Security Header Generator
| 开发者 | kevp75 |
|---|---|
| 更新时间 | 2025年5月30日 19:31 |
| 捐献地址: | 去捐款 |
| PHP版本: | 8.1 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPLv3 |
| 版权网址: | 版权信息 |
标签
下载
3.0.68
3.9.77
5.2.03
1.3.14
1.4.09
1.6.09
1.6.10
1.7.02
2.0.08
3.6.33
1.3.13
1.9.23
1.9.27
1.9.17
1.9.18
3.0.10
1.4.11
1.5.22
1.7.03
1.8.11
1.8.14
1.8.23
1.9.11
1.9.43
1.9.44
1.9.47
1.9.51
2.0.97
2.1.09
2.1.11
2.2.13
2.2.15
5.2.99
5.2.99.1
5.3.01
3.0.09
3.0.77
3.3.01
3.6.02
3.6.11
2.0.36
3.6.22
3.4.28
4.0.01
4.1.22
4.6.01
4.1.23
5.1.29
3.2.34
3.2.37
3.4.27
3.6.44
3.6.79
3.7.23
3.8.01
3.2.33
3.5.17
3.6.46
3.8.14
3.9.01
3.9.12
5.1.31
详情介绍:
This plugin generates the proper security HTTP response headers, attempts to generate a valid Content Security Policy, and sets browser permissions if configured.
安装:
- Download the plugin, unzip it, and upload to your sites
/wp-content/plugins/directory - You can also upload it directly to your Plugins admin
- Activate the plugin through the 'Plugins' menu in WordPress
屏幕截图:
常见问题:
Why do I need this plugin?
It is a simplified way to set security headings for your website which will help mitigate attacks.
What is a Content Security Policy?
A Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
How can I configure my Content Security Policy?
This is where it gets complicated. You will need to browser your website and track all external resources and types. For an example, we have included WordPress defaults. Once you have done this initial tracking you can add the sources in the plugins Content Security Policy sources, and hit the 'Save' button. Once you have initially configured it, I would recommend repeating the process above as many times as it takes to gather all of them. It can take quite a number of times to accomplish this, some external resources like iframes, scripts, and even stylesheets can pull in their own external items that will not show until the parent items are included.
How can I ensure all requests are sent via https?
In the Standard Security Header tab in the plugin settings, turn on the "upgrade insecure requests" and hit 'Save'.
Is there any documentation?
Sure is, in the plugin settings, look for the Documentation tab.
Can I backup the settings?
Sure can. In the plugin settings, look for the Export/Import Settings tab.
What if I need support?
You can reach out at the plugins page in the WordPress.org plugin respository.
What kind of support will you give me once I have this installed?
Please understand, I cannot generate the proper headers for you through the wordpress.org support due to the amount of time it could take to do it along with the access I would need. However, I can be contacted here: https://kevp.us/contact and we can discuss it.
更新日志:
5.3.01
- Verify: WP Core 6.9
- Update: PHP 8.1 requirement
- Update: Defaults for WordPress
- Update: 'None' CSP now actually changes to None.
- Originating values in sources will be retained in case you need to change back.
- This only persists before you save the settings, so if you intend to save and test, please make sure to back them up manually.
- Forgot to update WP Core Version tested...
- Added: 'base-uri' directive
- Removed: Multisite functionality
- Was causing issues on some hosts where the headers would not apply properly
- Renamed: 'Allow Unsafe' to 'Extras'
- to allow for 'none', 'self', 'unsafe-inline', 'unsafe-eval'
- Removed: 'self' in CSP Policies from auto-injection
- Removed: 'report-to' directive
- this will make a comeback once the "Reporting-Endpoints" has full browser coverage
- Fixed: WP Defaults not populating the 'connect-src' in settings
- Removed: PHP 8.2 restrictions
- Implemented notice to upgrade though.
- Requirements: WP Core: 6.0.9
- Next version will be incompatible with PHP 7.4
- Verify: WP Core 6.8 Compatability
- Verify: PHP 8.4 Compatibility
- Fix: Field Not Found in settings for Report to
- Fix: Removed 'nothing' for unsafe settings
- literally did nothing anyways, and wasn't actually meant for that
- the keyword 'none' should be added to "Source" if it is needed
- Fix: "apply_child_override" warnings
- Add: PHP Upgrade Notice for any site under PHP 8.1
- Fix: Issue where menu would disappear on non-multisite
- Fix: Some undefined array keys when some settings not set
- Verify: WP Core 6.7 Compatibility
- Fix: Defaults for settings.
