I’ve long been meaning to update the settings on my blog to improve my rating on the fantastic https://securityheaders.io website. It was created by Scott Helme and grades a site on the security-related HTTP response headers it sends (or fails to send), which makes it a quick way to spot cheap wins.
First off let me show you the initial report – it is the source of many tears…
Yep, an F. Not exactly great, but now is the time to start amending these settings and I will try to cover some of the work in this post. Please be mindful, if you intend to use this as a reference, that every website is unique; my setup and hosting platform may be radically different from your own, so this is not intended as a walkthrough, merely a point of reference for myself and insight for others. I’ll cover the various headers in no particular order and suggest you check out Scott’s article for further information – https://scotthelme.co.uk/hardening-your-http-response-headers/
I’m looking for the end of my .htaccess file so I can add the following after “# END WordPress” to enable the ‘nosniff’ content type option, which stops browsers second-guessing the declared Content-Type and rendering, say, an uploaded file as HTML – Header set X-Content-Type-Options nosniff

# END WordPress
Header set X-Content-Type-Options nosniff
Next I will add the following header, which stops the site being framed by other origins (clickjacking) – Header append X-Frame-Options “SameOrigin”

# END WordPress
Header set X-Content-Type-Options nosniff
Header append X-Frame-Options "SameOrigin"

One caveat with append: if anything else in the stack (a plugin, a parent config) already sets X-Frame-Options, Apache merges the two into a comma-separated value such as DENY, SAMEORIGIN, which is not a valid value and which browsers do not handle consistently. Header set replaces whatever is there and is the safer choice; the RFC spells the value SAMEORIGIN.
Now it’s time to take care of the XSS filter – Header set X-XSS-Protection “1; mode=block”

# END WordPress
Header set X-Content-Type-Options nosniff
Header append X-Frame-Options "SameOrigin"
Header set X-XSS-Protection "1; mode=block"

This only switches on the reflected-XSS filter built into older browsers and tells it to block the page rather than attempt a rewrite; it is no substitute for output encoding and a Content Security Policy, and current browsers have since removed the filter altogether.
HTTP Strict Transport Security – HSTS

Now I’m going to set up my HSTS policy – Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”

The always condition matters here: without it mod_headers only adds the header to successful (2xx) responses, so redirects and error pages would go out without it. For consistency I use always set for the other headers too; set replaces any existing value rather than appending to it. Two things to be aware of before sending this: browsers only honour HSTS on responses received over HTTPS, and includeSubDomains commits every subdomain to HTTPS for a year, so make sure all of them serve valid certificates first and consider a short max-age while testing.

# END WordPress
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
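As an added example, not part of the original post or its .htaccess, here is a small Python script that renders the four headers above as mod_headers directives and audits a raw header dump (the shape of curl -sI output) against the same policy, roughly what securityheaders.io does for these headers. The three response samples are constructed for the illustration; the last one shows what a Header append collision with a value set elsewhere looks like on the wire (a comma-merged X-Frame-Options), which the audit flags rather than passes.

```python
"""Audit an HTTP response header dump for the hardening headers set above.

Example code added for this post; not part of the original .htaccess work.
Run stand-alone: python3 header_audit.py
"""
import re

# The header values used in the .htaccess above. X-XSS-Protection is kept for
# parity with the post even though current browsers ignore it.
POLICY = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
MIN_HSTS_AGE = 31536000  # one year, as in the post's policy


def htaccess_directives(policy=POLICY):
    """Render mod_headers directives for the policy.

    'always' makes Apache add the header to redirects and error pages as well
    as 2xx responses; 'set' replaces any value already present, never appends.
    """
    return "\n".join(f'Header always set {name} "{value}"' for name, value in policy.items())


def parse_headers(raw):
    """Parse a raw header block into {name.lower(): [values]}.

    The status line and blank lines carry no colon and are skipped; repeated
    headers are kept as separate values so duplicates can be detected.
    """
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_ok(value, min_age=MIN_HSTS_AGE, need_subdomains=True):
    """True if max-age is at least min_age and includeSubDomains is present when required."""
    directives = {d.strip().lower() for d in value.split(";") if d.strip()}
    age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            age = int(m.group(1))
    if age is None or age < min_age:
        return False
    return not need_subdomains or "includesubdomains" in directives


def audit(raw, policy=POLICY):
    """Return a list of findings; an empty list means the dump satisfies the policy."""
    headers = parse_headers(raw)
    findings = []
    for name, wanted in policy.items():
        values = headers.get(name.lower(), [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1 or "," in values[0]:
            # Two copies, or one copy with a comma-merged value: the signature of
            # `Header append` colliding with a value set elsewhere in the stack.
            findings.append(f"{name}: conflicting values {values}")
        elif name == "Strict-Transport-Security" and not hsts_ok(values[0]):
            findings.append(f"{name}: weak policy {values[0]!r}")
        elif name == "X-Frame-Options" and values[0].upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"{name}: unrecognised value {values[0]!r}")
        elif name not in ("Strict-Transport-Security", "X-Frame-Options") and values[0].lower() != wanted.lower():
            findings.append(f"{name}: got {values[0]!r}, wanted {wanted!r}")
    return findings


# Constructed samples in the shape of `curl -sI https://example.com/` output.
BEFORE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""
AFTER = BEFORE + """X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""
# What `Header append` yields when another layer already sent DENY (constructed).
APPEND_CLASH = AFTER.replace("X-Frame-Options: SAMEORIGIN", "X-Frame-Options: DENY, SAMEORIGIN")

if __name__ == "__main__":
    print(htaccess_directives())
    for label, dump in (("before", BEFORE), ("after", AFTER), ("append clash", APPEND_CLASH)):
        print(f"{label}: {audit(dump) or 'all headers present and acceptable'}")
```

Point it at a real site by piping curl -sI output into audit(); the HSTS check deliberately accepts a longer max-age or extra directives such as preload, but rejects anything shorter than the policy's year.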
Content Security Policy
The easiest way I found to configure my CSP was to use the tools on https://report-uri.io which is another site created by Scott – I’m actually going to spend more time tinkering with my policy so I won’t drop the code here as it will likely change quite a bit over the next few weeks. A safe way to tinker is to ship the draft as Content-Security-Policy-Report-Only first: browsers report violations to the report-uri without blocking anything, so you can see what a policy would break before enforcing it.
Time to check the results again!
You may notice that I have not configured the public key pinning option – this is something I am going to action soon and will update this post on completion, hopefully having finished my CSP policy as well.