Headers Security Advanced & HSTS WP
| 开发者 |
unicorn03
unicorn07 erku alexclassroom |
|---|---|
| 更新时间 | 2024年11月11日 16:41 |
| 捐献地址: | 去捐款 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 6.6.1 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
标签
下载
详情介绍:
- X-XSS-Protection (non-standard)
- Expect-CT
- Access-Control-Allow-Origin
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- X-Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- X-Permitted-Cross-Domain-Policies
- X-Powered-By
- Content-Security-Policy
- Referrer-Policy
- HTTP Strict Transport Security / HSTS
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Clear-Site-Data
- Cross-Origin-Embedder-Policy-Report-Only
- Cross-Origin-Opener-Policy-Report-Only
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Permissions-Policy
- Strict-dynamic
- Strict-Transport-Security
- FLoC (Federated Learning of Cohorts)
- CSP usage for Google Tag Manager world's most popular tag manager
- Using CSP for Gravatar Avatar service for WordPress and Social sites
- Using CSP for Wordpress Internal Media support Wordpress media
- Using CSP for Youtube Embedded Video SDK support Youtube embedded frames and JS SDK
- CSP usage for CookieLaw privacy technology to meet regulatory requirements
- CSP usage for Mailchimp support for Mailchimp automation, SDK and modules
- CSP usage for Google Analytics support for basic conversion domains such as: stats.g.doubleclick.net and www.google.com
- CSP usage for Google Fonts you're not loading it on the page, chances are one of your SDKs is using it
- Using CSP for Facebook support Facebook SDK functionality
- Using CSP for Stripe highly secure online payment system
- Using CSP for New Relic it's a registration and monitoring utility
- Using CSP for Linkedin Tags + SDKs support Linkedin Insight, Linkedin Ads and SDK
- Using CSP for OneTrust OneTrust support helps companies manage privacy requirements
- CSP usage for Moat Moat support to measurement suite such as: ad verification, brand safety, advertising and coverage
- CSP usage for jQuery support of jQuery - JS library
- CSP usage for Twitter Widgets & SDKs support Connect, Widgets and the Twitter client-side SDK
- Using CSP for Google Maps support Google Maps as The ggpht used by streetview
- Using CSP for Quantcast Choice Quantcast support for privacy such as GDPR and CCPA
- CSP usage for Twitter Ads & Analytics Twitter support for advertising and Analytics
- Using CSP for Paypal PayPal support for online payment system
- Using CSP for Drift Drift and Driftt support
- CSP usage for Cookiebot cookie and tracker support, GDPR/ePrivacy and CCPA compliance
- CSP usage for Vimeo Embedded Videos SDK support frames, JS SDK, Froogaloop integration
- Using CSP for AppNexus (now Xandr) AppNexus support for custom retargeting
- Using CSP for Mixpanel support analytics tool with SDK/JS to collect client-side data
- Using CSP for Font Awesome toolkit support for fonts and icons over CSS and Less
- Using CSP for Google reCAPTCHA reCAPTCHA support for fraud and bot protection
- CSP usage for Bootstrap CDN Bootstrap support for CSS frameworks
- Using CSP for HubSpot Hubspot support with many features, used for monitoring and mkt functionality
- Using CSP for Hotjar Hotjar tracker support for analytics and metrics
- Using CSP for WP.com support for wp.com hosting
- Using CSP for Akamai mPulse support for Akamai mPulse, for origin and perimeter integrations
- CSP usage for Cloudflare - Rocket-Loader & Mirage support for Mirage libraries for performance acceleration
- Using CSP for Cloudflare - CDN.js Cloudflare's open CDN support with multiple libraries
- Using CSP for jsDelivr support jsDelivr free CDN for Open Source
- Receive detailed reports on content security policy (CSP) violations.
- Monitor and analyze JavaScript exceptions occurring on their site.
- Benefit from advanced tools for proactive troubleshooting. Monitoring and Integration with Sentry, Datadog and URI Reports for optimal security.
- Check HTTP Security Headers on securityheaders.com
- Check HTTP Strict Transport Security / HSTS at hstspreload.org
- Check WebPageTest at webpagetest.org
- Check HSTS test website gf.dev/hsts-test
- Check CSP test website csper.io/evaluator
- Check CSP Evaluator csp-evaluator.withgoogle.com
- CSP Content Security Policy Generator addons.mozilla.org
安装:
- Vai in Plugin 'Aggiungi nuovo'.
