GD Security Headers

Description

Configure various security-related HTTP headers, including Content Security Policy, Feature Policy, Referrer Policy and more. For CSP and XSS plugin supports report logging with 2 additional database tables to store reports from browsers.

The plugin has support for following HTTP headers:

  • Content Security Policy (CSP) – with reporting
  • XSS Protection (XXP) – with reporting
  • Feature Policy
  • Content Type – No Sniff Policy
  • Strict Transport Security
  • Referrer Policy
  • Frame Options

For CSP, the plugin allows you to set rules for all currently supported directives, additional settings including setting the policy in Report or Live mode. The plugin also includes special extensions that can automatically fill CSP rules for popular Google services you might be using on your website (Fonts, Maps, Adsense, Analytics and more) and other populare services (Gravatar, Vimeo and more).

And, for Feature Policy, the plugin allows you to set rules for all currently supported features.

The plugin can add all the generated headers into HTACCESS file (for Apache web servers), and they will be applied to all files, not just WordPress generated content. If your website is not using Apache (or .HTACCESS), all rules are generated with each page request and will work with any server type.

And, if you don’t use Apache web server, plugin has a panel where it displays generated headers for most popular servers: Apache, Nginx and IIS, and you can copy generated headers to add to server configuration files.

Screenshots

  • Plugin Dashboard
  • CSP Reports
  • Various Headers settings
  • XSS Protection settings
  • Content Security Policy settings
  • Global settings
  • Generated security headers
  • Tools
  • HTACCESS with security headers

Installation

General Requirements

  • PHP: 5.6 or newer

PHP Notice

  • Plugin doesn’t work with PHP 5.5 or older versions.

WordPress Requirements

  • WordPress: 4.9 or newer

WordPress Notice

  • Plugin doesn’t work with WordPress 4.6 or older versions.

Basic Installation

  • Plugin folder in the WordPress plugins folder must be gd-security-headers.
  • Upload gd-security-headers folder to the /wp-content/plugins/ directory.
  • Activate the plugin through the ‘Plugins’ menu in WordPress.

FAQ

Does plugin works with WordPress MultiSite installations?

Yes. In Multisite installation, the plugin is available for configuration on the Network level, and headers are configured for all sites in the network at once.

Where can I configure the plugin?

The plugin has own top-level item in the WordPress admin side menu: GD Security Headers. This will open a panel with global plugin settings. In Multisite installation, plugin panel is in the Network administration.

Can I translate the plugin to my language?

Yes. The POT file is provided as a base for translation. Translation files should go into Languages directory.

Reviews

October 21, 2019
For someone who is not a developer, GD Security Headers (GPSH) plugin is truly a gift to WP users. It turns "Rocket Science" into just "Science 101"; still needs a bit of knowledge of what you're doing but this makes it so much easier to tweak security headers. Particularly, that option to only generate reports first for "Content-Security-Policy" before going live is how great plugins should be designed. Also love the fact that if enabled, the GPSH can write directly to the .htaccess file, and if a user prefers otherwise, they can also choose to disable that option to manually add by way of the 'Generated Headers' button. Now, I do have some feedbacks though but please bear in mind again I'm no developer. As such, the things I write might make some of the senior WP users chuckle but I'm just sharing what I think I understand. 1. GPSH writes to the .htaccess file that resides in the same folder where all WP files are kept, meaning if the WP installation is kept inside another folder i.e. /public_html/WP/, the /public_html/WP/.htaccess file will be written to instead of /public_html/.htaccess. Don't know if it changes anything but just thought I should share that some folks do move their WP installation to another folder. 2. Even though 'Add: X-XSS-Protection' has been enabled, a check on Mozilla Observatory came back with the error: "X-XSS-Protection header cannot be recognized". However, just want to add that it did come out ok when checked on Security Headers. 3. According to Security Headers, there also seems to be a new header called "Feature-Policy". Is this something that's already in GPSH? I can't find it. Also, First! 🙂
Read all 0 reviews

Contributors & Developers

“GD Security Headers” is open source software. The following people have contributed to this plugin.

Contributors

Translate “GD Security Headers” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.4 (2020.10.05)

  • New: csp addon: generate predefined rules for one or more CDN’s
  • New: csp addon: predefined rules list for WordPress.org
  • New: csp addon: support for ‘prefetch-src’ directive
  • New: feature policy addon: support for updated ‘permission-policy’ version
  • New: feature policy addon: expanded list of policies that can be included
  • Edit: csp addon: improved settings organization showing CSP rule levels
  • Edit: feature policy addon: included support information for some policies
  • Edit: d4pLib 2.8.13
  • Fix: csp addon: problem with generating the rules with ‘all’ basic value
  • Fix: feature policy addon: few minor issues with building rules

1.3 (2020.05.08)

  • Edit: csp addon: expanded some of the google based preset rules
  • Edit: d4pLib 2.8.8
  • Fix: x-frame policy: invalid headers generated when not using .htaccess
  • Fix: strict-transport-security policy: invalid headers generated when not using .htaccess
  • Fix: referer policy: invalid headers generated when not using .htaccess
  • Fix: feature policy: problem printing empty policy header

1.2 (2019.12.05)

  • New: support for feature policy header
  • New: csp addon: predefined rules list for Google YouTube
  • New: csp addon: predefined rules list for Google Tag Manager
  • New: csp addon: predefined rules list for Gravatar
  • New: csp addon: predefined rules list for Gleam
  • New: csp addon: predefined rules list for Vimeo
  • New: csp addon: auto generated rules for some special data sources
  • Edit: csp addon: expanded some of the google based preset rules
  • Edit: csp addon: various improvements in the generator
  • Edit: d4pLib 2.8.2

1.1.1 (2019.08.15)

  • Edit: d4pLib 2.7.6
  • Fix: problem with saving the plugin settings in some cases

1.1 (2019.05.11)

  • New: panel with generated headers for various servers
  • New: headers panel: for apache servers
  • New: headers panel: for nginx servers
  • New: headers panel: for iis servers
  • New: new method for building the HTACCESS headers
  • Edit: improved additional headers object
  • Edit: updated rules for google analytics
  • Edit: do not run when WordPress runs CRON
  • Edit: removed some unused code and strings

1.0 (2019.03.21)

  • First plugin version