New security headers for Really Simple SSL pro coming up

SSL is an additional layer of security on your site. The current version of Really Simple SSL pro already adds HSTS and HSTS preload, which stop browsers from falling back to plain HTTP or from accepting a broken certificate, so an attacker on the network cannot serve your visitors a fake version of your website. But there are more ways to break into a site. To make that as hard as possible, a number of new security headers have been introduced in recent years.

We’re working hard on adding some of these new headers to Really Simple SSL pro. You can expect the following security headers in the next release:

Content Security Policy

With CSP you define from which domains (sources) a browser may load each kind of resource: scripts, styles, images, frames and so on. Anything not on the list is blocked, which also neutralises most scripts an attacker manages to inject into a page.

The new update will add a log in which the Content Security Policy reports its results. This uses the report-only mode of CSP (the Content-Security-Policy-Report-Only header with a report-uri): violations are reported to the site but nothing is blocked yet. Because of the modular nature of WordPress, the basic setup will have to allow third-party scripts and inline scripts. Third-party scripts that a stricter policy would block show up in the log, after which you can add them to your policy.
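The step from "violation log" to "policy" can be automated. The following is an added example, not Really Simple SSL code: it reads CSP violation reports as a browser POSTs them to a report-uri endpoint (one JSON object under the "csp-report" key per report), reduces each blocked URI to a CSP source expression, and appends the result to an existing policy. The reports and the base policy are constructed for the example. Inline and eval hits are deliberately not added automatically, because allowing 'unsafe-inline' or 'unsafe-eval' gives up most of what CSP buys against XSS; they are returned separately for a human to decide on.

```python
"""Turn CSP violation reports into candidate policy additions (added example)."""
import json
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample reports (not real traffic), in the JSON body a browser POSTs
# to the report-uri endpoint: one object under the "csp-report" key per request.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example-analytics.net/tag.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "effective-directive": "script-src",
        "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/about/",
        "effective-directive": "img-src",
        "blocked-uri": "https://img.example-cdn.com/logo.png"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example-analytics.net/other.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "violated-directive": "script-src 'self'",  # older browsers send only this field
        "blocked-uri": "data"}}),
]

# Constructed starting policy, the kind you would ship in report-only mode first.
BASE_POLICY = "default-src 'self'; script-src 'self'; img-src 'self'"

# blocked-uri values that are keywords rather than URLs. Inline/eval need a human
# decision; scheme-only values (e.g. data: URIs) become scheme sources.
NEEDS_REVIEW = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'"}
SCHEME_ONLY = {"data", "blob", "filesystem", "mediastream"}


def source_for(blocked_uri: str) -> str:
    """Reduce a blocked-uri to a CSP source expression: origin, scheme: or keyword."""
    if blocked_uri in NEEDS_REVIEW:
        return NEEDS_REVIEW[blocked_uri]
    if blocked_uri in SCHEME_ONLY:
        return blocked_uri + ":"
    parts = urlsplit(blocked_uri)
    if not parts.scheme or not parts.netloc:
        return ""  # unknown shape: skip rather than guess a source
    return f"{parts.scheme}://{parts.netloc}"  # origin only, never the full path


def directive_of(report: dict) -> str:
    """Prefer effective-directive; fall back to the first token of violated-directive."""
    eff = report.get("effective-directive")
    if eff:
        return eff
    return report.get("violated-directive", "").split(" ", 1)[0]


def aggregate(raw_reports: List[str]) -> Tuple[Dict[str, Set[str]], List[Tuple[str, str]]]:
    """Group blocked origins per directive; collect inline/eval hits for manual review."""
    additions: Dict[str, Set[str]] = {}
    review: List[Tuple[str, str]] = []
    for raw in raw_reports:
        report = json.loads(raw).get("csp-report", {})
        directive = directive_of(report)
        source = source_for(report.get("blocked-uri", ""))
        if not directive or not source:
            continue
        if source in NEEDS_REVIEW.values():
            if (directive, source) not in review:
                review.append((directive, source))
            continue
        additions.setdefault(directive, set()).add(source)
    return additions, review


def extend_policy(policy: str, additions: Dict[str, Set[str]]) -> str:
    """Append the collected sources to the matching directives of an existing policy."""
    out: List[str] = []
    seen: Set[str] = set()
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        seen.add(name)
        for extra in sorted(additions.get(name, ())):
            if extra not in sources:
                sources.append(extra)
        out.append(" ".join([name] + sources))
    for name in sorted(additions):  # directives the base policy did not have yet
        if name not in seen:
            out.append(" ".join([name] + sorted(additions[name])))
    return "; ".join(out)


if __name__ == "__main__":
    found, to_review = aggregate(SAMPLE_REPORTS)
    print(extend_policy(BASE_POLICY, found))
    print("needs review:", to_review)
```

Only the origin of a blocked URI is added, never the full path, so a CDN that serves your tag from several paths needs one entry. Reports from browser extensions and from pages with injected content also arrive at the endpoint, so the log is a shortlist to review, not something to apply blindly.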

X-Content-Type-Options

This header, whose only value is nosniff, tells the browser not to “guess” (MIME-sniff) what kind of data it received but to trust the Content-Type header the server sends. Without it, a browser may run a file that was uploaded as an image or document but actually contains HTML or script; with it, scripts and stylesheets are only executed or applied when they are served with the correct MIME type.

X-XSS-Protection

With the value 1; mode=block, this header tells browsers that have a built-in XSS filter to stop rendering a page when a reflected cross-site scripting (XSS) attack is detected. It should not be necessary when a strong Content Security Policy is in place, but on WordPress sites such a policy is often not possible, as we cannot be certain that a theme or plugin does not use inline scripts. That makes this header worth sending as a fallback. Note that the filter has since been removed from Chromium-based browsers and Edge, and Firefox never implemented it, so today the header only has an effect in older browsers.

X-Frame-Options

X-Frame-Options declares whether the page may be loaded in an iframe at all (DENY) or only by pages from the same origin (SAMEORIGIN). This prevents clickjacking, where your site is secretly embedded in an attacker’s page inside an invisible iframe and the visitor is tricked into clicking on it. The CSP directive frame-ancestors offers the same protection with finer control, but X-Frame-Options is still worth sending for older browsers.
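Checking whether a site actually sends the headers from the sections above is a small parsing job. The following is an added example, not Really Simple SSL code: it parses the header block of a raw HTTP response and returns a list of finding codes for HSTS, CSP, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. Both sample responses are constructed for the example; the first represents a partly hardened site, the second a site carrying the recommended headers. The check treats any X-XSS-Protection value other than 0 as a legacy finding, because the filter it controls has been removed from current browsers.

```python
"""Audit the security headers discussed in this post on a raw HTTP response (added example)."""
import re
from typing import Dict, List

# Constructed sample responses (not captured from a real site).
PARTIAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: NoSniff\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<!doctype html><title>demo</title>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # minimum HSTS max-age worth having (also the preload list minimum)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values; a header may occur more than once."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; -1 if the directive is missing."""
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else -1


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Return short finding codes; an empty list means every check passed."""
    findings: List[str] = []

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("hsts-missing")
    elif hsts_max_age(hsts[0]) < ONE_YEAR:
        findings.append("hsts-short-max-age")

    if "content-security-policy" not in headers:
        # Report-only is a useful first step but enforces nothing.
        if "content-security-policy-report-only" in headers:
            findings.append("csp-report-only")
        else:
            findings.append("csp-missing")

    # The nosniff token is matched case-insensitively by browsers.
    xcto = headers.get("x-content-type-options", [""])[0]
    if xcto.lower() != "nosniff":
        findings.append("nosniff-missing")

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings.append("xfo-missing")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOWALL is not a defined value and ALLOW-FROM is no longer honoured,
        # so the header is then a no-op.
        findings.append("xfo-invalid")

    xxp = headers.get("x-xss-protection")
    if xxp and xxp[0].strip() != "0":
        # The filter this header controls was removed from Chromium and Edge and never
        # shipped in Firefox; 0 is the only value that still does something useful.
        findings.append("xss-protection-legacy")

    return findings


if __name__ == "__main__":
    print("partial :", audit(parse_headers(PARTIAL_RESPONSE)))
    print("hardened:", audit(parse_headers(HARDENED_RESPONSE)))
```

The same function can be pointed at a live site by reading the header block from http.client or curl -sI; headers are parsed case-insensitively because servers and proxies vary in capitalisation.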

Expect-CT, Certificate Transparency

Certificate Transparency requires a Certificate Authority (the issuer of the SSL certificate) to record every certificate it issues in public, append-only CT logs. With these logs, incorrectly issued certificates can be detected quickly and fraudulent Certificate Authorities can be discovered faster. The Expect-CT header tells the browser to require proof of CT logging (Signed Certificate Timestamps) for your site’s certificate, and to report or refuse connections that lack it. Since browsers began requiring CT for all newly issued public certificates, the header has become redundant and has since been deprecated.

Public-Key-Pins

This security header (HTTP Public Key Pinning, HPKP) tells the browser to accept only certificates whose public key matches a pinned key, which prevents a fraudulent but otherwise valid SSL certificate from being accepted for your site. We won’t be adding this one, as it’s a pretty advanced one with many risks and possible issues: a wrong or outdated pin locks your own visitors out of your site for as long as the pin is cached. It has also been deprecated by Google, essentially killing this header in my opinion.

The internet will be relying on Certificate Transparency and Expect-CT instead of HPKP.
