HSTS / HTTP Security Headers and WordPress

After giving SSH a hardening makeover, I’ve discovered something new. Apparently, HTTP Strict Transport Security (HSTS) and all kinds of HTTP Security Headers is pretty hot at the moment. It has been for a while actually, but more people are adopting it nowadays. For WordPress, that I’m running, it is rather easy to setup.

Stuff like this is awesome. Everytime you think your server is secure, you discover something new that needs fixing or patching. Take this HSTS. It seems such a small piece on a very large scale, but still, when you pull your site and server through a site like securityheaders.io, you’ll be amazed about how far off from ‘secure’ you are.

I really believe that small things like these shouldn’t be neglected. Always be on edge and fix these kind of things.

HSTS in WordPress

If you like easy and don’t feel like altering your page sources, use a plugin. There are a couple, I’m using HTTP Headers and it does the job just great. Before editing your settings, do a test at securityheaders.io and you’ll probably be disappointed by the results. So let’s make things better, right?

With these basic settings you’ll do a lot better:

X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=edge,chrome=1
Strict-Transport-Security: max-age: 31536000; includeSubDomains
Referrer-Policy: no-referrer-when-downgrade
Access-Control-Allow-Origin: HTTP_ORIGIN
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: Origin
P3P: CP="CAO PSA OUR"

With the plugin you can even tweak a lot more, you’ll have to explore the settings and see what works and doesn’t for your website. As always, don’t goof around with mission critical systems. Just make your change and test your website. Rinse, repeat. When in trouble, just revert to your previous setting. Be sure to test with different browsers and systems.

The only real hard part to implement, is the Content-Security-Policy. Check out some examples here. I’ll fine tune this later, for now the above settings will do. I went from a F grade to an A grade at securityheaders.io.

UPDATE: Check how to do it in a plain HTML site.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.