Which security headers can I use for my site, what do they do and how do I install them?

Len, June 5, 2020

To improve the security of your website, you can add security headers. However, you need to work out the right headers and values for your website in advance, because a wrong header can cause problems.

Check which security headers are missing

Security headers can be implemented via the server, or via your website. If you are using a WordPress security plugin, they may already be implemented.

To see which headers your website is sending, you can use the Security Headers website (securityheaders.com). It scans your site and reports which security headers are present and which are missing. A result for a website without specific security headers can look like this:

[Screenshot: Security Headers scan result for a website without security headers]

Explanation of different security headers

The Security Headers website already gives a good explanation of each header; below we add some notes of our own:

Strict-Transport-Security (HSTS)

By implementing this header you tell the browser to use your site only over HTTPS and to refuse to load it when the certificate is invalid. This prevents visitors’ data from being stolen when an attacker on a local network is spoofing your website. We recommend the value that the Security Headers website indicates in its results.

Content-Security-Policy

Prevents your website from loading scripts that have nothing to do with your site. If your website is hacked and the attacker has inserted code that loads from another domain, this rule prevents that code from being executed.

X-Frame-Options

Prevents your website from being embedded in another website (for example in a frame). As a result, visitors can only use the functions of your site when they actually access them through your own domain. Again, we recommend the value given by the Security Headers website, unless your website needs to be embeddable from another domain.

X-Content-Type-Options

For each file on your website, the server specifies a content type so that the visitor’s browser knows how to interpret it. Malicious parties sometimes try to make the browser interpret a file as a different type than the server declared in order to extract information. If such a file contains a vulnerability, code or user data may be stolen. By implementing the value recommended by the Security Headers website, you prevent this.
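The check described under “Check which security headers are missing” can also be done offline against a copy of your site’s response headers. The following script is an added example, not code from the Security Headers website or from Savvii: it parses a raw header block (as shown by a browser’s network tab or by `curl -I`), reports which of the four headers above are missing, and flags values that are present but weak. The sample responses are constructed; the one-year HSTS `max-age` and the allowed `X-Frame-Options` values are the commonly recommended settings and are an assumption of this example, not values taken from the page.

```python
import re
from typing import Callable, Dict, List, Tuple

# One year in seconds: the HSTS max-age commonly recommended (assumption of this example).
ONE_YEAR = 31536000

# Values defined by the Referrer Policy specification.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Raw response header block -> {lowercase name: value}.
    The status line and lines without a colon are skipped; a repeated header keeps its last value."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value: str) -> Tuple[bool, str]:
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return False, "max-age directive is missing"
    if int(m.group(1)) < ONE_YEAR:
        return False, f"max-age {m.group(1)} is shorter than one year"
    return True, "ok"


def check_csp(value: str) -> Tuple[bool, str]:
    """Presence is the main win, but a policy whose script sources still allow inline
    scripts or any origin ('*') does little against injected code."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src or "*" in script_src:
        return False, "script sources allow inline or any-origin scripts"
    return True, "ok"


def check_frame_options(value: str) -> Tuple[bool, str]:
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return True, "ok"
    return False, f"unexpected value {value!r}; use DENY or SAMEORIGIN"


def check_content_type_options(value: str) -> Tuple[bool, str]:
    return (True, "ok") if value.lower() == "nosniff" else (False, "value must be nosniff")


def check_referrer_policy(value: str) -> Tuple[bool, str]:
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    unknown = [t for t in tokens if t not in REFERRER_POLICIES]
    if unknown:
        return False, f"unknown policy value(s): {', '.join(unknown)}"
    if "unsafe-url" in tokens:
        return False, "unsafe-url sends the full URL to every destination"
    return True, "ok"


# (display name, header names to look for, required?, value check)
CHECKS: List[Tuple[str, Tuple[str, ...], bool, Callable[[str], Tuple[bool, str]]]] = [
    ("Strict-Transport-Security", ("strict-transport-security",), True, check_hsts),
    ("Content-Security-Policy", ("content-security-policy",), True, check_csp),
    ("X-Frame-Options", ("x-frame-options",), True, check_frame_options),
    ("X-Content-Type-Options", ("x-content-type-options",), True, check_content_type_options),
    ("Referrer-Policy", ("referrer-policy",), False, check_referrer_policy),
    # Feature-Policy is checked for presence only; its successor name Permissions-Policy counts too.
    ("Feature-Policy", ("feature-policy", "permissions-policy"), False, lambda v: (True, "ok")),
]


def audit(raw: str) -> Dict[str, Tuple[str, str]]:
    """Return {display name: (status, note)}; status is 'ok', 'weak',
    'missing' (required header absent) or 'optional' (optional header absent)."""
    headers = parse_headers(raw)
    report: Dict[str, Tuple[str, str]] = {}
    for name, lookups, required, check in CHECKS:
        value = next((headers[h] for h in lookups if h in headers), None)
        if value is None:
            report[name] = ("missing" if required else "optional", "header not set")
            continue
        ok, note = check(value)
        report[name] = ("ok" if ok else "weak", note)
    return report


# Constructed sample responses; these are not real sites.
SAMPLE_BARE = "HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html; charset=UTF-8\n"
SAMPLE_WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
"""
SAMPLE_GOOD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
"""

if __name__ == "__main__":
    for label, raw in (("bare", SAMPLE_BARE), ("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(f"== {label} ==")
        for name, (status, note) in audit(raw).items():
            print(f"  {name:<26} {status:<9} {note}")
```

Paste the header block of your own site into `audit()` to get the same three-way verdict (missing, weak, ok) per header before you hand the values to a plugin or to your host.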

The following headers are optional:

Referrer-Policy

A referrer tells a web server which page a visitor came from, both when they arrive at your website and when they leave it. For example, if someone looks up your website on Google and clicks your link there, your server registers that the visitor came from Google.

The same happens in the other direction. If you put a link on your website that points to google.nl, Google’s server can see that the visitor came from your site when they click that link. If you process sensitive information, you may want to disable this. You can do so with the following rule:

Referrer-Policy: no-referrer

This value ensures that no referrer is sent with any visit. It is also the strictest setting for this header. If your website depends on this information, for example because the referrer is used to analyze visitor behavior, we do not recommend using this value.
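To make the difference between `no-referrer` and the other settings concrete, the following added example (not part of the original article) works out what a browser puts in the `Referer` header when a visitor follows a link from your site to another one. It goes beyond the page in covering all eight policy values defined by the Referrer Policy specification, not only `no-referrer`; the URLs `shop.example`, `partner.example` and the order page are constructed, and treating `strict-origin-when-cross-origin` as the browser default is an assumption of the example (it is the default in current browsers).

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) with the default port filled in, used for same-origin comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _host_port(url: str) -> str:
    scheme, host, port = _origin_parts(url)
    return host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"


def full_url(url: str) -> str:
    """The URL as a browser would send it in Referer: credentials and fragment removed."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path or "/", p.query, ""))


def origin_only(url: str) -> str:
    """Origin serialised the way the Referer header carries it: scheme://host[:port]/."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(url)}/"


def referrer_for(policy: str, from_url: str, to_url: str) -> Optional[str]:
    """Referer value sent when following a link from from_url to to_url under the given
    Referrer-Policy; None means the browser sends no Referer at all."""
    src, dst = _origin_parts(from_url), _origin_parts(to_url)
    same_origin = src == dst
    downgrade = src[0] == "https" and dst[0] == "http"  # TLS page linking to a plain-HTTP page
    policy = policy.strip().lower() or "strict-origin-when-cross-origin"  # assumed browser default
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url(from_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_url(from_url)
    if policy == "origin":
        return origin_only(from_url)
    if policy == "same-origin":
        return full_url(from_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return full_url(from_url) if same_origin else origin_only(from_url)
    if policy == "strict-origin":
        return None if downgrade else origin_only(from_url)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_url(from_url) if same_origin else origin_only(from_url)
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


if __name__ == "__main__":
    # Constructed scenario: a visitor on an order page of your shop clicks a link to google.nl.
    src = "https://shop.example/order?id=42"
    for policy in ("no-referrer", "strict-origin-when-cross-origin", "same-origin", "unsafe-url"):
        print(f"{policy:<32} -> {referrer_for(policy, src, 'https://www.google.nl/')}")
```

Only `no-referrer` and `same-origin` keep the origin of your site out of the request to google.nl; the browser default still reveals `https://shop.example/`, and `unsafe-url` leaks the full order URL including its query string.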

Feature-Policy

This optional security header is very comprehensive. It allows you to limit which browser features (for example camera, microphone or geolocation) your pages and any frames they embed may use; newer browsers know it under the name Permissions-Policy. Because the header is so extensive, we do not give specific advice for it. We recommend that you read the documentation for this header carefully before setting it up and configuring it.

Installing security headers

Security headers can be applied in two ways. We will discuss the possibilities here.

Implement using WordPress

It is important to verify that your headers are correct before implementing them in a security plugin. If you make a mistake while implementing them, your website may become inaccessible. We recommend that you first make a backup via our panel at admin.savvii.com. If something goes wrong, you can then restore the backup quickly and easily.

Implement using server rules

To prevent the headers from being overwritten during a WordPress or plugin update, it is best to have the headers added on the server. This ensures that the security header settings are not lost when the WordPress configuration is changed.

We can add the headers for your website. Please contact us via support@savvii.com. In your message, specify the security headers you want to implement, including all settings for each header, and indicate for which domain the headers should be set.
