• Resolved Rodrigo Macedo

    (@unionforwebdesigner)


    Howdy,

    I’m having a problem with the site recommendations that appear when I’m Scanning the Website at – Website Details.

    The following recommendations appear to me:

    
    Security Header: X-XSS-Protection Missing
    We did not find the recommended security header for XSS Protection on your site. 
    https://kb.sucuri.net/warnings/hardening/headers-x-xss-protection
    
    
    Security Header: X-Frame-Options
    We did not find the recommended security header for ClickJacking Protection on your site. 
    https://kb.sucuri.net/warnings/hardening/headers-x-frame-clickjackin
    
    
    Security Header: X-Content-Type nosniff
    We did not find the recommended security header to prevent Content Type sniffing on your site. 
    https://kb.sucuri.net/warnings/hardening/headers-x-content-type
    

    However I have already added the following directives to the .htaccess file for the above recommendations:

    
    <IfModule mod_headers.c>
      Header set X-XSS-Protection "1; mode=block"
      Header always append X-Frame-Options SAMEORIGIN
      Header set X-Content-Type-Options nosniff
    </IfModule>
    

    This started to happen when I changed the PHP version of my domain, before I was using version 5.4 and it did not appear, because as I said above, it had already been solved/repaired by adding the above mentioned directives to the .htaccess file.

    However when applying version 5.5 or later these recommendations appear again, what could be going wrong?

    I am currently using the PHP 7 version.

    Thank you in advance,
    Best regards.

Viewing 3 replies - 1 through 3 (of 3 total)
  • It is possible that your web server is missing the “headers” module. Since you wrapped the instructions into a conditional that checks if the module is available, I can only assume that the module is either not installed or is disabled.

    You can also add these HTTP headers directly from your PHP file, for example, at the top of the “index.php” before any other instruction, as you can see in the example below. However, be aware that modifying the core WordPress files is discouraged, so if you are going to insert these headers from your PHP project rather than the Apache access control file, I suggest you do it using a custom plugin.

    <?php
    
    header('X-XSS-Protection: 1; mode=block');
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    
    /* rest of the code below */
    Thread Starter Rodrigo Macedo

    (@unionforwebdesigner)

    Much like you said, modifying the WordPress files would not be cool, so I’d like to do this correctly. In this case how should I proceed?

    Should I tell my Server or Hosting Provider?

    Thank you in advance for your attention,
    Kind regards.

    As I mentioned before, you can also create a custom plugin to insert these security headers into your website; you don’t need to contact your hosting provider to do that. Here, I went ahead and created the plugin for you: copy and paste this code into a new file — /wp-content/plugins/security-headers.php — activate it from the plugins’ page and you are done.

    <?php
    
    /**
     * Plugin Name: Security Headers
     * Description: The plugin attaches additional security headers to the website.
     * Plugin URI: https://wiki.mozilla.org/Security/Guidelines/Web_Security/
     * Author: Anonymous Inc.
     * Version: 0.0.1
     */
    
    if (!headers_sent()) {
        header('X-XSS-Protection: 1; mode=block');
        header('X-Frame-Options: SAMEORIGIN');
        header('X-Content-Type-Options: nosniff');
    }

    You can verify that the headers have been set by sending a HEAD request to your website like this — curl -I "https://website.test/"
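    The curl check above only shows the raw headers; the following script, an added example that is not from the thread or the Sucuri plugin, parses a header block in the form `curl -I` prints it and reports, for the three headers the scanner asks about, whether each one is missing, carries conflicting values (which a browser may ignore, and which can happen when `Header append` stacks a value) or matches the recommended value. The response text is a constructed sample, not captured from any real site.

```python
# Constructed sample of response headers, in the form `curl -I` prints them
# (not captured from any real site): one header is fine, one carries two
# conflicting values and one is absent.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN, DENY\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Values accepted for the three headers the scanner warns about (upper-cased).
EXPECTED = {
    "x-xss-protection": {"1; MODE=BLOCK"},
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-content-type-options": {"NOSNIFF"},
}


def parse_headers(raw: str) -> dict:
    """Parse a raw header block into {lower-name: [value, ...]}, keeping repeats."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_security_headers(raw: str) -> dict:
    """Return {header: 'ok' | 'missing' | 'conflicting values: ...' | 'unexpected: ...'}."""
    headers = parse_headers(raw)
    findings = {}
    for name, allowed in EXPECTED.items():
        # Split comma-joined values too, since Apache's `append` merges them that way.
        values = [v.strip() for raw_value in headers.get(name, [])
                  for v in raw_value.split(",") if v.strip()]
        distinct = list(dict.fromkeys(v.upper() for v in values))
        if not distinct:
            findings[name] = "missing"
        elif len(distinct) > 1:
            findings[name] = "conflicting values: " + ", ".join(distinct)
        else:
            findings[name] = "ok" if distinct[0] in allowed else "unexpected: " + values[0]
    return findings


if __name__ == "__main__":
    for header, finding in check_security_headers(SAMPLE_RESPONSE).items():
        print(f"{header}: {finding}")
```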

  • The topic ‘Problems with recommendations for the site’ is closed to new replies.