Sensible HTTP Security Headers Plugin for Woocommerce and WordPress
Looking for an easy and hassle-free way to add essential security headers to your WordPress website without sacrificing performance? Look no further than our “Sensible HTTP Security Headers” plugin! Only $99.00/year. Cancel any time!
$99.00 / year
Our plugin is designed to work out-of-the-box, requiring no configuration or technical expertise. It is extremely lightweight, and it will not hinder the performance of your website in any way. Simply install and activate the plugin, and your website will be protected by a range of security headers, including X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, and Strict-Transport-Security. These headers can help prevent a wide range of security vulnerabilities, including cross-site scripting (XSS) attacks and man-in-the-middle attacks.
With our plugin, you can easily improve the security posture of your website by automatically adding HTTP security headers to your website, without any technical knowledge or expertise, and without sacrificing the performance of your website:
- Protect your website from Clickjacking attacks
- Prevent Cross-Site Scripting (XSS) and other code injection attacks
- Prevent MIME-Sniffing attacks
- Enforce secure connections (HTTPS) on your website
- Control the permissions a website can request for various features
- Define a whitelist of allowed sources for different types of content
Don't leave your website vulnerable to attacks - install our HTTP Security Headers plugin today and give yourself peace of mind knowing that your website is protected by industry-standard security measures, out-of-the-box, no configuration needed, and without sacrificing performance.
Our plugin works out of the box and sets the following directives:
- X-Frame-Options: sameorigin
- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- Referrer-Policy: no-referrer-when-downgrade
- Permissions-Policy: geolocation=(), microphone=(), camera=()
- Content-Security-Policy: upgrade-insecure-requests
- Strict-Transport-Security: max-age=31536000
Here is a detailed description of each directive:
- X-Frame-Options: The X-Frame-Options header is used to prevent clickjacking attacks by controlling whether a page can be rendered within a frame or iframe. The value "sameorigin" tells the browser that the page can only be rendered in a frame if the frame is on the same origin as the page. This helps prevent an attacker from creating a malicious page that uses an iframe to embed your page, and tricking users into interacting with it.
- X-XSS-Protection: The X-XSS-Protection header is used to enable the browser's built-in XSS (cross-site scripting) protection. The value "1; mode=block" tells the browser to enable XSS protection and block the page if an XSS attack is detected. This can help prevent an attacker from injecting malicious scripts into your pages and stealing user data.
- X-Content-Type-Options: The X-Content-Type-Options header is used to prevent MIME-sniffing attacks. The value "nosniff" tells the browser to disable MIME-sniffing and only execute the type of file specified by the server. This can help prevent an attacker from tricking the browser into executing a malicious file by disguising it as a different type of file.
- Referrer-Policy: The Referrer-Policy header controls the information that is sent in the Referer header when a user navigates from one page to another. The value "no-referrer-when-downgrade" tells the browser to send no referrer information when navigating from a secure (https) page to an insecure (http) page. This can help prevent an attacker from learning more about the structure of your site by analyzing the referral headers.
- Permissions-Policy: The Permissions-Policy header controls the permissions a website can request for various features, such as geolocation, microphone, camera, and more. The values geolocation=(), microphone=(), camera=() deny access to the geolocation, microphone and camera by default. This can help prevent an attacker from using features of the website to gain sensitive information.
Content-Security-Policy: The Content-Security-Policy header is used to define a whitelist of allowed sources for different types of content, such as scripts, images, and stylesheets. The value "upgrade-insecure-requests" tells the browser to upgrade all insecure (http) requests to secure (https) requests. This can help protect your website from certain types of man-in-the-middle attacks by ensuring that all network traffic is transmitted over a secure connection.
- Strict-Transport-Security: The Strict-Transport-Security (STS) header is used to enforce secure connections (HTTPS) on a website. The value "max-age=31536000" tells the browser to only connect to the website using HTTPS and remember this preference for one year. This can help prevent an attacker from intercepting network traffic and stealing sensitive information.