- Cerca Headers Security Advanced & HSTS WP.
- Cerca questo plugin, scaricalo e attivalo.
- Vai in 'impostazioni' > 'Headers Security Advanced & HSTS WP'. Per personalizzare le intestazioni.
- Puoi cambiare questa opzione quando vuoi, Headers Security Advanced & HSTS WP viene impostato in automatico.
- Go to Plugins 'Add New'.
- Search for Headers Security Advanced & HSTS WP.
- Search for this plugin, download and activate it.
- Go to 'settings' > 'Headers Security Advanced & HSTS WP'. To customize headers.
- You can change this option whenever you want, Headers Security Advanced & HSTS WP is set automatically.
- Allez dans Plugins 'Add new'.
- Recherchez Headers Security Advanced & HSTS WP.
- Recherchez ce plugin, téléchargez-le et activez-le.
- Allez dans 'settings' > 'Headers Security Advanced & HSTS WP'. Pour personnaliser les en-têtes
- Vous pouvez modifier cette option quand vous le souhaitez, Headers Security Advanced & HSTS WP est réglé automatiquement.
- Gehen Sie zu Plugins 'Neu hinzufügen'.
- Suchen Sie nach Headers Security Advanced & HSTS WP.
- Suchen Sie nach diesem Plugin, laden Sie es herunter und aktivieren Sie es.
- Gehen Sie zu "Einstellungen" > "Kopfzeilen Sicherheit Erweitert & HSTS WP". So passen Sie die Kopfzeilen an
- Sie können diese Option jederzeit ändern, Headers Security Advanced & HSTS WP wird automatisch eingestellt.
屏幕截图:
常见问题:
What will Report URI monitor for me?
Report URI will monitor content security policy (CSP) violations and provide detailed reports on detected violations.
What will Datadog monitor for me?
Datadog will monitor content security policy (CSP) violations and other security and performance metrics of your site.
Where can I find my Datadog API Key?
You can find your Datadog API Key in the "API Keys" section under "Integrations" in the Datadog control panel. Once the plug-in is activated it performs a test (before and after): Manage CSP reporting with Datadog
What will Sentry monitor for me?
Sentry will monitor and log content security policy (CSP) violations and other JavaScript exceptions that occur on your site.
How can I configure Sentry integration with the plugin?
- Log in to your Sentry dashboard.
- Click on the "Projects" menu item.
- Select the project you have created.
- Click on the gear icon to open project settings.
- In the project settings, go to the "SDK SETUP" section.
- Click on "Security Headers".
- Copy the automatically generated "REPORT URI" URL and paste it into the "CSP Report URI" field in the plugin settings. Example Sentry Report URI (e.g.,
https://<your_org>.sentry.io/api/<project_id>/security/?sentry_key=<key>). - The plugin will initialize Sentry and send CSP reports to Sentry.
How can I configure URIports integration with the plugin?
- Log in to your Sentry dashboard.
- Click on the "User Icon" at the top right of your screen.
- Click "Settings".
- Add the domains you want to monitor to the "Monitored Domains" section on the settings page.
- Click on "Security Headers".
- Copy the automatically generated "URIports" URL and paste it into the "CSP Report URI" field in the plugin settings. Example URIports Report URI (e.g.,
https://account-subdomain.uriports.com/reports). - The plugin will initialize URIports and send CSP reports to URIports.
Why did you choose to integrate with Sentry, URIports, Datadog, and Report URI?