- Found headers were being applied after turning off setting that should not have been
- Clean Up: Versions older than 4
- Add:
sandboxdirective for Content Security Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
- Fix: Application of CSP headers when there is no value set
- No longer sets the directive if nothing is configured for it.
- Fix: Some styling in the admin pages
- Remove: Deprecated CLI methods
- Update: JS Libraries for settings framework
- Verified: PHP 8.3 Compatibility
- Verified: WP Core 6.6 Compatibility
- Updated: settings fw: Fixed: PHP 8.x deprecated notices.
- Updated: Documentation
- Removed: references to implementation to avoid confusion
- Removed: CLI Generator
- Verified: WP Core 6.5 Compatibility
- Add: Apply CSP to REST API
- Please be aware, once this is switched on it will also be active for the admin area of the site.
- Hook:
wpsh_send_restapi_headers
- Verified: Core Version 6.4 compliant
- Remove:
navigate-todirective for Content Security Policy - Per: https://docs.w3cub.com/http/headers/content-security-policy/navigate-to no longer supported in any browser
- Add:
report-todirective for Content Security Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
- Please be aware, this directive currently does nothing in Firefox and Safari
- Updated: Wordpress Defaults. Compliant ONLY with the following:
- Plugins: Gravity Forms
- Themes: Twenty Twenty, Twenty Twenty-One, Twenty Twenty-Two, Twenty Twenty-Three
- Updated: Wordpress Core version requirements to 5.6.10
- Fix: Autofill on Basic Auth fields
- Add: Access-Control-Allow-Methods header
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
- Default: GET, POST, HEAD
- These are Wordpress default allowable methods for the REST API
- Hook:
wpsh_acam_header - Add: Access-Control-Allow-Credentials
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
- Default: true
- Hook:
wpsh_acac_header - Updated: Documentation
- Update: Documentation
- Fix: Autoloader not including the settings
- NOTE I had to manually include them, but not anymore :)
- Add: Directives to the COEP
require-corpandunsafe-none- NOTE
require-corpwill require you to configure the Cross-Origin-Resource-Policy header - Remove older versions
- Fix: Deprecation notice in CLI
- Fix: Deprecated
get_page_by_title - Optimize: Class loading with Composers autoloader and it's optimizations
- Updated: JS libraries (codemirror, leaflet, etc).
- Improved: Some JS and CSS coding.
- Fix: PHP 8.1 deprecation notice on
rtrim - Add: Cross-Origin-Resource-Policy header
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
- Default: same-origin
- Hook:
wpsh_corp_header
- Fix: CSP Headers being set in admin when not configured to do so
- change in WP core
send_headersoradmin_initactions between Core 6.2 and Core 6.2.2 - Add: More concise boolean checks
- Add: Option for applying Content Security Policy headers to admin separately from primary security headers application setting
- Add: Option for applying Feature Policy headers to admin separately from primary security headers application setting
- Fix: Default CSP Script and Styles headers WP Defaults
- Remove: Implementation page in settings
- No longer a need for this
- Update: Documentation for the above
- Remove:
document-domainfrom the Permissions-Policy header - no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain
- Remove:
execution-while-not-renderedfrom the Permissions-Policy header - no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/execution-while-not-rendered
- Remove:
execution-while-out-of-viewportfrom the Permissions-Policy header - no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/execution-while-out-of-viewport
- Remove:
navigation-overridefrom the Permissions-Policy header - completely removed
- Remove:
gamepadfrom the Permissions-Policy header - no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad
- Remove: The FLoC Permission Policy.
