I’ve updated the WordPress Security headers plugin.
Added support for Referrer-Policy headers.
Some contributions from third parties, including one that renamed the plugin “Security Headers” in the plugins list, as there were two plugins listed as “HTTP Headers”.
There is a request to add Content Security Policies, any ideas on the best approach to making this vaguely useable to normal people, or people with lots of plugins, welcome on that support request.
Please report bugs or place feature requests on the support page.
Hello, Simon. I have previously used your plugin, and found it easy to use and stable, but wanted a bit more (sorry!) in exactly the areas (CSP, especially) that you are mulling over now.
With CSP, a non-techie like me would love to press one ‘analyser’ button and get a suggested basic CSP which could be applied straight away. I would also love strict HTTP-to-HTTPS redirects and secure flags on all cookies. HPKP, in my experience, is one thing that it is probably unfair to expect to ‘come out of a box.’ I would definitely pay for a plugin which delivered all or most of those.
Thanks George,
I agree a magic CSP button would be nice. However it is quite challenging as a feature to do well, and I would rather not do it, than do it badly.
The real benefits from CSP come from not having inline scripts and styles. If you allow these (and by default WordPress uses them, so they would have to be allowed), then the main win is making it harder to use off-the-shelf attack tools like BeEF. It is probably possible to write inline JavaScript that does bad things to WordPress, such as adding an admin user or editing the PHP, and policies allowing such JavaScript are of limited value.
Also, some of the plugins for CSP out there don’t address the admin interface correctly, and this is the place it is most needed; it is also the messiest place to do a CSP.
I have found a few XSS issues in big WordPress plugins (including one from Automattic), so I know what I want to stop, and I haven’t figured out how to do that for WordPress.
One could imagine some sort of big repository of hashes of good JavaScript for WordPress, but it would need to be updated for each release, and each plugin release, and that would be a mammoth undertaking. It may be easier to rewrite WordPress in a more modern fashion.
Redirects and cookie flags are much more achievable, although by default WordPress does the right thing with session cookies, and using Strict Transport Security will protect the other cookies and do the redirects (although they might still be useful for minority browsers, and crawlers).
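The reply above explains why a hash-based CSP for WordPress is fragile: every inline script must be whitelisted by the hash of its exact text, and any release that changes that text changes the hash. The following is an added illustration, not code from the Security Headers plugin or from WordPress. It scans a constructed HTML fragment for inline scripts, computes the `'sha256-…'` source expressions a `script-src` directive would need, and shows that a one-character change to a script (a trailing space) is enough for the policy to stop matching it. `SAMPLE_HTML` and all function names are this example's own.

```python
"""Hash-based CSP for inline scripts: an added worked example (not the plugin's code)."""
import base64
import hashlib
import re
from typing import List, Tuple

# Constructed sample of the kind of page WordPress emits: one external script
# and two inline scripts. Not taken from any real theme or plugin.
SAMPLE_HTML = """<html><head>
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script>window.wpEmoji = {"baseUrl":"https://s.w.org/images/"};</script>
</head><body>
<script type="text/javascript">
document.body.className = document.body.className.replace('no-js', 'js');
</script>
</body></html>"""

# Matches <script ...>body</script>; captures the attribute string and the body.
_SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def extract_inline_scripts(html: str) -> List[str]:
    """Return the bodies of inline <script> elements (those without a src= attribute)."""
    bodies = []
    for attrs, body in _SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue  # external script: governed by host/path sources, not by a hash
        bodies.append(body)
    return bodies


def csp_hash(script_body: str) -> str:
    """CSP source expression for an inline script: SHA-256 over its exact UTF-8 bytes.

    Leading/trailing newlines and indentation are part of the element's text
    content and therefore part of the hash; browsers compare byte-for-byte.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(hashes: List[str], self_allowed: bool = True) -> str:
    """Compose a script-src directive from 'self' plus the allowed hash list."""
    sources = ["'self'"] if self_allowed else []
    sources.extend(sorted(set(hashes)))
    return "script-src " + " ".join(sources)


def script_allowed(policy: str, script_body: str) -> bool:
    """Would this inline script run under the given script-src directive?"""
    return csp_hash(script_body) in policy.split()


def policy_for_page(html: str) -> Tuple[str, List[str]]:
    """Hash every inline script on the page and build the matching directive."""
    hashes = [csp_hash(body) for body in extract_inline_scripts(html)]
    return build_script_src(hashes), hashes


if __name__ == "__main__":
    directive, hashes = policy_for_page(SAMPLE_HTML)
    print("Content-Security-Policy:", directive)
    original = extract_inline_scripts(SAMPLE_HTML)[0]
    print("original script allowed:", script_allowed(directive, original))
    # The same script with one trailing space: a different hash, so it is blocked.
    print("whitespace-changed script allowed:", script_allowed(directive, original + " "))
```

Two points this makes concrete. First, once a hash or nonce appears in `script-src`, browsers that implement CSP Level 2 ignore `'unsafe-inline'` in that directive, so a hash list is a real restriction rather than a decoration. Second, hashes cover only `<script>` element bodies; inline event handler attributes such as `onclick` are not matched by them (CSP Level 3 adds `'unsafe-hashes'` for that case), and WordPress core and plugins routinely emit both. Regenerating the list for every core, theme and plugin update is the maintenance burden the reply describes.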