What are HTTP Security Headers?

When a user visits a website through a web browser, the server responds with HTTP response headers. These headers tell the web browser how to behave throughout its interaction with the website. They generally carry metadata such as cache control, status codes and content encoding. By using HTTP response headers you can harden your website and prevent or mitigate attacks. For example, by adding Strict-Transport-Security you can force all current web browsers, such as Google Chrome, Firefox and Safari, to communicate with your website over HTTPS only. Let's have a look at six HTTP security headers:

- HTTP Strict Transport Security (HSTS)
- X-XSS-Protection
- X-Content-Type-Options
- X-Frame-Options
- Referrer-Policy
- Feature-Policy
HTTP Strict Transport Security (HSTS)

Let's say you have a site, example.com, and you set up an SSL/TLS certificate to move from HTTP to HTTPS. Now you assume that your website is reachable over HTTPS only. What if I told you that it is still accessible over HTTP? Yes, you heard it right. There are several scripts available that hackers use to open a website over HTTP. By using the Strict-Transport-Security header, you can force all current web browsers, such as Google Chrome, Firefox and Safari, to communicate with your website over HTTPS only. So if an attacker tries to open your WordPress site over plain HTTP, the web browser won't load the page that way; it upgrades the request to HTTPS instead. Note that a browser only enforces this after it has seen the header on an HTTPS response, so the very first visit is not yet covered.
X-XSS-Protection

X-XSS-Protection is a security header named after cross-site scripting (XSS), the attack it is meant to protect sites against. The filter it controls is built into and enabled by default in modern web browsers; setting the header makes the browser apply it explicitly to your pages. With the header set, the browser won't render a page if it detects a reflected cross-site scripting attack in it. Note that current Chromium-based browsers have since removed this filter and Firefox never implemented it, so treat the header as legacy hardening rather than a primary defence.
X-Content-Type-Options

X-Content-Type-Options is a security header with a single value, nosniff, that stops Google Chrome, Internet Explorer and Firefox from MIME-sniffing a response away from its declared Content-Type. This protects the content and reduces the risk of drive-by downloads.
X-Frame-Options

The X-Frame-Options header protects your site against clickjacking by controlling whether its pages may be displayed inside a frame or iframe on another site. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+ and Safari 4+. In a clickjacking attack, an attacker fools a user into clicking on something that isn't what it appears to be: the user believes they are on the genuine site while something else is running in the background. This way, hackers can steal information from your web browser.
Referrer-Policy

When a user follows a link to a website, the browser includes a Referer header (the spelling is historical) that tells the server where the visitor came from. This header is mostly used for analytics. As you can imagine, it raises a privacy issue. You can limit what it reveals by adding a Referrer-Policy header to your WordPress site.
Feature-Policy

Feature-Policy is a security header that lets website owners allow or disallow specific web platform features on their own pages and on the pages they embed. Using the Feature-Policy header, you as a site owner can restrict which browser features a site may use. For every feature, you specify what is allowed and what is not. Here is an example Feature-Policy:

```
Feature-Policy: geolocation 'none'; camera 'none'
```

Specifying 'none' as the origin list disables the feature for all browsing contexts. (This header has since been renamed Permissions-Policy; the syntax shown above is the Feature-Policy form.)

Note:
- Before you add HTTP security headers to your WordPress site, make sure you have an SSL certificate installed; otherwise, once HSTS is set, your site won't be accessible.
- Before you edit any of your files, make sure to take a full backup.
How to Add HTTP Response Headers in WordPress

To add HTTP response headers in WordPress, you only need to add a few lines to your .htaccess file. First, log in to your WordPress hosting cPanel account and go to the root folder of your WordPress site. Then find the .htaccess file and open it for editing. Because its name starts with a dot, it may be hidden; if you can't see it in the root folder, go to Settings and tick "Show Hidden Files". Now add the following lines at the end:

```apache
<IfModule mod_headers.c>
    # Send HSTS only on HTTPS responses (env=HTTPS); max-age is one year in seconds.
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    # "set" rather than "append", so the value is never duplicated if WordPress already sends this header.
    Header always set X-Frame-Options SAMEORIGIN
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header set Feature-Policy "geolocation 'none'; camera 'none'"
</IfModule>
```

Once added, save the file. Now go to securityheaders.com to check whether the headers are being sent.
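As an added example that is not part of the original article: a small offline Python checker that applies the same expectations as the .htaccess snippet above to a captured set of response headers (for instance the output of `curl -sI https://your-site`), so you can verify a site from a script as well as via securityheaders.com. The sample responses HARDENED and WEAK are constructed for the demonstration.

```python
MIN_HSTS_MAX_AGE = 31536000  # one year, the value the article's .htaccess sets

# Accepted values per header, compared case-insensitively. "0" is also accepted
# for X-XSS-Protection because it explicitly disables the legacy browser filter.
ALLOWED = {
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"deny", "sameorigin"},
    "X-XSS-Protection": {"1; mode=block", "0"},
    "Referrer-Policy": {"no-referrer", "no-referrer-when-downgrade", "same-origin",
                        "strict-origin", "strict-origin-when-cross-origin"},
}

def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or -1 if absent or invalid."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return -1

def check_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Map each header the article covers to "ok" or a short finding."""
    h = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    findings: dict[str, str] = {}
    hsts = h.get("strict-transport-security", "")
    findings["Strict-Transport-Security"] = (
        "missing" if not hsts else
        "ok" if hsts_max_age(hsts) >= MIN_HSTS_MAX_AGE else f"max-age too short: {hsts}")
    for name, allowed in ALLOWED.items():
        value = h.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif value.lower() not in allowed:  # e.g. "SAMEORIGIN, SAMEORIGIN" from a duplicated append
            findings[name] = f"unexpected value: {value}"
        else:
            findings[name] = "ok"
    # Feature-Policy has since been renamed Permissions-Policy; accept either spelling.
    findings["Feature-Policy"] = "ok" if h.keys() & {"feature-policy", "permissions-policy"} else "missing"
    return findings

# Constructed sample responses: one hardened as in the article, one default install.
HARDENED = {"Strict-Transport-Security": "max-age=31536000", "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
            "Referrer-Policy": "no-referrer-when-downgrade",
            "Feature-Policy": "geolocation 'none'; camera 'none'"}
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300",
        "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN"}

if __name__ == "__main__":
    print(check_security_headers(HARDENED), check_security_headers(WEAK), sep="\n")
```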