WP Security Header (applied to LiteSpeed)

ss88us

Here is mine which get's me an A+, mine is on Apache:

<IfModule mod_headers.c>
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set Content-Security-Policy "upgrade-insecure-requests"
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header set Permissions-Policy "accelerometer=(), autoplay=(self), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), xr-spatial-tracking=()"
    Header always unset X-Powered-By
    Header unset X-Powered-By
</IfModule>

Andreas

ss88us Mine looks identical to this. I just removed the preload"
I noticed if SSL expires, you can not access the website anymore until the SSL is renewed.

Vasco

ss88us
I'm trying to set mine in LS and needing some guidance. I'm reading the one you set and having some questions.

Header always unset X-Powered-By
 Header unset X-Powered-By

Shouldn't be only one?
I see some arguments in Permissions-Policy have () and reading through the web this seems to be a kind of "none". As an example, will camera=() mean no camera is permited in any context?

Thanks

digitalexpanse

@Adrien you really shouldn't even allow direct traffic to the server. We've drop anything not coming from Cloudflare by default, any reason your not?

Adrien

digitalexpanse Oh I actually never thought of doing that. Does that mean no website will work unless the client enables CF integration?

necrom

All good practice, it'd be nice to make HSTS easier.

A few things to be careful of I came across recently relating to www preferences:

http://domain.ext redirecting to https://www.domain.ext/ is not valid, http://domain.ext should either a) upgrade first to httpS://domain.ext and only then redirect to https://www.domain.ext/ or b) redirect first to http://www.domain.ext/ and then upgrade to httpS://www.domain.ext
Sending a HSTS header containing preload on a sub-domain may result in the domain not being added to the preload list.

We identified these through testing with https://hstspreload.org/ and I'm not sure https://securityheaders.com highlights this (I fixed the problems with all the ones I found so wasn't able to test).

Vasco

Thank you Adrien, your post was really helpful. Also running a LSE and applied the code at .htaccess.

Changed this to remove the Feature-Policy (deprecated)

# Permissions Policy (rudimentary policies supported by chrome and FF)
Header set Permissions-Policy "autoplay=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), midi=(self), payment=(self), microphone=(), camera=()"

Deleted this one to remove a duplication warning.

# Enable Strict Transport Security ###
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
```

ss88us

Vasco This is a mistake on my part, either/or will work. always unset will always unset this header.

Regarding the permissions policy, that is correct. If it's set to empty on the page (), then the website will not be allowed to use the camera.

Vasco

ss88us Great! Understanding a little better with your explanation. I'll go for the
Header always unset X-Powered-By since I can't forsee any benefit in making this public.

ronald

How do you do this for your clients/websites when running on NGINX and no support for .htaccess?

Preferably, at least some of these, could be set at the server level. Is this possible somehow?

Earlier before I moved to Enhance I configured this in the vhost configuration in LiteSpeed. I am not using LiteSpeed in my stack right now, and going back doesnt eliminate the task of manually add this to every site..

adham

Hey, I'm trying to add this to my .htaccess but It's not working. Only worked when I added this as a plugin.

How can I make it work thru .htaccess, please?

Thank you

gozen

adham Which server you use?

slimx

I personally do this using my CDNs (bunny and cloudflare). The only part I gave up applying was content-security-policy. It's just so god damn annoying.

Either the Google MAP doesn't work, or the client has some weird plugin they've installed and that fails. Or something breaks in an update etc.

ivansalloum

slimx The Content Security Policy should be implemented after you finish making your website, so you have an idea of what is getting loaded on your site. You can’t have a general CSP that applies to all websites.