{"id":41920,"date":"2022-12-26T15:00:18","date_gmt":"2022-12-26T14:00:18","guid":{"rendered":"https:\/\/qodeinteractive.com\/magazine\/?p=41920"},"modified":"2022-12-26T09:29:23","modified_gmt":"2022-12-26T08:29:23","slug":"http-security-headers-wordpress","status":"publish","type":"post","link":"https:\/\/qodeinteractive.com\/magazine\/http-security-headers-wordpress\/","title":{"rendered":"7 Must-Use HTTP Security Headers for WordPress"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]When looking at any half-decent <a href=\"https:\/\/qodeinteractive.com\/magazine\/ultimate-wordpress-security-checklist\/\">WordPress security checklist<\/a>, the long line of things you could be doing to keep your website safe sure makes it look like the internet isn\u2019t a safe place to be. Then again, how great it is to have all those various <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-security-plugins\/\">security plugins<\/a> and practices to keep your website safe? Whether you need <a href=\"https:\/\/qodeinteractive.com\/magazine\/best-identity-theft-protection-services-for-small-businesses\/\">identity theft protection services<\/a>, <a href=\"https:\/\/qodeinteractive.com\/magazine\/best-free-wordpress-online-security-scanners\/\">online security scanners<\/a>, or ways to <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-protect-your-wordpress-website-from-ddos-attacks\/\">protect your website from DDoS attacks<\/a> and <a href=\"https:\/\/qodeinteractive.com\/magazine\/what-is-malvertising-wordpress\/\">avoid malvertising<\/a>, there\u2019s something you can do about it. 
And if you\u2019re looking for ways to make your website even more secure, there are also HTTP security headers your WordPress website could use.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]As far as website security goes, however, employing HTTP headers might not be the best-known method of keeping your website safe. Don\u2019t worry, though \u2013 we\u2019ll provide you with the most useful information about HTTP security headers and how your website can use them. So stick around, and read about:<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#what-is-an-http-security-header\">What Is an HTTP Security Header?<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#the-best-http-security-headers\">What Are the Best HTTP Security Headers for WordPress?<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;5px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><a href=\"#add-http-security-headers-to-wordpress\">How to Add HTTP Security Headers to WordPress<\/a><\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;80px&#8221;][vc_widget_sidebar sidebar_id=&#8221;new-top-picks-banner&#8221;][vc_empty_space height=&#8221;80px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"what-is-an-http-security-header\"><\/a>What Is an HTTP Security Header?<\/h2>\n<p>[\/vc_column_text][vc_empty_space 
height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"970\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2022\/08\/Where-Can-You-Get-PHP-Accelerators.jpg\" class=\"attachment-full size-full\" alt=\"Where Can You Get PHP Accelerators\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2022\/08\/Where-Can-You-Get-PHP-Accelerators.jpg 970w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2022\/08\/Where-Can-You-Get-PHP-Accelerators-300x171.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2022\/08\/Where-Can-You-Get-PHP-Accelerators-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2022\/08\/Where-Can-You-Get-PHP-Accelerators-620x354.jpg 620w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]To get to what HTTP security headers are and why your WordPress website might need them, we first need to cover what HTTP headers are and what they do. Whenever someone tries to access your website via a browser, the browser sends a request to your server, asking it to serve up the information needed to, for example, display a page or a post.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]When that request goes out, it includes two components \u2013 a request line that details what is requested, and HTTP headers. 
<strong>Request headers might, for example, instruct on the preferred version of the content, provide information on the preferred type of connection, signal caching policies, and do many more things.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]A server that receives the request sends out the response, which starts with a status line, followed by response headers, and finally the contents of the reply \u2013 the information about the page. <strong>In this case, HTTP headers can supply information about the content, including when it was last modified, for example. HTTP headers can also inform about the content caching policy<\/strong> \u2013 that\u2019s what <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-add-expires-headers\/\">expires headers<\/a> do.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>You can see by now that HTTP headers give more information during the exchange of information between a browser and a server.<\/strong> The information can be used to help authentication purposes, caching, storage, managing the connection, setting of cookies, and many more things \u2013 including security.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>So, HTTP security headers are HTTP headers that help harden your website against all sorts of online attacks and make it more secure for both you and the people who visit your website.<\/strong> If you\u2019re still not sure about what they are and what they do, however, things might get clearer once we dive into specific security headers you should use for your WordPress website.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"the-best-http-security-headers\"><\/a>What Are the Best HTTP Security Headers for WordPress?<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div 
class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/12\/Installing-Security-Plugins.jpg\" class=\"attachment-full size-full\" alt=\"Installing Security Plugins\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/12\/Installing-Security-Plugins.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/12\/Installing-Security-Plugins-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/12\/Installing-Security-Plugins-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/12\/Installing-Security-Plugins-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]The best way to understand what HTTP security headers do is to go through a handful of them and explain what they\u2019re used for. 
