Opening the Security Headers settings
Click on the website’s “More actions” menu, and then click on “Security Headers”.
Security Headers options
Here you will have several options to fine-tune:
- Referrer Policy: This controls how much referrer information should be included with requests. We recommend the “Send, but if the origin isn’t the same send just the origin (HTTPS only)” option. You can read more about why we recommend it here.
- Content Type Options: This is used to indicate that the MIME types advertised in Content-Type headers should be followed and not be changed. We recommend the option “Prevent content type sniffing“.
- XSS Protection: This is a feature that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. We recommend to leave it as “Browser default“.
- Content Security Policy: This is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. We recommend the option HTTPS + inline + eval option for general WordPress usage (clicking on the link below the field will automatically fill the correct information for you), but we encourage more savvy users to dig into this option following MDN’s tutorial by clicking here. Be careful with this option and always test it throughoutly, as an incorrect setting can render your website unusable.
- Frame Options: This controls whether your website can be embedded, and if it can be embedded by a particular website. We recommend you the SAMEORIGIN option to only allow your own website to embed itself (clicking on the link below the field will automatically fill the correct information for you). If you want more control, read more about the Frame Options header here.
- Permissions Policy: This allows you to control which functionality can and cannot be used on a web site. By default, everything is permitted. We usually just Disable FLoC tracking, which is why it is the only suggestion (clicking on the link below the field will automatically fill the correct information for you). If you know what functionalities of your website are going to be used and which ones you don’t want to ever permit, you can read more about this header here. Be careful with this option and always test it throughoutly, as an incorrect setting can render your website unusable.
- HSTS: This allows you to specify if you want your website to always load the secure HTTPS version of it. If you are using HTTPS already, we recommend you to enable it with the suggested HSTS Preload list complaint link (clicking on the link below the field will automatically fill the correct information for you). After that, you can go here to propose your website to be included in the HSTS Preload list of major browsers, to ensure they load the HTTPS version of your website by default. Do not use this header if you want your website to be accessible through HTTP, or if it’s only accessible through HTTP, since browsers will refuse to open the page.