WP Security Header (applied to LiteSpeed)

Adrien

Hello,

Nowadays security headers are automated by the webhost, ex: Kinsta. RunCloud does it too and handles HSTS as well from the CP. I don't know if Enhance will include a way to manage security headers from the dashboard.

Test your domain using: https://securityheaders.com/

If you want to implement a security header, there are many ways to do so and at diff layers:

App level: Ex with WP: inserting it in your htaccess file or in your functions php or even creating a plugin
Server level: Ex with LiteSpeed by editing a virtual host or creating a virtual host template and applying it to whatever VH you want. Or if using NginX in nginx.conf
Once Enhance launches Immunify360 maybe there would be a way to do that but not certain because I'm not familiar with immunify360
At the CDN level: Ex with CF using Workers

I have chosen the app. level route through .htaccess. Why? Because if you're not hosting only WP sites it is impossible to have a universal security header for all applications. Ex: CSP (content-security-policy highly depends on how your application works and there's def not one policy fit all). I'm also using LSE which handles .htaccess.

Why not at the CDN level using CloudFlare for instance? I tried but realized that:

it just applies when traffic is routed through Cloudflare, if unproxied or you once want to switch CDN you lose your security headers.
if someone calls your page and resolved your domain directly to your origin IP all the security features do not apply.
you are depending on Cloudflare
you don’t use any free Cloudflare rules for things that are solvable differently/better

I'm still learning LSE web server so I can't bring anything yet on that topic but if you know something useful that could help, please share :-)

Applied to WordPress here's a good security header (+ other security measures included) I've found compatible with WP 6.3 and FSE. It won't break your WP site or the backend. It contains a loose CSP just for the sake of passing the test (https://securityheaders.com/). Paste this at the top of your WP .htaccess file and you should be good to go.

### BEGIN WP 6.3 Security - AUGUST 2023 - LSE

## Automatic 301 redirect to https

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

## Additional security headers

<ifModule mod_headers.c>

# X Frame Options
Header always set X-Frame-Options "SAMEORIGIN"

# X XSS-Protection (deprecated)
Header set X-XSS-Protection "0"

#  X Content-Type-Options
Header set X-Content-Type-Options "nosniff"

# X Permitted Cross Domain Policies
Header set X-Permitted-Cross-Domain-Policies "none"

# X-Powered-By and Server
Header unset X-Powered-By
Header unset Server

# Enable Strict Transport Security
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS 

# Referrer Policy 
Header set Referrer-Policy "strict-origin-when-cross-origin"

## Advanced policies - basic implementation

# Feature Policy (rudimentary policies supported by most browsers)
Header set Feature-Policy "microphone 'none'; camera 'none'"

# Permissions Policy (rudimentary policies supported by chrome and FF)
Header set Permissions-Policy "autoplay=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), midi=(self), payment=(self)"

# Content Security Policy (CSP - quite lax WP 6.3 compatible policies)
Header set Content-Security-Policy "default-src 'self'; object-src 'none'; script-src 'self' https: data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https:; style-src 'self' https: 'unsafe-inline'; font-src 'self' data: https:; img-src 'self' blob: data: https:; frame-src 'self' https: blob:;"

</IfModule>

## ForceSecureCookie (LiteSpeed Set Cookie HTTPOnly Secure alternative)
<IfModule LiteSpeed>
	ForceSecureCookie same_site_strict
</IfModule>

### END Improved Site Security August 2023

PS: I am in no way a security expert, a devOps or a technical expert. All I share here is what I found on the Web and that I am using on my own WP site. Therefore, if you have more experience on that topic I'd be happy to read and learn from you.

ss88us

Here is mine which get's me an A+, mine is on Apache:

<IfModule mod_headers.c>
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set Content-Security-Policy "upgrade-insecure-requests"
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header set Permissions-Policy "accelerometer=(), autoplay=(self), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), xr-spatial-tracking=()"
    Header always unset X-Powered-By
    Header unset X-Powered-By
</IfModule>

Andreas

ss88us Mine looks identical to this. I just removed the preload"
I noticed if SSL expires, you can not access the website anymore until the SSL is renewed.

Vasco

ss88us
I'm trying to set mine in LS and needing some guidance. I'm reading the one you set and having some questions.

Header always unset X-Powered-By
 Header unset X-Powered-By

Shouldn't be only one?
I see some arguments in Permissions-Policy have () and reading through the web this seems to be a kind of "none". As an example, will camera=() mean no camera is permited in any context?

Thanks

digitalexpanse

@Adrien you really shouldn't even allow direct traffic to the server. We've drop anything not coming from Cloudflare by default, any reason your not?

Adrien

digitalexpanse Oh I actually never thought of doing that. Does that mean no website will work unless the client enables CF integration?

necrom

All good practice, it'd be nice to make HSTS easier.

A few things to be careful of I came across recently relating to www preferences:

http://domain.ext redirecting to https://www.domain.ext/ is not valid, http://domain.ext should either a) upgrade first to httpS://domain.ext and only then redirect to https://www.domain.ext/ or b) redirect first to http://www.domain.ext/ and then upgrade to httpS://www.domain.ext
Sending a HSTS header containing preload on a sub-domain may result in the domain not being added to the preload list.

We identified these through testing with https://hstspreload.org/ and I'm not sure https://securityheaders.com highlights this (I fixed the problems with all the ones I found so wasn't able to test).

Vasco

Thank you Adrien, your post was really helpful. Also running a LSE and applied the code at .htaccess.

Changed this to remove the Feature-Policy (deprecated)

# Permissions Policy (rudimentary policies supported by chrome and FF)
Header set Permissions-Policy "autoplay=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), midi=(self), payment=(self), microphone=(), camera=()"

Deleted this one to remove a duplication warning.

# Enable Strict Transport Security ###
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
```

ss88us

Vasco This is a mistake on my part, either/or will work. always unset will always unset this header.

Regarding the permissions policy, that is correct. If it's set to empty on the page (), then the website will not be allowed to use the camera.

Vasco

ss88us Great! Understanding a little better with your explanation. I'll go for the
Header always unset X-Powered-By since I can't forsee any benefit in making this public.

ronald

How do you do this for your clients/websites when running on NGINX and no support for .htaccess?

Preferably, at least some of these, could be set at the server level. Is this possible somehow?

Earlier before I moved to Enhance I configured this in the vhost configuration in LiteSpeed. I am not using LiteSpeed in my stack right now, and going back doesnt eliminate the task of manually add this to every site..

adham

Hey, I'm trying to add this to my .htaccess but It's not working. Only worked when I added this as a plugin.

How can I make it work thru .htaccess, please?

Thank you

gozen

adham Which server you use?

slimx

I personally do this using my CDNs (bunny and cloudflare). The only part I gave up applying was content-security-policy. It's just so god damn annoying.

Either the Google MAP doesn't work, or the client has some weird plugin they've installed and that fails. Or something breaks in an update etc.

ivansalloum

slimx The Content Security Policy should be implemented after you finish making your website, so you have an idea of what is getting loaded on your site. You can’t have a general CSP that applies to all websites.