HTTP headers to improve web site security

Beschreibung

This plug-in helps setting up the various header instructions included in the HTTP protocol allowing for simple improvement of your website security.

This plug-in provides enabling of the following measures:

  • HSTS (Strict-Transport-Security)
  • CSP (Content-Security-Policy)
  • Clickjacking mitigation (X-Frame-Options in main site)
  • XSS protection (X-XSS-Protection)
  • Disabling content sniffing (X-Content-Type-Options)
  • Referrer policy
  • Expect-CT
  • Feature-Policy
  • PHP-Versionsinformationen aus dem HTTP-Header entfernen
  • WordPress-Versionsinformationen aus dem HTTP-Header entfernen

securityheaders.com ist eine nützliche Ressource für die Bewertung der Sicherheit Deiner Website.

As usual, make sure to understand the meaning of these options and to run full tests on your web site as some options may result in some features stop working.

Screenshots

  • Allgemeine Einstellungen Bildschirm.
  • Content-Security-Policy directives settings screen.
  • .htaccess contents screen.

Installation

  1. Lade die Plugin-Dateien in das Verzeichnis /wp-content/plugins/http-security hoch oder installiere das Plugin direkt über den WordPress Plugin-Bildschirm.
  2. Aktiviere das Plugin über den „Plugins“ -Bildschirm in WordPress.
  3. Verwende den Bildschirm Einstellungen -> HTTP Security, um das Plugin zu konfigurieren.

FAQ

Wie kann ich die Plug-In-Läufe effektiv testen?

Überprüfe die HTTP-Header Deiner Website.

Rezensionen

8. April 2020
As a rookie regarding WordPress security I was pretty lost about HTTP Security headers until I found this pluging. So far it seems to be working great for me, even though I had to do some extra research to set up the Content Security Policy and Feature Policy thanks to these links (even if they are a bit old). Maybe you could add them (or similar ressources) as references to create a CSP / feature policy for beginners like me ? Thanks Carl for the great plugin and keep up the good work !
24. Dezember 2019
This plugin is easy to use. It is confined to a limited set of options to set the http headers. It seems that the most important ones have been chosen since testing my website after installing and setting the plugin yielded an A+ score on securityheaders.com. The only thing missings is cache-control; this would boost the performance of my website even more. Thanks to the maker of this plugin, I feel my website is safe and up-to-par with other safe websites like banking platforms.
22. November 2019
Well im was going crazy all around the web searching for a way to protect my header i attemp to do almost everyting thats on the web to achieve this but on every scan i got this message: To improve the security of your site against some types of XSS (cross-site scripting) attacks, it is recommended that you add the following header to your site: X-XSS-Protection: 1; mode=block It is supported by IE (Internet Explorer) and Chrome. You can enable it by modifying your Apache settings or your .htaccess file, and adding the following line to it: Header set X-XSS-Protection "1; mode=block" i even attemp to follow these instructions but even adding that code this warning was still showing well i installed this plugin and i will try it to see if it help with what i need to do buy i want to thank the plugin developer for this amazing tool playing around with the h.access file is no game, i will like to get in touch with this developer to check if im using the right configuration...
8. Juli 2019
If I could, I would give you 10 stars and dance at your wedding. You just saved me HOURS of work trying to figure out how to secure my site. After two hacks, I had enough and started securing it on my own. To slow and labor intensive (W3C school). Literally took me not even 5 minutes. So, THANK YOU, THANK YOU, THANK YOU.
30. Mai 2019
Really easy to set up, a lot of different options but still not hard to get into. The plugin does exactly what it is meant to do and does a great job at it! Adding a CSP to your site is only a matter of minutes with the plugin, but is a great addition to make your website secure against a lot of different attacks. Thanks a lot for the plugin!
4. März 2019
I've used this to implement http security headers on my WordPress site. Very easy to use and get good scores on evaluation sites. Content Security Policy seems to be an emerging technique to improve security. Its easy to implement using this plugin. Only one problem I've noticed: When I input data in the box for base-uri: and then check with Google CSP Evaluator it shoes all of the CSP values except for base-uri where it shows "base-uri;" regards of what's entered in the plugin. Base-uri doesn't fall back to the default-src directive so this shows up as an issue. Still deserves 5 stars for its ease of use.
Lies alle 12 Rezensionen

Mitwirkende & Entwickler

„HTTP headers to improve web site security“ ist Open-Source-Software. Folgende Menschen haben an diesem Plugin mitgewirkt:

Mitwirkende

„HTTP headers to improve web site security“ wurde in 8 Sprachen übersetzt. Danke an die Übersetzerinnen und Übersetzer für ihre Mitwirkung.

Übersetze „HTTP headers to improve web site security“ in deine Sprache.

Interessiert an der Entwicklung?

Durchstöbere den Code, sieh dir das SVN Repository an oder abonniere das Entwicklungsprotokoll per RSS.

Änderungsprotokoll

2.5.6

  • Fixed some text escaping

2.5.5

  • Added missing text escaping

2.5.4

  • Added missing text escaping

2.5.3

  • Kleinere Fehlerbehebungen

2.5.2

  • Improved options sanitize

2.5.1

  • Kleinere Fehlerbehebungen

2.5

  • Mit WordPress 5.4 getestet
  • Added support for Feature-Policy

2.4.2

  • Mit WordPress 5.0 getestet

2.4

  • Added .htaccess instructions

2.3.2

  • Mit WordPress 4.9 getestet

2.3

  • Added support for Expect-CT
  • Cleaned up the interface

2.2

  • Switched to languages packs

2.1

  • Added support for Referrer-Policy directive
  • Added uninstall database cleanup

2.0

  • Added support for all Content-Security-Policy directives
  • Reworked the user interface

1.11

  • Added setting the mode for x-frame-options

1.10.7

  • Removed HSTS header when connected in HTTP

1.10.3

  • Fixed HSTS syntax warning

1.10

  • Added support for Content-Security-Policy

1.9

  • Added critical issues notifications

1.7.5

  • Added max-age option to HSTS setting

1.6

  • Added option to remove WordPress version information from the header

1.5

  • Added option to remove PHP version information from the HTTP header

1.4

  • Included link to submit site preload to browsers
  • Reduced HSTS max-age to one year

1.3

  • Added X-Frame-Options protection.
  • Added X-Content-Type-Options protection.
  • Added HSTS options.

1.1

  • Added XSS protection option.

1.0

  • Erste stabile Version, mit grundlegende HSTS-Unterstützung.