To that end, we\u2019ve created a list of some of the most useful HTTP security headers for WordPress you could implement on your website.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">HTTP Strict Transport Security \u2013 HSTS<\/h3>\n<p>[\/vc_column_text][vc_column_text]HTTP Strict Transport Security, often referred to as HSTS, is an HTTP security header you can <strong>use to prevent downgrading from an encrypted connection to your website \u2013 a connection made using HTTPS \u2013 to an unencrypted and less secure connection.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]An unencrypted connection is vulnerable to various man-in-the-middle attacks, and there are various reasons a visitor might end up on the less secure type of connection, from clicking on an old link to browsers defaulting to plain HTTP when the scheme isn\u2019t typed out.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]If your website sends an HSTS security header, it will respond to a visitor\u2019s first request with information that the addresses on your website should only be opened over the encrypted connection, which the browser remembers for later visits. <strong>In essence, HSTS forces a secure connection.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Content Security Policy \u2013 CSP<\/h3>\n<p>[\/vc_column_text][vc_column_text]Content Security Policy is an added layer of protection your website can use against cross-site scripting, data injections, and clickjacking attacks. 
<strong>To do so, the CSP HTTP security header specifies which resources can be loaded to display any specific page.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]In practice, this means that you\u2019ll have to create a policy with a set of directives that specify from which locations a user agent \u2013 a browser, for example \u2013 may download certain resources, to which locations it can navigate or submit forms, or even which plugins can be embedded into a document.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]As you might imagine, creating a Content Security Policy can be a challenging task. <strong>Web developers can also use the Content Security Policy Report Only header, which only monitors the possible effects of policies without actually enforcing them.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Cross-Origin Resource Policy \u2013 CORP<\/h3>\n<p>[\/vc_column_text][vc_column_text]If you want to prevent the resources from your website from being loaded on other pages \u2013 <strong>which you might do if you want to stop hackers from taking advantage of cross-site leaks<\/strong> \u2013 then having a Cross-Origin Resource Policy header, or CORP, comes highly recommended.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>With CORP, you can set loading rules for every resource on your website.<\/strong> There are three types of rules you can set using this header:[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Same-origin<\/strong>, which allows the resource to be loaded only by same-origin pages.<\/span>        <\/div>\n  
          <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Same-site<\/strong>, which allows the resource to be loaded on all subdomains of a single site.<\/span>        <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Cross-site<\/strong>, which allows the resource to be loaded on other sites.<\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Keep in mind, however, that CORP doesn\u2019t prevent access to those resources by simply navigating to them.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Cross-Origin Opener Policy \u2013 COOP<\/h3>\n<p>[\/vc_column_text][vc_column_text]Another way to reduce the chance of your website being a target of cross-site leaks is to <strong>make sure that same-origin documents are loaded in a separate browsing context than cross-origin documents<\/strong>. 
This is something the Cross-Origin Opener Policy header, or COOP, might help you with.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]COOP has three different directives:[\/vc_column_text][vc_empty_space height=&#8221;22px&#8221;]<ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Unsafe-none<\/strong>, which is the default directive that allows adding the document to an existing browsing context group unless that group has either of the two other directives.<\/span>        <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Same-origin-allow-popups<\/strong>, a directive you can set if your website uses popups that transfer data across windows.<\/span>        <\/div>\n            <\/li>\n<\/ul><ul class=\"qodef-unordered-list-item qodef-toc\">\n    <li>\n\t        <div class=\"qodef-ul-title-holder\">\n            <span class=\"qodef-ul-title-content\"><strong>Same-origin<\/strong>, the strictest directive, which puts same-origin documents into a browsing context that can\u2019t be accessed by cross-origin documents.<\/span>        <\/div>\n            <\/li>\n<\/ul>[vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Cross-Origin Embedder Policy \u2013 COEP<\/h3>\n<p>[\/vc_column_text][vc_column_text]When you want to restrict the cross-site resources your documents can load to only the ones that explicitly grant permission, you use the Cross-Origin Embedder Policy \u2013 COEP. 