I chose Sentry, URIports, Datadog, and Report URI for integration with this plugin because they are highly reputable and functional platforms in the field of security monitoring. Here's a brief overview of each: Sentry Sentry is a well-known platform for monitoring and tracking errors and exceptions in applications. It provides comprehensive tools for logging and analyzing JavaScript errors, making it an excellent choice for monitoring Content Security Policy (CSP) violations. By integrating with Sentry, users can benefit from detailed error reports and proactive issue resolution. Datadog Datadog is a powerful platform for monitoring infrastructure, applications, and logs. It offers extensive capabilities for tracking security and performance metrics, including CSP violations. The integration with Datadog allows users to gain insights into the health and security of their websites, providing real-time monitoring and alerting features that are essential for maintaining a secure and performant environment. Report URI Report URI is a dedicated service for collecting and analyzing security violation reports, including CSP, HPKP, and other security headers. It is designed specifically to handle large volumes of security reports and provide detailed analytics and visualizations. By using Report URI, users can easily monitor and analyze CSP violations, helping them to quickly identify and mitigate potential security threats. Each of these platforms offers unique strengths and capabilities, making them ideal choices for comprehensive security monitoring and reporting. By integrating with these well-established services, we aim to provide users with reliable and effective tools to enhance the security of their WordPress websites. URIports URIports is a well-known platform for monitoring and tracking errors and exceptions in applications. It provides comprehensive tools for logging and analyzing JavaScript errors, making it an excellent choice for monitoring Content Security Policy (CSP) violations. By integrating with URIports, users can benefit from detailed error reports and proactive issue resolution.
Can I view CSP reports directly in Sentry?
Yes, all CSP reports will be sent to Sentry, where you can view and analyze them in the Sentry control panel.
How do you get an A+ grade?
To earn an A+ grade, your site must issue all HTTP response headers that we check. This indicates a high level of commitment to improving the security of your visitors.
What headers are recommended?
Over an HTTP connection we get Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. Via an HTTPS connection, 2 additional headers are checked for presence which are Strict-Transport-Security and Public-Key-Pins.
- Once the plug-in is activated it performs a test (before and after): https://securityheaders.com/
Can the plugin create slowdowns?
No, Headers Security Advanced & HSTS WP is Fast, Secure and does not affect the SEO and speed of your website.
What is HSTS (Strict Transport Security)?
It was created as a solution to force the browser to use secure connections when a site is running on HTTPS. It is a security header that is added to the web server and reflected in the response header as Strict-Transport-Security. HSTS is important because it addresses the following anomalies:
Check before and after using Preload HSTS
This step is important to submit your website and/or domain to an approved HSTS list. Google officially compiles this list and it is used by Chrome, Firefox, Opera, Safari, IE11 and Edge. You can forward your site to the official HSTS preload directory. ('https://hstspreload.org/')
how to use HTTP Strict Transport Security (HSTS)
If you want to use Preload HSTS for your site, there are a few requirements before you can activate it.
- Have a valid SSL certificate. You can't do any of this anyway without it.
- You must redirect all HTTP traffic to HTTPS (recommended via permanent 301 redirects). This means that your site should be HTTPS only.
- You need to serve all subdomains in HTTPS as well. If you have subdomains, you will need an SSL certificate.
Can I report a bug or request a feature?
You can report bugs or request new features right support@tentacleplugins[dot]com
Disable FLoC, Google's advertising technology
FLoC is a mega tracker that monitors user activity on all sites, stores the information in the browser, and then uses machine learning to place users into cohorts with similar interests. This way, advertisers can target groups of people with similar interests. Plus, according to Google's own testing, FLoC achieves at least 95% more conversions than cookies.
Who is disabling FLoC by Google?
Scott Helme reported that as of May 3, already 967 of the first 1 million domains had disabled FLoC's interest-cohort in their Permissions-Policy header. That list included some big sites like The Guardian and IKEA.
Do you use CloudFlare and the Headers Security Advanced & HSTS WP plugin?
Are you experiencing any anomalies after a plugin update? If yes, please follow these instructions: clear the cache directly to the CloudFlare Client Area
- Log in to your Cloudflare dashboard, and select your account and domain.
- Select Caching > Configuration.
- Under Cache Purge, select Custom Purge. The custom purge window will be displayed.
- Under Purge by, select URL.
- Enter the appropriate values in the text field using the format shown in the example.
- Run through the additional instructions to complete the form.
- Review the data entered.
- Click Delete.
更新日志:
- Preparation: Coming in the next updates is a new interface optimized to the smallest detail;
- Preparation: New structure to prepare the plugin for optimized HSTS;
- Fixed: Fixed a critical error that occurred when enabling the “Enable preload” option due to an invalid string format in the printf function . The error generated an “Unknown format specifier” message. Now the string contains the correct format specifiers (%s), preventing further crashes;