Rating: 5 stars
It’s the best plug-in for setting security headers that I have found so far. Easy set-up, good explanations.
But what really stands out is the local reporting feature!
Thank you very much!
Rating: 5 stars
Easy to install and relatively easy to configure.
I only want to set CSP rules and it lets me do that easily; having the shortcuts for common rules such as Google Analytics etc. is useful.
The report-only feature is clear and easy to use when you are starting to add rules and need to gather a list of them.
If I had one feature request, it would be for the plugin to show an estimated header size. I sometimes trip header size limits on a server when I need to add a lot of rules. If it could detect the server limit and warn when getting close, that’d be nice.
All in all, a good plugin. I really don’t know why some people only gave it 1 star; I can only assume they made mistakes configuring it.
Rating: 5 stars
A+ on the headers scan, thank you for your work.
Rating: 5 stars
Thank you!
Rating: 1 star
There are a lot of mistakes in the generated Content-Security-Policy statement. It fails to insert the blob and data directives. It adds a semicolon and double quote at the end of the line that shouldn’t be there.
The only thing this plugin is really good for is the report page.
Rating: 1 star
The Content-Security-Policy directive ‘script-src’ contains ‘script-src’ as a source expression. Did you want to add it as a directive and forget a semicolon?
The Content-Security-Policy directive name ‘widget.gleamjs.io’ contains one or more invalid characters. Only ASCII alphanumeric characters or dashes ‘-‘ are allowed in directive names.
The Content-Security-Policy directive name ‘www.googletagservices.com’ contains one or more invalid characters. Only ASCII alphanumeric characters or dashes ‘-‘ are allowed in directive names.
etc etc etc
Rating: 5 stars
Thank you for creating this plugin, I have been looking for something like that. It comes with so many options that you can configure, so you really can address each need a website has.
Rating: 5 stars
For someone who is not a developer, the GD Security Headers (GPSH) plugin is truly a gift to WP users. It turns “Rocket Science” into just “Science 101”; it still needs a bit of knowledge of what you’re doing, but this makes it so much easier to tweak security headers. In particular, the option to only generate reports first for “Content-Security-Policy” before going live is how great plugins should be designed. I also love the fact that, if enabled, GPSH can write directly to the .htaccess file, and if a user prefers otherwise, they can disable that option and add the headers manually by way of the ‘Generated Headers’ button.
Now, I do have some feedback, but please bear in mind again that I’m no developer. As such, the things I write might make some of the senior WP users chuckle, but I’m just sharing what I think I understand.
1. GPSH writes to the .htaccess file that resides in the same folder where all the WP files are kept, meaning that if the WP installation is kept inside another folder, e.g. /public_html/WP/, the /public_html/WP/.htaccess file will be written to instead of /public_html/.htaccess. I don’t know if it changes anything, but I just thought I should share that some folks do move their WP installation to another folder.
2. Even though ‘Add: X-XSS-Protection’ has been enabled, a check on Mozilla Observatory came back with the error: “X-XSS-Protection header cannot be recognized”. However, I just want to add that it did come out OK when checked on Security Headers.
3. According to Security Headers, there also seems to be a new header called “Feature-Policy”. Is this something that’s already in GPSH? I can’t find it.
Also, first!