How to Implement a WordPress Security Headers Plugin to Protect You WordPress Instalation - Wordpress Secure Headers Helper package blog

Recommend this page to a friend!
  All package blogs All package blogs   Wordpress Secure Headers Helper Wordpress Secure Headers Helper   Blog Wordpress Secure Headers Helper package blog   RSS 1.0 feed RSS 2.0 feed   Blog How to Implement a Wo...  
  Post a comment Post a comment   See comments See comments (1)   Trackbacks (0)  

Author:

Updated on: 2021-04-08

Posted on: 2021-04-01

Package: Wordpress Secure Headers Helper

The current Web standards define several means to help preventing security vulnerabilities that cause harm to Web site users.

Some of those means include using specific HTTP headers as part of the response of Web servers to browsers that access the Web sites.

Read this article to learn how you can improve the security of Web sites that use WordPress by creating your own plugins that send those HTTP headers meant to protect your Web site users against security exploits.




In this article you will learn about:

Introduction to Security Related HTTP Headers

What Are the Secure HTTP Headers You Should Use in Your WordPress

How to Send the Important HTTP Headers with WordPress Pages

How to Use a PHP Class to Organize Better the Secure HTTP Header Sending in WordPress

How to Download the Wordpress Secure Headers Helper or Install it with PHP Composer


Introduction to Security Related HTTP Headers

Many users and developers that make part of the WordPress community finally realized that having a SSL certificate gives us more than just a "lock" icon in the browser. Configuring Web server security can be more useful than just setting SSL certificates.

You may have heard about security related headers, things like X-Frame-Options or Expect-CT. But what are those headers? And what is the best way of configuring them?

To be brief, all of those headers allow us to establish rules for HTTP requests in way that it is possible to avoid specific types of attacks.

The X-Frame-Options header, for instance, provide clickjacking protection, while Strict-Transport-Security protects against main-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

What Are the Secure HTTP Headers You Should Use in Your WordPress

If your web site or application uses a SSL certificate, you should be using and configuring security headers that might be preventing your app from several types of attacks.

But before diving into the coding, let's recap what are those headers, and the reason for using each one of them. Here follows some information from the site: https://securityheaders.com/ .

X-Frame-OptionsX-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
X-Content-Type-OptionsX-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is X-Content-Type-Options: nosniff.
X-XSS-ProtectionX-XSS-Protection sets the configuration for the XSS Auditor built into older browsers. The recommended value was X-XSS-Protection: 1; mode=block but you should now look at Content Security Policy instead.
Referrer-PolicyReferrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Strict-Transport-SecurityHTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
Expect-CTExpect-CT allows a site to determine if they are ready for the upcoming Chrome requirements and/or enforce their CT policy.
Content-Security-PolicyContent Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Analyse this policy in more detail. You can sign up for a free account on Report URI to collect reports about problems on your site.

As we are mostly talking about WordPress here, some of those HTTP headers can be configured with obvious values. In other words, for some of those headers, values will be basically the same for almost any WordPress Web site or application.

So, if we are thinking about building a script for implementing them, part of the headers can be assumed as constant. With that in mind, let's move to the next step:  a class or library to set the basic headers automatically (for those usually constant) and configure the remaining.

How to Send the Important HTTP Headers with WordPress Pages 

The developers that want to extend WordPress capabilities can use two different types hooks for including or managing HTTP headers: the action send_headers and the filter wp_headers.

In theory, HTTP headers could be added and managed using any of these types hooks. However, we tend to use more on the action, rather than the filter.

The difference in the code that we need to use with each type of hook is simple. If you opt for the filter, that means you will need to use a function that passes one argument, the $headers array, add or modify the elements in that array and returns a new array as a result. You should also check if the current request is sent via HTTPS.

if (! empty($_SERVER['HTTPS'])) {
  function add_secure_header($headers) {
    $headers['strict-transport-security'] = 'max-age=31536000; includeSubDomains';
    return $headers;
  }

add_filter('wp_headers', 'add_secure_header');
}
PHP

The same effect can be achieved by using a WordPress action. However, it is not necessary for passing any arguments to the callback function. That function does not have a return value. In this case, the code would look like this:

if (! empty($_SERVER['HTTPS'])) {
  function add_secure_headers() {
    header( 'Strict-Transport-Security: max-age=10886400' );
  }
  add_action( 'send_headers', 'add_secure_headers' );
}
PHP

Easy, huh? Add all those headers and the respective values, hook your function using either the action or the filter and you are done. But could it be more automatic and, at the same time, use a better PHP code style?

How to Use a PHP Class to Organize Better the Secure HTTP Header Sending in WordPress

The idea is simple. We can use a class to add all obvious secure headers automatically, as well modify their values or add new headers.

I have implemented this approach like this. For the first part of our class, we add a variable that holds all headers and values and already brings some of them by default.

The class adds a hook to the WordPress send_headers action. The class has functions to set headers in addition to those already listed. It can also return a list of all headers using the variable $toApply.

class Headers {

    public $toApply = [
    	'X-Frame-Options' => 'SAMEORIGIN',
    	'X-Content-Type-Options' => 'nosniff',
    	'X-XSS-Protection' => '1; mode=block',
    	'Referrer-Policy' => 'no-referrer-when-downgrade',
    	'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    ];
    //...

    public function set(string $header, string $value) {
    	$this->toApply[$header] = $value;
    }

    public function list() {
    	return $this->toApply;
    }
}
PHP

This logic allows you to create a simple solution for adding HTTP headers to any Web site. The only thing you need is to copy this class or requiring it using Composer.

This class is to be updated in the future to allow a better configuration of the secure headers individually. Some improvements regarding cookies should be also implemented eventually.

Check the Github repo it worth looking at this approach, as those several lines and details can be set up in WordPress with no more than the code below.

use WPH\Security\Headers;

require __DIR__ . '/vendor/autoload.php';

$sec_headers = new Headers();
$sec_headers->set('Content-Security-Policy', 'connect-src "self"');

How to Download the Wordpress Secure Headers Helper or Install it with PHP Composer

This class can be download in compressed archive by going to the download page. It can also be installed using the PHP Composer tool by following the instructions in the installation page.




You need to be a registered user or login to post a comment

Login Immediately with your account on:

FacebookGmail
HotmailStackOverflow
GitHubYahoo


Comments:

1. Csp - Carlos Artur Curvelo da Matos (2021-04-08 01:20)
New versions... - 0 replies
Read the whole comment and replies



  Post a comment Post a comment   See comments See comments (1)   Trackbacks (0)  
  All package blogs All package blogs   Wordpress Secure Headers Helper Wordpress Secure Headers Helper   Blog Wordpress Secure Headers Helper package blog   RSS 1.0 feed RSS 2.0 feed   Blog How to Implement a Wo...  

For more information send a message to info at phpclasses dot org.