Security Headers Documentation
Comprehensive guide to security headers and their recommended configurations
Content Security Policy (CSP)
Purpose: Prevents cross-site scripting (XSS) attacks by controlling which resources can be loaded and executed.
How it works: Defines a whitelist of trusted sources for scripts, styles, images, and other resources.
Security Impact: High - Critical for preventing XSS attacks and data injection.
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self' https:;
connect-src 'self' https:;
frame-ancestors 'none';
X-Frame-Options
Purpose: Prevents clickjacking attacks by controlling whether your site can be embedded in iframes.
How it works: Tells browsers whether to allow your page to be displayed in a frame, iframe, embed, or object.
Security Impact: High - Protects against clickjacking and UI redressing attacks.
DENY
or
SAMEORIGIN
or
ALLOW-FROM https://trusted-site.com
X-Content-Type-Options
Purpose: Prevents MIME type sniffing attacks by forcing browsers to respect the declared content type.
How it works: Stops browsers from trying to guess the MIME type of a file, which can lead to security vulnerabilities.
Security Impact: Medium - Prevents MIME confusion attacks and content sniffing.
nosniff
X-XSS-Protection
Purpose: Enables browser's built-in XSS protection (though CSP is more effective).
How it works: Tells the browser to block the page if it detects a reflected XSS attack.
Security Impact: Medium - Provides additional layer of XSS protection for older browsers.
Note: Modern browsers are deprecating this in favor of CSP, but it's still useful for older browsers.
1; mode=block
Referrer-Policy
Purpose: Controls how much referrer information is included with requests.
How it works: Determines what information is sent in the Referer header when users navigate from your site.
Security Impact: Medium - Protects user privacy and prevents information leakage.
strict-origin-when-cross-origin
or
no-referrer-when-downgrade
or
strict-origin
Strict-Transport-Security (HSTS)
Purpose: Forces browsers to use HTTPS instead of HTTP for future requests.
How it works: Tells browsers to only connect to your site using HTTPS for a specified period.
Security Impact: High - Prevents man-in-the-middle attacks and protocol downgrade attacks.
Warning: Once enabled, it cannot be easily disabled. Test thoroughly before deployment.
max-age=31536000; includeSubDomains; preload
Permissions-Policy
Purpose: Controls which browser features and APIs can be used on your site.
How it works: Restricts access to sensitive browser features like geolocation, camera, microphone, etc.
Security Impact: High - Prevents unauthorized access to device features and improves privacy.
geolocation=(),
microphone=(),
camera=(),
payment=(),
usb=(),
magnetometer=(),
gyroscope=(),
accelerometer=()
Feature-Policy (Deprecated)
Purpose: Legacy header for controlling browser features (replaced by Permissions-Policy).
How it works: Similar to Permissions-Policy but with older syntax.
Security Impact: Medium - Still functional but being phased out.
Note: This header is deprecated. Use Permissions-Policy instead.
geolocation 'none';
microphone 'none';
camera 'none'
Additional Security Headers
Cache-Control
Purpose: Controls caching behavior to prevent sensitive data from being cached.
Recommended: no-store, no-cache, must-revalidate, max-age=0
Pragma
Purpose: Legacy HTTP/1.0 cache control header.
Recommended: no-cache
Expires
Purpose: Sets expiration date for cached content.
Recommended: 0 (for sensitive pages)
Clear-Site-Data
Purpose: Clears browser data when user logs out.
Recommended: "cache", "cookies", "storage"
Implementation Guide
For Apache (.htaccess):
# Security Headers
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self' https:; frame-ancestors 'none';"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"
Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
Header always set Pragma "no-cache"For Nginx:
# Security Headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self' https:; frame-ancestors 'none';" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()" always;
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
add_header Pragma "no-cache" always;For PHP:
<?php
// Security Headers
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self' https:; frame-ancestors 'none';");
header("X-Frame-Options: DENY");
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
header("Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()");
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Pragma: no-cache");
?>Testing Your Security Headers
Use these tools to test your security headers implementation:
- Security Headers: https://securityheaders.com
- Mozilla Observatory: https://observatory.mozilla.org
- SSL Labs: https://www.ssllabs.com/ssltest/
- Our Analyzer: Use this tool to check your own website's security headers!
Network Information
Purpose: Provides details about the server's network location, hosting provider, and geographical information.
What it shows: IP address, country, city, ISP, organization, and hosting details.
Security Impact: Helps identify where your website is hosted and assess potential security implications based on location and provider.
- IP Address: Unique server identifier
- ASN: Network operator identifier
- Country/City: Geographical location
- ISP: Internet service provider
- Organization: IP address owner
Domain Information
Purpose: Shows domain registration details including registrar, creation date, expiration date, and domain status.
What it shows: Registrar information, domain age, expiration dates, status, and name servers.
Security Impact: Helps assess domain legitimacy and potential security concerns based on registration details.
- Registrar: Domain management company
- Created: Domain registration date
- Expires: Domain expiration date
- Status: Current domain status
- Name Servers: DNS configuration
DNS Records
Purpose: DNS records control how your domain name resolves to IP addresses.
What it shows: A records (IPv4), CNAME records (aliases), MX records (email), and other DNS configurations.
Security Impact: Proper DNS configuration is essential for website availability and security. Misconfigured DNS can lead to downtime or security vulnerabilities.
