{ "slug": "headers", "properties": { "slug": "headers", "name": "HTTP Headers", "sidebar_name": "HTTP Headers", "show_module_menu_item": false, "show_module_options": true, "storage_key": "headers", "tagline": "Control HTTP Security Headers", "show_central": true, "access_restricted": true, "premium": false, "run_if_whitelisted": false, "run_if_verified_bot": true, "run_if_wpcli": false, "order": 80 }, "sections": [ { "primary": true, "slug": "section_security_headers", "title": "Advanced Security Headers", "title_short": "Security Headers", "beacon_id": 267, "summary": [ "Purpose - Protect visitors to your site by implementing increased security response headers.", "Recommendation - Enabling these features are advised, but you must test them on your site thoroughly." ] }, { "slug": "section_content_security_policy", "title": "Content Security Policy", "title_short": "Content Security Policy", "beacon_id": 155, "summary": [ "Purpose - Restrict the sources and types of content that may be loaded and processed by visitor browsers.", "Recommendation - Enabling these features are advised, but you must test them on your site thoroughly." ] }, { "slug": "section_enable_plugin_feature_headers", "title": "Enable Module: HTTP Headers", "title_short": "Disable Module", "beacon_id": 265, "summary": [ "Purpose - Protect visitors to your site by implementing increased security response headers.", "Recommendation - Enabling these features are advised, but you must test them on your site thoroughly." ] }, { "slug": "section_non_ui", "hidden": true } ], "options": [ { "key": "enable_headers", "section": "section_enable_plugin_feature_headers", "advanced": true, "default": "Y", "type": "checkbox", "link_info": "https://shsec.io/aj", "link_blog": "https://shsec.io/7c", "beacon_id": 265, "name": "Enable HTTP Headers", "summary": "Enable (or Disable) The HTTP Headers module", "description": "Un-Checking this option will completely disable the HTTP Headers module" }, { "key": "x_frame", "section": "section_security_headers", "default": "on_sameorigin", "type": "select", "value_options": [ { "value_key": "off", "text": "Off: iFrames Not Blocked" }, { "value_key": "on_sameorigin", "text": "On: Allow iFrames On The Same Domain" }, { "value_key": "on_deny", "text": "On: Block All iFrames" } ], "link_info": "https://shsec.io/78", "link_blog": "https://shsec.io/7c", "name": "Block iFrames", "summary": "Block Remote iFrames Of This Site", "description": "The setting prevents any external website from embedding your site in an iFrame. This is useful for preventing so-called ClickJack attacks." }, { "key": "x_xss_protect", "section": "section_security_headers", "default": "Y", "type": "checkbox", "link_info": "https://shsec.io/79", "link_blog": "https://shsec.io/7c", "name": "XSS Protection", "summary": "Employ Built-In Browser XSS Protection", "description": "Directs compatible browsers to block what they detect as Reflective XSS attacks." }, { "key": "x_content_type", "section": "section_security_headers", "default": "Y", "type": "checkbox", "link_info": "https://shsec.io/7a", "link_blog": "https://shsec.io/7c", "name": "Prevent Mime-Sniff", "summary": "Turn-Off Browser Mime-Sniff", "description": "Reduces visitor exposure to malicious user-uploaded content." }, { "key": "x_referrer_policy", "section": "section_security_headers", "sensitive": false, "type": "select", "default": "unsafe-url", "value_options": [ { "value_key": "unsafe-url", "text": "Default: Full Referrer URL (aka 'Unsafe URL')" }, { "value_key": "no-referrer", "text": "No Referrer" }, { "value_key": "no-referrer-when-downgrade", "text": "No Referrer When Downgrade" }, { "value_key": "same-origin", "text": "Same Origin" }, { "value_key": "origin", "text": "Origin" }, { "value_key": "strict-origin", "text": "Strict Origin" }, { "value_key": "origin-when-cross-origin", "text": "Origin When Cross-Origin" }, { "value_key": "strict-origin-when-cross-origin", "text": "Strict Origin When Cross-Origin" }, { "value_key": "empty", "text": "Empty Header" }, { "value_key": "disabled", "text": "Disabled - Don't Send This Header" } ], "link_info": "https://shsec.io/a5", "link_blog": "", "name": "Referrer Policy", "summary": "Referrer Policy Header", "description": "The Referrer Policy Header allows you to control when and what referral information a browser may pass along with links clicked on your site." }, { "key": "enable_x_content_security_policy", "section": "section_content_security_policy", "premium": true, "default": "N", "type": "checkbox", "link_info": "https://shsec.io/7d", "link_blog": "https://shsec.io/7c", "beacon_id": 155, "name": "Enable Content Security Policy", "summary": "Enable (or Disable) The Content Security Policy module", "description": "Allows for permission and restriction of all resources loaded on your site." }, { "key": "xcsp_custom", "section": "section_content_security_policy", "premium": true, "default": [], "type": "array", "link_info": "https://shsec.io/g9", "link_blog": "", "beacon_id": 155, "name": "Manual Rules", "summary": "Manual CSP Rules", "description": "Manual CSP rules." } ] }