in WP will produce the “Not all recommended security headers are installed” – issue.

It is imperative for web developers to meticulously configure these headers to ensure optimal protection against potential vulnerabilities.

How to edit Security Headers:

  1. Login to your host File Manager or connect to your server with FTP.
  2. Navigate to public_html.
  3. Edit the .htaccess file.

Required Security Headers for WordPress in 2024:

(Place the code above everything else in .htaccess):

# Security Headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS 
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "0"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Permissions-Policy "geolocation=(self), microphone=(self), camera=(self)"
# End Security Headers
  • HSTS – When this header is set on your domain, a browser will do all requests to your site over HTTPS from then on.
  • X-Content-Type-Options – This header will force the browser not to “guess” what kind of data is passed.
  • X-XSS-Protection – Instructs the browser on how to configure XSS protections. In this case we leave it in the hands of modern browsers.
  • Referrer header – Determines what info is sent to the domain of a link you’re clicking on.
  • X-Frame-Options – Can prevent your site from being embedded in another site, protects against ‘clickjacking’ attacks.
  • Permissions-Policy – Allows sites to more tightly restrict which origins can be granted access to browser features.

Mitigate the security vulnerabilities by implementing these necessary secure HTTP response headers.

Currently the following are the OWASP recommended headers:

  • HTTP Strict Transport Security
  • X-Frame-Options
  • X-Content-Type-Options
  • Content-Security-Policy
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Clear-Site-Data
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • Cache-Control

Fewer headers are still entirely valid and align with the security requirements set forth by WordPress. Some of the headers recommended by OWASP do not apply to WordPress and some are deprecated in newest versions of the platform.

Whenever configuring HTTP security headers, be aware of these common avoidable problems: