
Security Headers
Plug-in to ease the setting of HTTP security headers such as HSTS from the WordPress admin


Main benefits
Control HTTP headers easily
Enhance website security
Mitigate clickjacking risks
Ensure certificate transparency
Re-enable XSS protection
About this plugin
Categories: Security
Version: 1.1
Last updated: 26-02-2019
WordPress version: 3.8.1
Tested up to: 5.1.19
PHP version required: 5.6
Overview
This WordPress plugin adds the main HTTP security headers to a site's responses from the WordPress admin interface, without editing the web server configuration or an .htaccess file. It can send Strict-Transport-Security (HSTS) so that browsers only reach the site over TLS and can no longer click through certificate warnings for it; Public-Key-Pins (HPKP) to restrict which public keys a browser will accept for the site, beyond what the Certificate Authority trust model alone guarantees; X-Content-Type-Options: nosniff so that browsers do not guess a MIME type different from the one the server declares; X-XSS-Protection with the "block" option so that a browser's reflected-XSS filter refuses to render the page instead of silently sanitising it; X-Frame-Options to prevent clickjacking; and Expect-CT to require Certificate Transparency information for the site's certificate. Two caveats apply to a plugin of this vintage (the listing dates from early 2019): HPKP has since been removed from the major browsers, and a mistaken pin locks visitors out of the site until the pinned max-age expires, so it is best left disabled; and Chromium-based browsers have since dropped both their XSS filter and Expect-CT, so HSTS, X-Content-Type-Options and X-Frame-Options are the settings that still have a practical effect.
HSTS (Strict-Transport-Security)
- Ensures future connections to a website always use TLS.
- Disallows bypass of certificate warnings for the site.
- Only takes effect when sent on an HTTPS response (browsers ignore it on plain HTTP), and cannot be revoked from clients that have already cached it, so max-age should be raised gradually rather than set to a year on the first deployment.
HPKP (Public-Key-Pins)
- Provides an additional layer of security beyond the Certificate Authority trust model.
- Helps prevent man-in-the-middle attacks by pinning trusted public keys.
- Ensures that only the pinned public keys are accepted for the site for the pinned max-age; a wrong or lost pin therefore locks visitors out for that period, and current browsers no longer honour the header.
Disabling Content Sniffing (X-Content-Type-Options)
- Prevents browsers from interpreting files as a different MIME type.
- Reduces the risk from user-uploaded files, for example an upload served as an image being rendered as HTML or script because a browser sniffed its content.
- Ensures that content is handled in a predictable manner.
XSS Protection (X-XSS-Protection)
- Re-enables the browser's reflected-XSS filter if the user has switched it off.
- Sets mode=block so the browser refuses to render the page rather than silently stripping the suspect script and continuing.
- Only affects browsers that still ship such a filter: Chromium removed its XSS Auditor in 2019 and Firefox never had one, so this header is a fallback, not a substitute for output encoding in templates.
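The headers above, emitted from a WordPress hook the way a small mu-plugin would do it. This is an added example and not the plugin's own code; the `shx_` function names and the settings array are illustrative assumptions standing in for whatever the plugin stores from its admin screen. Public-Key-Pins is deliberately left out, because browsers have dropped it and a bad pin locks users out; the other headers are built as a name/value array first so they can be inspected before anything is sent.

```php
<?php
/**
 * Added example (not the plugin's own code): send the security headers
 * discussed above from WordPress's send_headers hook.
 * All shx_* names and the settings below are illustrative assumptions.
 */

// Hypothetical settings; the real plugin takes these from its admin UI.
function shx_header_settings() {
    return array(
        'hsts_max_age'      => 31536000,    // one year; start small (e.g. 300) on first rollout
        'hsts_subdomains'   => true,        // only if every subdomain is reachable over HTTPS
        'hsts_preload'      => false,       // only after submitting the site to the preload list
        'frame_options'     => 'SAMEORIGIN',// or DENY; ALLOW-FROM is obsolete and not emitted
        'xss_block'         => true,        // mode=block instead of silent sanitising
        'expect_ct_max_age' => 86400,
        'expect_ct_enforce' => false,       // report-only until CT logs are confirmed for the cert
    );
}

// Build name => value pairs without sending them, so they can be inspected or logged.
function shx_build_headers( array $s, $is_https ) {
    $h = array();

    // HSTS and Expect-CT are only honoured on HTTPS responses; sending them over
    // plain HTTP is harmless but pointless, so they are skipped there.
    if ( $is_https ) {
        $hsts = 'max-age=' . (int) $s['hsts_max_age'];
        if ( $s['hsts_subdomains'] ) { $hsts .= '; includeSubDomains'; }
        if ( $s['hsts_preload'] )    { $hsts .= '; preload'; }
        $h['Strict-Transport-Security'] = $hsts;

        $ct = 'max-age=' . (int) $s['expect_ct_max_age'];
        if ( $s['expect_ct_enforce'] ) { $ct .= ', enforce'; }
        $h['Expect-CT'] = $ct;
    }

    // Stop MIME sniffing: the declared Content-Type is final.
    $h['X-Content-Type-Options'] = 'nosniff';

    // Only DENY and SAMEORIGIN are meaningful; anything else falls back to SAMEORIGIN.
    $fo = strtoupper( (string) $s['frame_options'] );
    $h['X-Frame-Options'] = in_array( $fo, array( 'DENY', 'SAMEORIGIN' ), true ) ? $fo : 'SAMEORIGIN';

    // Legacy filter header; "1" re-enables it, mode=block stops silent sanitising.
    $h['X-XSS-Protection'] = $s['xss_block'] ? '1; mode=block' : '1';

    return $h;
}

// Hook callback: is_ssl() is WordPress's own check for an HTTPS request.
function shx_send_headers() {
    if ( headers_sent() ) {
        return; // too late to add headers; output has already started
    }
    foreach ( shx_build_headers( shx_header_settings(), is_ssl() ) as $name => $value ) {
        header( $name . ': ' . $value );
    }
}
add_action( 'send_headers', 'shx_send_headers' );
```

After enabling headers like these, confirm what the site actually returns with `curl -sI https://example.com/` and check that Strict-Transport-Security appears only on the HTTPS response, that the Content-Type of uploads is correct before relying on nosniff, and that X-Frame-Options does not break any legitimate embedding of the site.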