When a user visits your website, their browser sends an HTTP request to your web server, and the server answers with an HTTP response. Part of that response is a set of headers carrying information and settings about performance, security, connection handling and the content of the website.
Among these headers there are ones for performance, security and connection handling. In this article we explain how you can use the security-related headers to reduce the risk of attacks such as cross-site scripting, brute force attacks and clickjacking, and how to view the headers your site currently sends.
HTTP security header settings in WordPress
First, let’s talk about subsets that can be added to the HTTP header.
HTTP Strict-Transport-Security (HSTS)
The HTTP Strict-Transport-Security header instructs browsers to use HTTPS for every request to your website and to refuse plain HTTP requests to it once the header has been seen. In this way the connection between the client and the server is encrypted and clients browse your website securely. Note that browsers only honour the header when it is received over an HTTPS connection, so it has no effect on a site served over plain HTTP.
If you want to check your site’s HSTS setting, you can follow the link below:
X-XSS-Protection
The X-XSS-Protection header turns on the browser's built-in cross-site scripting filter, which blocks the page when a reflected script injection is detected. In this way you protect your site from many such attacks in browsers that still ship this filter; current versions of the major browsers have removed it, so treat the header as a legacy measure rather than your only defence.
X-Frame-Options
X-Frame-Options is a security header that controls whether your pages may be embedded in a frame, which prevents attacks known as clickjacking or UI redressing.
Possible options
X-Frame-Options: DENY | SAMEORIGIN | ALLOW-FROM (URL)
X-Content-Type-Options
X-Content-Type-Options prevents browsers from sniffing the content and acting on a different MIME type than the one declared in the Content-Type header of the response sent by the server.
How to check the security headers on a website?
Checking via Security Headers website
If you want to check the headers activated on your website before applying the above security steps, you can follow the link below:
Checking via terminal command
You can also use the Linux terminal command below to check any website's security header settings (the short form -I does the same thing). Request the HTTPS address, because the Strict-Transport-Security header is only sent over HTTPS:
curl --head https://websitename.com
How to add HTTP security headers on a WordPress website?
Use a file manager to navigate to /wp-content/themes/<current-theme> in your WordPress files on the server, then add the following code to the theme's functions.php file:
add_filter('wp_headers', function ($headers) {
    // Force HTTPS for two years, including subdomains, and allow submission to the preload list.
    $headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubDomains; preload';
    // Enable the legacy browser XSS filter in blocking mode.
    $headers['X-XSS-Protection'] = '1; mode=block';
    // Refuse to be embedded in any frame, which defeats clickjacking.
    $headers['X-Frame-Options'] = 'DENY';
    // Stop browsers from guessing a MIME type that differs from Content-Type.
    $headers['X-Content-Type-Options'] = 'nosniff';
    // Send no Referer header with outgoing requests.
    $headers['Referrer-Policy'] = 'no-referrer';
    return $headers;
}, 999);
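To verify that a site really sends the headers the filter above sets, here is an added Python checker (not part of this article or of WordPress) that parses the output of the curl --head command from the checking section and flags each header that is missing or weakly configured. It runs offline on a constructed sample response; partner.example is a placeholder host.

```python
import re
from typing import Dict, Tuple

# Constructed sample response: the values from the functions.php filter above, except that
# includeSubDomains is misspelled, X-Frame-Options uses the obsolete ALLOW-FROM form
# and Referrer-Policy is absent.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=63072000; includeSundomains; preload
x-xss-protection: 1; mode=block
x-frame-options: ALLOW-FROM https://partner.example
x-content-type-options: nosniff
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a lower-cased dict, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(raw: str) -> Dict[str, Tuple[bool, str]]:
    """Return header -> (ok, finding) for the settings the article recommends."""
    h = parse_headers(raw)
    result = {}
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    directives = {d.strip().lower() for d in hsts.split(";")}
    if not max_age:
        result["Strict-Transport-Security"] = (False, "missing or without max-age")
    elif int(max_age.group(1)) < 31536000:  # one year is the usual minimum for preload
        result["Strict-Transport-Security"] = (False, "max-age shorter than one year")
    elif "includesubdomains" not in directives:
        result["Strict-Transport-Security"] = (False, "includeSubDomains missing or misspelled")
    else:
        result["Strict-Transport-Security"] = (True, hsts)
    xss = h.get("x-xss-protection", "")
    result["X-XSS-Protection"] = (xss.replace(" ", "") == "1;mode=block", xss or "missing")
    # Only DENY and SAMEORIGIN are honoured; ALLOW-FROM is ignored by current browsers.
    xfo = h.get("x-frame-options", "").upper()
    result["X-Frame-Options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")
    xcto = h.get("x-content-type-options", "").lower()
    result["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")
    referrer = h.get("referrer-policy", "")
    result["Referrer-Policy"] = (bool(referrer), referrer or "missing")
    return result
```

Pipe real output into it with something like curl --head https://websitename.com | python3 -c 'import sys, audit; print(audit.audit_security_headers(sys.stdin.read()))' after saving the block as audit.py.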
While enhancing security through HTTP headers at a basic level is as simple as that, we will deliver extended information about those headers, what they actually do, and their settings. So, stay tuned.