Security Headers
Plug-in to ease the setting of TLS headers for HSTS and similar
Overview
Compatibility
Installation instructions
Customer support & learning resources
Changelog
Main benefits
Control HTTP headers easily
Enhance website security
Mitigate clickjacking risks
Ensure certificate transparency
Re-enable XSS protection
About this plugin
Categories: Security
Version: 1.1
Last updated: 26-02-2019
WordPress version: 3.8.1
Tested up to: 5.1.19
PHP version required: 5.6
Languages:
Tags:
Overview
This WordPress plugin is designed to enhance the security of websites by offering crucial HTTP header management without the need to modify server configurations or use .htaccess files. It provides controls for implementing HSTS to enforce secure connections and prevent the bypassing of certificate warnings, and HPKP for an added layer of security beyond the Certificate Authority trust model. The plugin also facilitates disabling content sniffing to protect against unwanted file type interpretations, enabling XSS protection with a "block" option to thwart cross-site scripting attacks, and implementing X-Frame-Options to prevent clickjacking. Additionally, it offers configuration of Expect-CT to ensure Certificate Transparency, giving users the ability to protect their websites more comprehensively and maintain control over core security aspects directly from the WordPress admin interface.
HSTS (Strict-Transport-Security)
- Ensures future connections to a website always use TLS.
- Disallows bypass of certificate warnings for the site.
- Enhances security by enforcing secure connections.
HPKP (Public-Key-Pins)
- Provides an additional layer of security beyond the Certificate Authority trust model.
- Helps prevent man-in-the-middle attacks by pinning trusted public keys.
- Ensures that only specified public keys are accepted for the site.
Disabling Content Sniffing (X-Content-Type-Options)
- Prevents browsers from interpreting files as a different MIME type.
- Reduces risk of unexpected attacks from user-uploaded files.
- Ensures that content is handled in a predictable manner.
XSS Protection (X-XSS-Protection)
- Re-enables XSS protection if previously disabled by the user.
- Sets the 'block' option to prevent silent ignoring of attacks.
- Enhances site security by actively blocking cross-site scripting attacks.
Rating and reviews
krsi78
14 May, 2020
Just a quick warning: if you enable this plugin, the Tawk.to widget is no longer displayed in Chrome, Firefox and Safari. Edge is not affected (yet?).
flch
11 Feb, 2019
Works great and makes security much easier.
Thanks for this great plugin!
tone_milazzo
21 Jun, 2018
My topic can’t be empty so I’m writing this to fill it.
bozon
20 Jun, 2017
Works really well! Tested with [link removed]
For the future releases it would be good to include Content-Security-Policy and the forthcoming Expect-CT options.
This topic was modified 7 years, 1 month ago by bdbrown. Reason: Links not permitted in reviews
WebBever
26 May, 2017
Easy to use, works like a charm!