<strong>When you set the directive of this header to \u201crequire-corp,\u201d only the resources that are explicitly allowed via CORP will be loaded in a document.<\/strong> Alternatively, if the resource supports the CORS protocol, CORS can be used to decide whether it is eligible to be loaded.[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">X-Content-Type-Options<\/h3>\n<p>[\/vc_column_text][vc_column_text]<strong>The Content-Type header is an HTTP header that denotes information about the media type of a resource.<\/strong> When this information is ignored, the resource can be used in a way that\u2019s not intended, for example, to execute scripts in the form of a cross-site scripting attack.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]The X-Content-Type-Options security header is used to let the browser know that it shouldn\u2019t ignore the MIME type set in the Content-Type header. <strong>This security header is another one you should be using on all of your resources \u2013 along with correct Content-Type headers.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">X-Frame-Options<\/h3>\n<p>[\/vc_column_text][vc_column_text]Clickjacking is a type of attack where an attacker uses a decoy page to get a user to click on something on a different page \u2013 let\u2019s say one from your website \u2013 which is typically hidden behind the decoy page. <strong>One of the ways attackers can do this is by rendering your pages using &lt;frame&gt;, &lt;iframe&gt;, &lt;embed&gt;, or &lt;object&gt;.<\/strong>[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]You don\u2019t have to allow for that, of course. 
<strong>You can use the X-Frame-Options security header to deny this type of rendering.<\/strong> You should do so on all the documents that aren\u2019t created specifically for embedding.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\"><a id=\"add-http-security-headers-to-wordpress\"><\/a>How to Add HTTP Security Headers to WordPress<\/h2>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;21px&#8221;]<div class=\"qodef-single-image-holder    \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"554\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/01\/Whats-a-Code-Editor-and-When-to-Use-One.jpg\" class=\"attachment-full size-full\" alt=\"What\u2019s a Code Editor and When to Use One\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/01\/Whats-a-Code-Editor-and-When-to-Use-One.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/01\/Whats-a-Code-Editor-and-When-to-Use-One-300x172.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/01\/Whats-a-Code-Editor-and-When-to-Use-One-768x439.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/01\/Whats-a-Code-Editor-and-When-to-Use-One-620x354.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]When it comes to adding security headers, you should know that some are more difficult to add and configure than others. <strong>This being WordPress, you\u2019ll have the option to use plugins to help you out.<\/strong> It might not be the most desirable way to implement security headers, but it\u2019s probably the easiest. 
The plugins that come recommended for these purposes include <a href=\"https:\/\/wordpress.org\/plugins\/redirection\/\" target=\"_blank\" rel=\"noopener\">Redirection<\/a> and the pro version of <a href=\"https:\/\/wordpress.org\/plugins\/really-simple-ssl\/\" target=\"_blank\" rel=\"noopener\">Really Simple SSL<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<strong>If you want to avoid using plugins altogether, you can go straight to the core and edit the .htaccess or nginx.conf file, depending on the type of server you have.<\/strong> You\u2019ll need to do little else except add a line or a few lines of configuration for each of the headers, depending on which ones you want to implement. And finally, if you\u2019re <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-set-up-cloudfare-for-wordpress\/\">using Cloudflare<\/a>,<strong> you should know that it has its own ways to let you add security headers<\/strong>, which saves you from having to go into your server configuration file or download new plugins.[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">Let\u2019s Wrap It Up!<\/h2>\n<p>[\/vc_column_text][vc_column_text]HTTP security headers are simple lines of configuration you can use to greatly improve the safety and security of your website. Some might be complicated to write, and others might work well only in addition to existing security practices, but it\u2019s hard to find a security header that\u2019ll do you more harm than good \u2013 especially on a list of must-use HTTP security headers for WordPress. So check your website for the headers it already uses, and carve out the time to add the ones it still needs.<br \/>\n[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Want to improve your website&#8217;s security with HTTP security headers? 
We&#8217;ll show the best ones for adding an additional layer of security to your site!<\/p>\n","protected":false},"author":9295,"featured_media":41936,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[337,34,39,13],"class_list":["post-41920","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-resources","tag-http","tag-security","tag-tools","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/41920","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/users\/9295"}],"replies":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/comments?post=41920"}],"version-history":[{"count":0,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/41920\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media\/41936"}],"wp:attachment":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media?parent=41920"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/categories?post=41920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/tags?post=41920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}