
Security headers in Really Simple SSL pro

Security headers are an additional layer of security on top of SSL. The current version of Really Simple SSL pro already adds HSTS and HSTS preload, which stop an attacker on the network from serving your visitors a fake, unencrypted version of your website. But there are more ways to break into a site. To make that as hard as possible, a number of new headers have been added recently.

The following security headers have now been added to Really Simple SSL pro:

X-Content-Type-Options

Required knowledge level: none. Recommended.

This header (value: nosniff) tells the browser to trust the Content-Type the server declares and not to “guess” the type from the content itself. Without it, a file served as one type (a text or image upload, say) can be sniffed and interpreted as something else, such as an HTML page with script, so a visitor who thinks they are fetching an innocent file ends up executing script in the context of your site.

X-XSS-Protection

Required knowledge level: none. Recommended.

Tells browsers with a built-in reflected-XSS filter to stop loading a page when a reflected cross-site scripting (XSS) attack is detected. It should generally not be necessary when a strong Content Security Policy is in place, but on WordPress sites a strict policy is often not possible, as we cannot be certain that no theme or plugin uses inline scripts, which makes this header a reasonable thing to send. Be aware that current versions of Chrome and Edge have removed their XSS filter and Firefox never implemented one, so this header only helps users of older browsers; a Content Security Policy is the real protection.

X-Frame-Options

Required knowledge level: medium. Recommended.

X-Frame-Options declares whether the page may be loaded in an iframe: DENY forbids it everywhere, SAMEORIGIN allows it only on pages of your own site. This prevents clickjacking, where an attacker secretly embeds your site in an iframe on their own page and tricks the visitor into clicking on it. Be aware that enabling this header prevents other sites from showing your site in an iframe, so check first whether you rely on being embedded elsewhere.

Expect-CT, Certificate Transparency

Required knowledge level: none. Recommended.

Certificate Authorities (the issuers of SSL certificates) are expected to record every certificate they issue in public, append-only Certificate Transparency (CT) logs. The Expect-CT header tells the browser to require proof (signed certificate timestamps) that the certificate for your site has been logged, and optionally to report when it has not. With these logs, fraudulent Certificate Authorities can be discovered faster and incorrectly issued certificates can be detected quickly. Note that browsers now enforce Certificate Transparency for new certificates on their own and the Expect-CT header has since been deprecated, so it adds little on current browsers.

Referrer-Policy (No Referrer When Downgrade)

Required knowledge level: none. Recommended.

Sets the Referrer-Policy header to no-referrer-when-downgrade: the browser sends the referrer when the destination is at least as secure as the current page (HTTPS to HTTPS), but sends no referrer at all when downgrading from HTTPS to plain HTTP. This way the URLs of pages on your site, which can contain tokens or other sensitive parameters, are never leaked unencrypted to an HTTP destination.
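The headers above are easy to get slightly wrong (an obsolete ALLOW-FROM value, a referrer policy that leaks full URLs). As an added example, not code from Really Simple SSL, here is a small Python audit that parses a raw HTTP response and checks each header discussed so far against the value a practitioner would expect. The two sample responses are constructed: the first with two weak settings, the second corrected.

```python
import re

# Constructed sample responses (not captured from a real site): the first
# carries two weak settings, the second is the corrected version.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOW-FROM https://partner.example.com
X-XSS-Protection: 1; mode=block
Referrer-Policy: unsafe-url
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
"""

ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts

# Referrer-Policy values that never send the full URL to a less secure target
SAFE_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "origin-when-cross-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_headers(raw):
    """Header names are case-insensitive, so key them by lowercase name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return {header: (status, detail)}; status is ok, warn, missing or info."""
    f = {}

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        f["strict-transport-security"] = ("missing", "add once every subdomain serves HTTPS")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            f["strict-transport-security"] = ("warn", f"max-age {age} is below one year")
        elif "includesubdomains" not in hsts.lower():
            f["strict-transport-security"] = ("warn", "includeSubDomains missing; preload requires it")
        else:
            f["strict-transport-security"] = ("ok", hsts)

    xcto = headers.get("x-content-type-options", "")
    f["x-content-type-options"] = (("ok", xcto) if xcto.lower() == "nosniff"
                                   else ("missing", "set to nosniff"))

    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        f["x-frame-options"] = ("ok", xfo)
    elif xfo.startswith("ALLOW-FROM"):
        f["x-frame-options"] = ("warn", "ALLOW-FROM is obsolete and ignored by current browsers; "
                                        "use the CSP frame-ancestors directive instead")
    else:
        f["x-frame-options"] = ("missing", "set DENY, or SAMEORIGIN if you iframe your own pages")

    xss = headers.get("x-xss-protection")
    f["x-xss-protection"] = ("info", f"{xss or 'absent'}; only legacy browsers honour this header")

    rp = headers.get("referrer-policy", "").lower()
    if not rp:
        f["referrer-policy"] = ("missing", "set no-referrer-when-downgrade or stricter")
    elif rp in SAFE_REFERRER_POLICIES:
        f["referrer-policy"] = ("ok", rp)
    else:
        f["referrer-policy"] = ("warn", f"{rp} sends full URLs to plain-HTTP destinations")

    if "expect-ct" in headers:
        f["expect-ct"] = ("info", "deprecated; browsers now enforce Certificate Transparency by default")
    return f


def problems(findings):
    """Headers that need action, in a stable order for reporting."""
    return sorted(h for h, (status, _) in findings.items() if status in ("warn", "missing"))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(parse_headers(raw))
        print(label, "->", problems(findings) or "no problems")
```

To use it against a live site, paste the output of a raw header fetch (for example from your browser's network tab) into the raw string; the audit deliberately treats X-XSS-Protection as informational only, since current browsers ignore it.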

Content Security Policy

Required knowledge level: advanced. Read the instructions carefully first.

With CSP you can define from which domains your website may load resources, such as images, stylesheets and JavaScript files. This is one of the more advanced headers: because of the modular nature of WordPress, each plugin and theme can add its own resources, like Google Fonts, and social services such as Facebook and Google Maps load external resources as well. All of these need to be added to the “safe” list, or they will be blocked once the policy is enforced. To make this easy, Really Simple SSL pro has a reporting mode (the policy is sent as Content-Security-Policy-Report-Only) which logs the requests that would have been blocked without actually blocking them. After it has run for a few days, check the detected list: if a reported resource is known and safe, add it to the list of safe resources. When you have gone through all reported items, you can enable the live (enforcing) mode.
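As an added example, not code from Really Simple SSL, here is the report-then-enforce workflow scripted in Python: collect the blocked sources from the violation reports a browser posts while the policy runs in report-only mode, separate the ones you have approved from the rest, and emit the enforced header. The report contents, the origins and the /csp-report endpoint are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what browsers POST to the report endpoint while the
# policy runs in report-only mode (the site and URLs are made up).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "style-src",
                               "blocked-uri": "https://fonts.googleapis.com/css?family=Roboto"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "font-src",
                               "blocked-uri": "https://fonts.gstatic.com/s/roboto/v30/x.woff2"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/contact/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://maps.googleapis.com/maps/api/js"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/contact/",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://evil.example.net/miner.js"}}),
]

# Non-URL values a browser puts in blocked-uri and the CSP source they map to.
KEYWORD_SOURCES = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'",
                   "data": "data:", "blob": "blob:"}


def source_of(blocked_uri):
    """Reduce a blocked URI to the CSP source expression that would allow it.
    Full URLs collapse to their origin so one entry covers the whole host."""
    if blocked_uri in KEYWORD_SOURCES:
        return KEYWORD_SOURCES[blocked_uri]
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri  # 'self' or empty: leave for manual review


def collect_blocked(raw_reports):
    """Map each directive to the set of sources the browser refused to load."""
    detected = {}
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        # Older browsers send only violated-directive, e.g. "script-src 'self'"
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        detected.setdefault(directive, set()).add(source_of(r["blocked-uri"]))
    return detected


def unapproved(detected, approved):
    """Sources seen in reports that nobody has marked as safe yet."""
    return {d: sorted(s - approved) for d, s in detected.items() if s - approved}


def build_policy(base, detected, approved):
    """Extend the base policy with only those detected sources that were approved."""
    policy = {d: list(srcs) for d, srcs in base.items()}
    for directive, sources in detected.items():
        for src in sorted(sources & approved):
            if src not in policy.setdefault(directive, []):
                policy[directive].append(src)
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def csp_header(policy, enforce, report_path="/csp-report"):
    """Report-only while collecting; switch to enforcing once the list is complete."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, f"{policy}; report-uri {report_path}"


BASE_POLICY = {"default-src": ["'self'"], "script-src": ["'self'"], "style-src": ["'self'"]}
# Origins a human has checked and marked as safe; the crypto-miner host is not here.
APPROVED = {"https://fonts.googleapis.com", "https://fonts.gstatic.com",
            "https://maps.googleapis.com"}

if __name__ == "__main__":
    detected = collect_blocked(SAMPLE_REPORTS)
    print("needs review:", unapproved(detected, APPROVED))
    print(csp_header(build_policy(BASE_POLICY, detected, APPROVED), enforce=True))
```

Two design points: detected sources are never added automatically, only those you have put on the approved list, which is exactly what keeps the unknown miner host (and an inline-script report you should investigate rather than whitelist) out of the live policy; and reports are collapsed to origins, so one review covers every file a host serves. The report-uri directive is deprecated in favour of report-to, but it is still what most browsers honour.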

Public-Key-Pins

We do not recommend this header, and it is not implemented in Really Simple SSL pro.

This header (HTTP Public Key Pinning) tells the browser to accept only certificates whose public keys match a pinned set, so a fraudulent certificate for your site will be rejected. We will not be adding it: it is an advanced header with many risks and possible issues (a wrong or lost pin locks your own visitors out of your site for the lifetime of the pin), and it has been deprecated by Google, which essentially kills this header.

Certificate Transparency, signalled with Expect-CT, is what the web relies on instead of PKP.