- A Records: IPv4 address mapping
- CNAME: Domain aliases
- MX Records: Email server routing
- TXT Records: Text information
SSL/TLS Security
Purpose: Shows SSL certificate details, encryption protocols, and security validation.
What it shows: Certificate type, issuer, validity dates, encryption protocols, and expiration warnings.
Security Impact: SSL certificates encrypt data between browser and server, protecting sensitive information from interception.
- TLS Version: Encryption protocol
- Certificate Type: DV, OV, or EV
- Issuer: Certificate authority
- Valid Dates: Certificate lifespan
- Expiration: Renewal requirements
WordPress Security Analysis
Purpose: Performs WordPress-specific security tests to identify common vulnerabilities and misconfigurations.
What it tests: XMLRPC vulnerabilities, login page protection, user enumeration, and WordPress-specific security issues.
Security Impact: These tests check for issues unique to WordPress installations and help protect against targeted attacks.
- XMLRPC Test: Endpoint vulnerabilities
- WP-Login Test: Login protection
- User Enumeration: Exposed user info
- CAPTCHA Detection: Anti-bot protection
XMLRPC.php Security Test
What is XMLRPC.php?
XMLRPC.php is a WordPress file that provides an XML-RPC interface for remote access to your WordPress site. It allows external applications to interact with your WordPress installation programmatically.
Security Risks
- Brute Force Attacks: Attackers can use XMLRPC to attempt thousands of login attempts in a single request
- DDoS Amplification: XMLRPC can be used to amplify DDoS attacks against other websites
- Information Disclosure: Can reveal system information and user details
- Remote Code Execution: Vulnerable versions can allow code execution
Best Practices
- Disable XMLRPC: If you don't need remote access, disable it completely
- Use Security Plugins: Install plugins like Wordfence or Sucuri to monitor and block suspicious XMLRPC requests
- Rate Limiting: Implement rate limiting for XMLRPC endpoints
- IP Whitelisting: Restrict XMLRPC access to trusted IP addresses only
- Keep WordPress Updated: Always use the latest WordPress version to patch vulnerabilities
Add to .htaccess:
# Block XMLRPC
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>Or use a plugin:
- • Disable XML-RPC
- • XMLRPC Security
- • WP Security
WP-Login.php Security Test
What is wp-login.php?
wp-login.php is the default WordPress login page that handles user authentication. It's the primary entry point for accessing the WordPress admin dashboard.
Security Risks
- Brute Force Attacks: Attackers can attempt thousands of password combinations
- Username Enumeration: Attackers can discover valid usernames
- Credential Stuffing: Using leaked passwords from other sites
- Bot Attacks: Automated bots can overwhelm your login page
- Account Lockout: Can lock legitimate users out of their accounts
Best Practices
- Implement CAPTCHA: Use reCAPTCHA or similar to prevent bot attacks
- Two-Factor Authentication (2FA): Require a second form of verification
- Strong Password Policy: Enforce complex passwords
- Login Attempt Limits: Limit failed login attempts
- IP Whitelisting: Restrict access to specific IP addresses
- Custom Login URL: Change the default login URL
- HTTPS Only: Force SSL for login pages
2FA Options:
- • Google Authenticator
- • SMS Verification
- • Email Verification
- • Hardware Keys
CAPTCHA Types:
- • Google reCAPTCHA
- • hCaptcha
- • Simple Math
- • Image Verification
User Enumeration Test
What is WordPress REST API?
WordPress REST API is a built-in feature that allows external applications to interact with your WordPress site. It provides endpoints for accessing posts, pages, users, and other content programmatically.
Security Risks
- Username Discovery: Attackers can easily discover valid usernames
- Brute Force Preparation: Known usernames make password attacks more effective
- Information Disclosure: Can reveal user details and site structure
- Targeted Attacks: Attackers can focus on specific users
- Social Engineering: Usernames can be used for phishing attacks
Best Practices
- Disable User Endpoints: Remove or restrict access to user-related REST API endpoints
- Use Security Plugins: Install plugins that protect against user enumeration
- Custom User Slugs: Use custom author URLs instead of usernames
- Rate Limiting: Implement rate limiting for API requests
- Authentication Required: Require authentication for sensitive endpoints
- Hide Author Information: Remove author information from posts and pages
- Use Pseudonyms: Use display names instead of usernames
Code Solutions:
// Disable user endpoints
add_filter('rest_endpoints', function($endpoints) {
if (isset($endpoints['/wp/v2/users'])) {
unset($endpoints['/wp/v2/users']);
}
return $endpoints;
});Plugin Options:
- • Disable REST API
- • WP Security
- • All In One WP Security
Blocklisting Status
Purpose: Checks if the domain appears on security blocklists and reputation databases.
What it checks: Google Safe Browsing, VirusTotal, and other security databases for malicious activity.
Security Impact: Being blocklisted can indicate malicious activity, spam, or security issues that affect website accessibility and trust.
- Google Safe Browsing: Malware/phishing detection
- VirusTotal: Multi-engine scanning
- AbuseIPDB: IP reputation
- Other Services: Additional databases
HTTP Headers
Purpose: Shows HTTP response headers and status codes from the server.
What it shows: Response status, server information, and security protections like WAF and CDN services.
Security Impact: Headers provide information about the server, response status, and can reveal security protections like WAF (Web Application Firewall) and CDN services.
- Status Code: HTTP response status
- Server: Server type/version
- WAF Detection: Security protection
- CDN Detection: Content delivery