Security for WordPress, headers, Strict-Transport-Security
/*
 * WordPress hardening headers — copy this into the theme's functions.php.
 * Hooked on send_headers (not wp_head) so the headers are still emitted
 * when the page body is served from cache.
 */
add_action('send_headers', static function (): void {
    // Header name => value, emitted in this order.
    $securityHeaders = [
        // HSTS: instruct the browser to use HTTPS for this host and its
        // subdomains for one year (31536000 s). Browsers only honour it on an
        // HTTPS response.
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        // Clickjacking: allow framing by same-origin pages only.
        'X-Frame-Options'           => 'SAMEORIGIN',
        // CSP: restrict every resource load to this origin.
        // NOTE(review): a bare default-src 'self' also blocks inline scripts
        // and styles — confirm the front end and wp-admin still render with
        // this policy before deploying.
        'Content-Security-Policy'   => "default-src 'self';", // FF 23+ Chrome 25+ Safari 7+ Opera 19+
        'X-Content-Security-Policy' => "default-src 'self';", // IE 10+ (legacy prefixed form)
        // Legacy reflected-XSS filter: block the page when an attack is suspected.
        // NOTE(review): current Chromium and Firefox no longer implement this
        // filter; keeping the header is a policy choice, not a protection.
        'X-XSS-Protection'          => '1; mode=block',
        // Stop browsers from sniffing a MIME type different from the declared one.
        'X-Content-Type-Options'    => 'nosniff',
        // Send the full referrer except on an HTTPS -> HTTP downgrade.
        'Referrer-Policy'           => 'no-referrer-when-downgrade',
    ];

    foreach ($securityHeaders as $headerName => $headerValue) {
        header("{$headerName}: {$headerValue}");
    }
}, 1);