Ben Rabicoff

Adding Secure HTTP Response Headers in WordPress

WordPress powers over 27 percent of the entire internet, so it’s no surprise that websites using WordPress are a common target for hackers. While the WordPress Security Team does a fantastic job staying on top of vulnerabilities, there are numerous other precautions that can be taken. One example is secure HTTP response headers.

What Are HTTP Response Headers?

When you access a website, the browser makes a request to a web server. The server then responds to the request, and that response carries “response headers”. These headers pass information such as cache-control, content-encoding, content-type, connection, date, etc.

Adding secure HTTP response headers provides an additional layer of security by helping to mitigate attacks and security vulnerabilities. These headers can be added at the server level in Apache, NGINX, and others. The issue is that access to those server configuration files is often restricted by the hosting company, or editing them is beyond a person’s technical comfort zone.

On this site, I’m adding the secure headers via the WordPress functions.php file as follows:

add_action('send_headers', function(){
    // Enforce the use of HTTPS
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
    // Prevent Clickjacking
    header("X-Frame-Options: SAMEORIGIN");
    // Prevent XSS Attack
    header("Content-Security-Policy: default-src 'self';"); // FF 23+ Chrome 25+ Safari 7+ Opera 19+
    header("X-Content-Security-Policy: default-src 'self';"); // IE 10+
    // Block Access If XSS Attack Is Suspected
    header("X-XSS-Protection: 1; mode=block");
    // Prevent MIME-Type Sniffing
    header("X-Content-Type-Options: nosniff");
    // Referrer Policy
    header("Referrer-Policy: no-referrer-when-downgrade");
}, 1);

Though I’m still using these headers, I’ve since moved to Hugo from WordPress.

At a very basic level, here is what each of these headers does:

I chose to use send_headers instead of wp_headers to ensure that it was loaded even if added after the page was cached.
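As an added example (not code from the original post), here is a small Python audit script that checks a captured response, such as the output of `curl -I`, for the headers the snippet above sets (the legacy X-Content-Security-Policy prefix aside) and reports any that are missing or weaker than the values used in functions.php; the sample response it parses is constructed.

```python
import re

# Expected values mirror the functions.php snippet; ONE_YEAR is the HSTS max-age it sets.
ONE_YEAR = 31536000

def parse_headers(raw: str) -> dict:
    """Turn a raw response header block (as `curl -I` prints it) into {lowercase-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the HTTP status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(headers: dict) -> dict:
    """Return {header-name: problem} for each header that is missing or weaker than the snippet sets."""
    findings = {}
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings["Strict-Transport-Security"] = "missing"
    elif int(match.group(1)) < ONE_YEAR:
        findings["Strict-Transport-Security"] = f"max-age {match.group(1)} is shorter than one year"
    elif "includesubdomains" not in hsts.lower():
        findings["Strict-Transport-Security"] = "includeSubDomains not set"
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "missing or not DENY/SAMEORIGIN"
    if "content-security-policy" not in headers:
        findings["Content-Security-Policy"] = "missing"
    if headers.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings["X-XSS-Protection"] = "missing or not '1; mode=block'"
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing or not nosniff"
    if "referrer-policy" not in headers:
        findings["Referrer-Policy"] = "missing"
    return findings

# Constructed sample response: a site that set only some of the headers, with a weak HSTS max-age.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for header, problem in audit_headers(parse_headers(SAMPLE_RESPONSE)).items():
        print(f"{header}: {problem}")
```

Running it against the constructed sample flags the short HSTS max-age and the three headers the sample never set, which is the same gap you would see on SecurityHeaders.io for that server.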

If you want to dig in a bit deeper and learn more, SecurityHeaders.io is a great place to start.