HTTP Headers

HTTP Headers adds CORS & security HTTP headers to your website.

Rating: 4.4
Reviews: 66
Active installations: 40K

Main benefits

Control HTTP headers

Enhance security policies

Manage cross-origin requests

Optimize caching strategies

Customize content delivery

About this plugin

Categories: Security
Version: 1.19.1
Last updated: 02-09-2023
WordPress version: 3.2
Tested up to: 6.3.5
PHP version required: 5.3
Languages: Español de México, Français

Overview

The HTTP Headers plugin for WordPress provides comprehensive control over the HTTP headers returned by your blog or website. This plugin enables users to manage a wide range of headers, including those related to access control, content security policies, caching, cross-origin policies, and more. By customizing headers such as Access-Control-Allow-Origin, Content-Security-Policy, Cache-Control, and Strict-Transport-Security, among others, users can enhance the security, performance, and compliance of their websites. This powerful tool ensures that you have the flexibility to optimize and secure your site's interactions and data transfers according to best practices and specific requirements.

Enhanced Security

  • Supports Content-Security-Policy to prevent cross-site scripting attacks.
  • Includes Strict-Transport-Security to enforce secure connections.
  • Provides X-Frame-Options to protect against clickjacking.
  • Offers X-XSS-Protection to mitigate cross-site scripting attacks.

Improved Performance

  • Utilizes Cache-Control to manage caching policies.
  • Supports Content-Encoding to compress data and reduce load times.
  • Includes Age header to indicate the freshness of the resource.
  • Provides Timing-Allow-Origin to control which origins can read resource timing data.

Enhanced Privacy

  • Supports Referrer-Policy to control the amount of referrer information sent.
  • Includes Permissions-Policy to manage permissions for APIs and features.
  • Provides Clear-Site-Data to clear browsing data.
  • Offers NEL (Network Error Logging) to report network errors.

Cross-Origin Resource Sharing (CORS) Control

  • Supports Access-Control-Allow-Origin to specify allowed origins.
  • Includes Access-Control-Allow-Credentials to control credential sharing.
  • Provides Access-Control-Allow-Methods to specify allowed HTTP methods.
  • Offers Access-Control-Allow-Headers to specify allowed headers.

Rating and reviews

User sentiment analysis

Users appreciate the WordPress plugin for significantly enhancing site security by managing HTTP headers. It simplifies the complex process of adding these headers, offering a user-friendly dashboard and useful documentation. Its ability to work well with custom themes and various plugins is also highlighted. However, drawbacks include occasional glitches leading to site crashes, complexities in initial setup, and outdated features that could hinder performance, especially on PHP 8.1. Improved UX, in-built documentation, and recommendations from security standards like OWASP would enhance its usability. Issues with NGINX compatibility and lack of customer support were repeatedly noted, necessitating better responsiveness from developers.
swampscrapper

11 May, 2024

I am finding this a very effective tool to help clients reach security compliance. There is one glitch I believe, however, is with the x-content-type-options. Once you enable this the only option is “nosniff”. And once enabled, there is no way to reset it. And unfortunately I believe this setting is creating errors on my site. I can’t even seem to find the line for it in my .htaccess file. Any recommendations?
Jonathan Jewell

30 Apr, 2024

I have felt this has been excellent since the first time I used it, and absolutely no issues with it for what it is, except that there are a couple of headers that either need to be ‘marked deprecated’ or just removed. My immediate spot of these are the Features header, P3P header and the Expect-CT (which is still around, but Mozilla recommend not using). There may be others. There are a bunch of things that I might suggest as improvements, but this is to move the tool forward a bit. For instance: It would be great if it could display the highlighted state of the current Apache/Nginx code and the status of the security (as per securityheaders.com form) alongside/under it, so you could see the evolution of the security header set up arrangements as you add/remove them. Could be useful to have some in-built documentation on these things (particularly with the P3P header, those little summary items were impossible to figure out without going back and forth, but for other things like cache-control, or accept-expose-headers, some labelling could help). That said, for advanced users anyway, so perhaps less important. Further to that, it might be useful to have an indication of what OWASP, Scott Helme, and Mozilla recommend and/or warnings for ones that are problematic for security or high risk with labels on them. There are a few things that have odd formatting, so it is not obvious how to transpose the information for the reporting one over from how the header is laid out, since there are different ones for this. In this you have the report header that is normally used (as per report-uri site from Scott Helme) but it does not fit there. However, it has a group called ‘csp-element’ or something similar that might be clearer as to its use elsewhere. There is also the display of custom headers that are all grouped into one thing, and not spread out in a useful way if you want to review them.
Odd grouping in a couple of places, so custom headers I might have given its own block for instance, and to have two items in one and even one in one grouping is a bit pointless. On another note, it is a shame that there is not a tool that is so effective that does this kind of thing for WordPress and just outputs the BIND9 detail for DNS resource records. A combination of this and that, with the ability to adjust PHP and Apache settings would be the most amazing tool ever. What this does, however, is set the foundations for a great security setup.
robertorefresh

18 Apr, 2024

Simple and useful
j0s6h

31 Mar, 2024

Great tool. Novices, beware, the myriad of settings is a bit daunting at first so you need to dive into the subtleties of Header settings, specifically the ones that address security settings for your site. A good resource for the broad variety of settings for Content Security Policy as well as other important Header settings such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy and Permissions Policy can be found at cheatsheetseries owasp org. Take your time working out which settings work best for your site. Getting a good rating at securityheaders com will reward you for your efforts. While the tool respects your initial .htaccess content it’s a good idea to back up your .htaccess before saving and applying the plugin’s settings.
KrackMedia

16 Sep, 2023

Been using this for well over a year now. Works like a champ with custom themes, wide variety of plugins, and page builder themes. Of course, we keep all of these updated. The settings dashboard is very user-friendly. Much easier than adding these manually. Thank you!

FAQ

Why use this plugin?

Who uses these headers?

What headers are supported by this plugin?

How does this plugin improve security?

Is this plugin compatible with all WordPress themes?

Can I customize the headers for different pages?

Does this plugin affect website performance?

Is there any support available for this plugin?