“There is no such thing as perfect security, only varying levels of insecurity.” – Salman Rushdie
A multi-part series by John Ball, Phillip Kuzma, and Ted Nass on web server security.
Security headers are part of HTTP header responses from servers to browsers that request website content. Wikipedia defines HTTP headers as:
“HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.”
Security headers (HTTPS Headers, HTTP Secure Headers) give specific instructions to browsers on how to load content from websites and are an easy-to-implement solution for mitigating known vulnerabilities in HTTP requests. Plus, if implemented correctly, you’ll get good marks on your security reports. 😉
https://SecurityHeaders.io is a great website/tool for scanning your server: it reports which security headers your web server presents when a browser requests a connection, and the status of each one.
For example, the SecurityHeaders.io site ranks https://www.johndball.com with an “A+” as of this posting. More details can be seen here: https://securityheaders.io/?q=https%3A%2F%2Fwww.johndball.com%2F
For this particular site, I set some of the headers on the server back end and on the Cloudflare front end. Others I set directly in WordPress using the “WP Content Security Policy Plugin”. In an ideal environment, these settings would be set server-side in the native server application and on the Cloudflare front end, but a balance between ease of implementation and management was found (for me) using these options. A breakdown of the settings for this particular site (with clickable links for more info) is:
- HSTS – Set Server Side – Set Front End Side
- X-Frame-Options – Set Server Side
- Content Security Policy – Set Server Side w/Plugin
- X-Content-Type-Options – Set Server Side
- X-XSS-Protection – Set Server Side w/Plugin
- Referrer-Policy – Set Server Side w/Plugin
- Expect-CT – Server Side w/Plugin – Set Front End Side
As you can see, I tried to at least enable every option server-side using Apache options, then layered on Cloudflare protection, and as a stop-gap used a plugin to fill in the gaps. For the WP Content Security Policy Plugin settings, we used:
- CSP control tab – “CSP Mode” – “Enforce policies”
- Content Security Policies tab – “Mixed Content” – “Upgrade Insecure Requests”
- Headers tab – “Expect-CT” – Mode – “Enforce Expect CT” – Maximum Age – “One Hour”
- Headers tab – “X-XSS-Protection” – Mode – “1: mode=block”
- Headers tab – “Referrer-Policy” – Mode – “strict-origin”
Validate your results using the Security Headers website.
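A local check of the seven headers listed above, added here as an example that is not part of the original post and is not the SecurityHeaders.io scanner: given a response's headers as a dict, it reports which headers are missing or weakly set. The thresholds, accepted values and the sample response are this example's own assumptions.

```python
import re
# Thresholds and accepted values here are this example's own assumptions,
# not the grading rules of SecurityHeaders.io.
MIN_HSTS_AGE = 15552000  # six months, in seconds
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def _max_age(value):
    """Pull the integer max-age out of a header value, or None if absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

# (header, test on its value, reason reported when the test fails)
RULES = [
    ("Strict-Transport-Security", lambda v: (_max_age(v) or 0) >= MIN_HSTS_AGE,
     "max-age below %d seconds" % MIN_HSTS_AGE),
    ("X-Frame-Options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"), "expected DENY or SAMEORIGIN"),
    ("Content-Security-Policy", lambda v: bool(v), "empty policy"),
    ("X-Content-Type-Options", lambda v: v.lower() == "nosniff", "expected nosniff"),
    # Legacy browser filter header; the post's plugin sets it to "1; mode=block".
    ("X-XSS-Protection", lambda v: re.sub(r"\s+", "", v.lower()) == "1;mode=block", "expected 1; mode=block"),
    ("Referrer-Policy", lambda v: v.lower() in SAFE_REFERRER, "policy may leak the full URL"),
    ("Expect-CT", lambda v: _max_age(v) is not None and "enforce" in v.lower(), "needs max-age and enforce"),
]

def audit_headers(headers):
    """Map each header the post enables to 'ok', 'missing', or the reason it is weak."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    for name, test, reason in RULES:
        value = lowered.get(name.lower())
        if value is None:
            findings[name] = "missing"
        else:
            findings[name] = "ok" if test(value) else reason
    return findings

# Constructed sample mirroring the settings listed in the post; not a real capture.
SAMPLE_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin",
    "Expect-CT": "max-age=3600, enforce",
}
if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE_RESPONSE).items():
        print("%-28s %s" % (name, finding))
```

Run it against the headers you capture from your own server (for example from your browser's network panel) before and after changing the Apache, Cloudflare or plugin settings.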
I hope you take some time to check your web server security headers and improve your internet presence.
Resources used in this post:
- Certificate Transparency Checker
- WP Content Security Policy Plugin