Additional Security Headers

There are always people who are interested in running things as securely as possible. Place this code in a file within the mu-plugins directory to ensure it fires as early as possible when loading the front end of the website. I have been able to get at least an A, if not an A+, rating on https://securityheaders.com/ using the following must-use plugin.

<?php

/*
Plugin Name: Additional Security Headers
Plugin URI: https://snippets.wpcms.ninja
Description: This adds additional security headers to the front end of the website that can help protect people browsing.
Author: billiardgreg
Author URI: https://wpcms.ninja
License: GPL2
*/

// Adds security headers to front-end responses via the wp_headers filter.
function wpcms_additionalsecurityheaders( $headers ) {
  if ( !is_admin() ) {
    $headers['Referrer-Policy']             = 'no-referrer-when-downgrade';
    $headers['X-Content-Type-Options']      = 'nosniff';
    // Legacy header; only older browsers act on it.
    $headers['X-XSS-Protection']            = '1; mode=block';
    // Permissions-Policy directives are separated by commas, not semicolons.
    $headers['Permissions-Policy']          = 'geolocation=(self "'.site_url().'"), microphone=(), camera=()';
    $headers['Content-Security-Policy']     = 'upgrade-insecure-requests;';
    // Browsers only honour HSTS when it arrives over HTTPS.
    $headers['Strict-Transport-Security']   = 'max-age=31536000; includeSubDomains';
    $headers['X-Frame-Options']             = 'SAMEORIGIN';
  }

  return $headers;
}
add_filter( 'wp_headers', 'wpcms_additionalsecurityheaders' );
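
To confirm the headers actually reach the browser (the filter only affects responses WordPress itself generates), the following added example, which is not part of the original snippet, audits a raw response header block for the seven headers set above. The function names and the sample response are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit raw response headers (stdin) for the seven headers
# the mu-plugin on this page sets. One finding per line; no output = pass.
# Live use (placeholder URL): curl -sI https://your-site.example/ | audit_headers
audit_headers() {
  tr -d '\r' | awk '
    # Split "Name: value" at the first colon; names are case-insensitive.
    /^[^ \t:]+:/ {
      i = index($0, ":")
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val)
      seen[tolower(substr($0, 1, i - 1))] = val
    }
    END {
      list = "referrer-policy x-content-type-options x-xss-protection "
      list = list "permissions-policy content-security-policy strict-transport-security x-frame-options"
      n = split(list, want, " ")
      for (k = 1; k <= n; k++)
        if (!(want[k] in seen)) print "missing: " want[k]
      # Permissions-Policy directives are comma-separated; flag a ";"
      # placed before the next directive or left trailing at the end.
      pp = tolower(seen["permissions-policy"])
      if (pp ~ /;[ \t]*[a-z-]+=\(/ || pp ~ /;[ \t]*$/)
        print "invalid: permissions-policy uses \";\" as a separator"
      # HSTS: flag a max-age below the one year (31536000 s) used on this page.
      hsts = tolower(seen["strict-transport-security"])
      if (match(hsts, /max-age=[0-9]+/)) {
        age = substr(hsts, RSTART + 8, RLENGTH - 8) + 0
        if (age < 31536000) print "weak: strict-transport-security max-age=" age
      }
    }'
}

# Constructed sample response (not captured from a real site).
sample_response() {
  cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer-when-downgrade
X-Content-Type-Options: nosniff
Permissions-Policy: geolocation=(self); microphone=(); camera=()
Strict-Transport-Security: max-age=86400; includeSubDomains
X-Frame-Options: SAMEORIGIN
EOF
}

sample_response | audit_headers
```
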

 


Posted on

April 27, 2021
