I’ve updated the WordPress Security headers plugin.
Added support for Referrer-Policy headers.
Some contributions from third parties, including one that renamed the plugin “Security Headers” in the plugins list, as there were two plugins listed as “HTTP Headers”.
There is a request to add Content Security Policies. Any ideas on the best approach to making this vaguely usable to normal people, or to people with lots of plugins, are welcome on that support request.
Please report bugs or place feature requests on the support page.
Hello, Simon. I have previously used your plugin, and found it easy to use and stable, but wanted a bit more (sorry!) in exactly the areas – CSP especially – that you are mulling over now.
With CSP, a non-techie like me would love to press one ‘analyser’ button and get a suggested basic CSP which could be applied straight away. I would also love strict HTTP-to-HTTPS redirects and secure flags on all cookies. HPKP, in my experience, is one thing that it is probably unfair to expect to ‘come out of a box.’ I would definitely pay for a plugin which delivered all or most of those.
I agree a magic CSP button would be nice. However it is quite challenging as a feature to do well, and I would rather not do it, than do it badly.
Also, some of the plugins for CSP out there don’t address the admin interface correctly, and this is the place it is most needed; it is also the messiest place to do a CSP.
I have found a few XSS issues in big WordPress plugins (including one from Automattic), so I know what I want to stop, and I haven’t figured out how to do that for WordPress.
Redirects and cookie flags are much more achievable, although by default WordPress does the right thing with session cookies, and using Strict Transport Security will protect the other cookies and do the redirects (although explicit redirects and flags might still be useful for minority browsers and crawlers).
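To make the last comment concrete, here is an added example (not the Security Headers plugin's own code, nor anything from the thread) of what the "achievable" parts look like as a small WordPress must-use plugin: it sends Strict-Transport-Security and Referrer-Policy, issues a 301 from plain HTTP to HTTPS, and forces the secure flag on WordPress's auth and logged-in cookies. It assumes the site is already served over HTTPS at the domain root and that `is_ssl()` reports correctly (behind a TLS-terminating proxy that needs `X-Forwarded-Proto` handling in `wp-config.php`, otherwise the redirect loops). The hook names (`send_headers`, `admin_init`, `secure_auth_cookie`, `secure_logged_in_cookie`) are real WordPress hooks; the function names are mine.

```php
<?php
/*
 * Constructed example: wp-content/mu-plugins/strict-transport-example.php
 * Not the Security Headers plugin's code. Assumes the site is served over
 * HTTPS at the domain root and that is_ssl() is accurate for this deployment.
 */

// Send the two headers on both front-end (send_headers) and admin (admin_init)
// requests. HSTS is only meaningful on an HTTPS response, so it is gated on is_ssl().
function example_send_transport_headers() {
    if ( headers_sent() ) {
        return; // Too late to add headers; nothing useful to do here.
    }
    if ( is_ssl() ) {
        // One year, covering subdomains. Start with a short max-age on a new site
        // and raise it once every subdomain is known to work over HTTPS.
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    // Full referrer to same-origin, origin only when crossing sites, nothing on downgrade.
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
}
add_action( 'send_headers', 'example_send_transport_headers' );
add_action( 'admin_init', 'example_send_transport_headers' );

// Redirect plain-HTTP requests to the HTTPS equivalent. HSTS makes browsers that
// have seen the header skip this step; the redirect covers first visits, crawlers
// and clients that ignore HSTS. Priority 1 so it runs before plugins emit output.
function example_redirect_to_https() {
    if ( is_ssl() || php_sapi_name() === 'cli' ) {
        return;
    }
    $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $host        = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
    // wp_safe_redirect() refuses hosts that are not the site's own, so an
    // attacker-supplied Host header cannot turn this into an open redirect.
    wp_safe_redirect( 'https://' . $host . $request_uri, 301 );
    exit;
}
add_action( 'init', 'example_redirect_to_https', 1 );

// Force the secure flag on the auth and logged-in cookies regardless of how the
// current request arrived. Only safe once every login path is HTTPS; over plain
// HTTP the browser would never send these cookies back and logins would fail.
add_filter( 'secure_auth_cookie', '__return_true' );
add_filter( 'secure_logged_in_cookie', '__return_true' );
```

After installing, check a front-end page and an admin page with an HTTP client that shows response headers (for example `curl -I https://example.com/` and `curl -I http://example.com/`): the HTTPS response should carry both headers, and the HTTP response should be a 301 to the HTTPS URL with no `Strict-Transport-Security` header, since browsers discard HSTS received over HTTP anyway.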