- completely removed
- Add:
hidto the Permissions-Policy Header - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid
- Add:
identity-credentials-getto the Permissions-Policy Header - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get
- Add:
idle-detectionto the Permissions-Policy Header - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection
- Add
publickey-credentials-createto the Permissions-Policy Header - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create
- Add
screen-wake-lockto the Permissions-Policy Header - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock
- Add
serialto the Permissions-Policy Header - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial
- Add
web-shareto the Permissions-Policy Header - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share
- Remove:
prefetch-srcfrom the Content-Security-Policy - no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src
- Fix: Implementation Page
- now accurately reflects the confguration set
- Verify: Up to 6.3 Compliant
- Fix: PHP 8.2 deprecation notices in field Framework
- Test: Up to 6.2 compliant
- Add: setting for allowing an access control origin
- This should help out with CORS issues, especially from google
- Fix: PHP 8 warning messages
Warning: Undefined array key "Permissions-Policy"- Fix: PHP 8 fatal error on special circumstance
KCP_CSPGEN_Headers::kp_get_generated_csp(): Return value must be of type array, string returned
- Test: Up to 6.1.2 compliant
- Fixed: Directory traversal in plugin
- Fixed: Added check/uncheck all option for checkbox field.
- Updated: Google Web Fonts array added new fonts.
- Updated: JS libraries (codemirror, leaflet, etc).
- Improved: Some JS and CSS coding.
- Test: Up to 6.1.1 compliant
- Remove: Server identifiers removers.
- Rework: Broke out the front-end and admin headers to separate methods
- Fix: Check for duplicate headers, or already set headers
- Fix: Typo in versioning
- Test: Up to 6.0.2 compliant
- Tech: force PHP 7.4 minimum
- Remove: Upgrader hook
- this is no longer needed
- Remove: X-XSS-Protection Header
- was depracated in version 2.2.13. Only compatible browsers as of 7/14/2022 are Edge and and Safari Use CSP to mitigate XSS
- Test: Up to 6.0 compliant
- Test: Up to PHP 8.1 Compliant
- New: Plugin Icon =)
- Updated: Settings Field Framework
- Added: Number field "min", "max", "step" options.
- Updated: Google Web Fonts array added new fonts.
- Updated: JS libraries (codemirror, leaflet, etc).
- Improved: Group field "custom title and prefix" option (samples added).
- Improved: Some JS and CSS coding.
- Fix: Eval and Inline for empty directives
- Fix: Forgot a debugging var_dump... SMH
- Fix: Include blank directives:
- Even if the directives are blank for the CSP, they should still be included with the 'self' flag
- Test: Up to 5.9.2 compliant
- Fix: CLI performance.
- Was timing out, then skipping some directives on larger sites.
- Fix: Default WP CSP headers not being set
- Fix: Implementation now includes Default WP
- Feature: Implement debug check to queue unminified style and scripts
- Fix: Implementation from the CLI pulls
- Update: Settings framework
- Fix: OR to ||
- forgot about it in the main plugin file
- Update: translatable resources
- New: /languages/security-header-generator.pot
- Fix: Array issue
- Fix: Strict typing issue
- Feature: Implement post update hook to try to properly migrate existing settings to the new format
- Update: Change exportable/importable settings names, more legible
- While I will do my best to automate this, please note it may not be perfect... I am only human after all ;)
- If you export your settings before updating, you can import them again after updating and the below will be taken care of for you.
- Just in case it does not work 100%, please export your settings before updating to this version and perform a search and replace for the string to remove it:
- Search: "kp_cspgen_"
- Replace: null|nothing|empty
- NOTE: If you do not export your settings I will not guarantee that you will not have to reconfigure the plugin.
Although... I did take a backup ;) You will need to hop into your database to grab it though, it will be in your
options table, and it is called:
wpsh_TEMP_settings. I will have this automatically removed in a future update - Add: Option to remove server advertising.
- Add: Expect-CT header
- The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements, to prevent the use of misissued certificates for that site from going unnoticed.
- Doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
- Hook:
wpsh_expectct_header - Updated: Feature Policies.
- Removed the following: battery, layout-animations, legacy-image-formats, oversized-images, screen-wake-lock, unoptimized-images, unsized-media, web-share
- The above no longer have any browser support.
- Added: Descriptive descriptions for each directive
- Updated: Content Security Policy
- Added: the following fetch directives:
- child-src, manifest-src, object-src, prefetch-src, script-src-elem, script-src-attr, style-src-elem, style-src-attr, worker-src, navigate-to
- Added: Unsafe Inline and Unsafe Eval settings on each CSP directive
- Added: Descriptive descriptions for each directive
- Reworked: Settings for the entire section, which of course caused me to rewrite the way they are implemented.