Description
HTTP Headers vous donne le contrôle des entêtes http retournés par votre blog ou site web.
Headers supported by HTTP Headers includes:
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Expose-Headers
- Age
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Cache-Control
- Clear-Site-Data
- Connection
- Content-Encoding
- Content-Type
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Expect-CT
- Expires
- Feature-Policy
- NEL
- Permissions-Policy
- Pragma
- P3P
- Referrer-Policy
- Report-To
- Strict-Transport-Security
- Timing-Allow-Origin
- Vary
- WWW-Authenticate
- X-Content-Type-Options
- X-DNS-Prefetch-Control
- X-Download-Options
- X-Frame-Options
- X-Permitted-Cross-Domain-Policies
- X-Powered-By
- X-Robots-Tag
- X-UA-Compatible
- X-XSS-Protection
Captures d’écran
This screenshot shows up the dashboard with categories of the supported headers. 
This screenshot shows up the headers of a chosen category and their current values. 
Cette capture écran montre la page de paramétrage où vous pouvez ajuster les entêtes de securité (security headers). 
This screenshot shows up the response headers returned by the web server.
Installation
Upload the HTTP Headers plugin to your blog. Then activate it.
That’s all.
FAQ
-
Why to use this plugin?
-
Nowadays security of your social data at the web is essential. This plugin helps you to improve your website overall security.
-
Who use these headers?
-
These HTTP headers are being used in production services by popular websites as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram, Pinterest.
Avis
23 septembre 2024
When used with Elementor, you can’t edit the pages. Had to uninstall, since I don’t know what else it will break.
11 mai 2024
2 réponses
I am finding this a very effective tool to help clients reach security compliance. There is one glitch I believe, however, is with the x-content-type-options. Once you enable this the only option is « nosniff ». And once enabled, there is no way to reset it. And unfortunately i believe this setting is creating errors on my site. I can’t even seem to find the line for it in my .htaccess file. Any recommendations?
30 avril 2024
I have felt this has been excellent since the first time I used it, and absolutely no issues with it for what it is, except that there are a couple of headers that either need to be ‘marked deprecated’ or just removed. My immediate spot of these are the, Features header, P3P header and the Expect-CT (which is still around, but Mozilla recommend not using). There may be others.
There are a bunch of things that I might suggest as improvements, but this is to move the tool forward a bit. For instance:
It would be great if it could display the highlighted state of the current Apache/Nginx code and the status of the security (as per securityheaders.com form) alongside/under it, so you could see the evolution of the security header set up arrangements as you add/remove them.
Could be useful to have some in-built documentation on these things (particularly with the P3P header, those little summary items were impossible to figure out without going back and forth, but for other things like cache-control, or accept-expose-headers, some labelling could help). That said, for advanced users anyway, so perhaps less important.
Further to that, it might be useful to have an indication of what OWASP, Scott Helme, and Mozilla recommend and/or warnings for ones that are problematic for security or high risk with labels on them.
There are a few things that have odd formatting, so it is not obvious how to transpose the information for the reporting one over from how the header is laid out, since there are different ones for this. In this you have the report header that is normally used (as per report-uri site from Scott Helme) but it does not fit there. However, it has a group called ‘csp-element’ or something similar that might be clearer as to its use elsewhere). There is also the display of custom headers that are all grouped into one thing, and not spread out in a useful way if you want to review them.
Odd grouping in a couple of places, so custom headers I might have given its own block for instance, and to have two items in one and even one in one grouping is a bit pointless.
On another note, it is a shame that there is not a tool that is so effective that does this kind of thing for Wordpress and just outputs the BIND9 detail for DNS resource records. A combination of this and that, with the ability to adjust PHP and Apache settings would be the most amazing tool ever. For what this does, however, is sets the foundations for a great security setup.
18 avril 2024
Simply and useful
31 mars 2024
Great tool. Novices, beware, the myriad of settings is a bit daunting at first so you need to dive into the subtleties of Header settings, specifically the ones that address security settings for your site.
A good resource for the broad variety of settings for Content Security Policy as well as other important Header settings such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy and Permissions Policy can be found at cheatsheetseries owasp org.
Take your time working out which settings work best for your site. Getting a good rating at securityheaders com will reward you for your efforts.
While the tool respects your initial .htaccess content it’s a good idea to backup your .htaccess before saving and applying the plugins settings.
16 septembre 2023
Been using this for well over a year now. Works like a champ with custom themes, wide variety of plugins, and page builder themes. Of course, we keep all of these updated. The settings dashboard is very user-friendly. Much easier than adding these manually. Thank you!
Contributeurs/contributrices & développeurs/développeuses
« HTTP Headers » est un logiciel libre. Les personnes suivantes ont contribué à cette extension.
Contributeurs
“HTTP Headers” a été traduit dans 3 locales. Remerciez l’équipe de traduction pour ses contributions.
Traduisez « HTTP Headers » dans votre langue.
Le développement vous intéresse ?
Parcourir le code, consulter le SVN dépôt, ou s’inscrire au journal de développement par RSS.
Journal
1.19.2
Release Date – 22nd December, 2024
- Added « script-src-elem » directive to « Content-Security-Policy » header
- Added « script-src-attr » directive to « Content-Security-Policy » header
- Added « style-src-elem » directive to « Content-Security-Policy » header
- Added « style-src-attr » directive to « Content-Security-Policy » header
1.19.1
Release Date – 2nd September, 2023
- Added « clientHints » directive to « Clear-Site-Data » header
- Added « credentialless » directive to « Cross-Origin-Embedder-Policy » header
1.19.0
Release Date – 7th July, 2023
- Fixed: SSRF vulnerability by an Admin user
- Fixed: XSS vulnerability by an Admin user
1.18.11
Release Date – 11th June, 2023
- Fixed: Remote Code Execution by an Admin user
1.18.10
Release Date – 28th May, 2023
- Fixed: Remote Code Execution by an Admin user
- Removed: Import/Export functions
1.18.9
Release Date – 23rd April, 2023
- Fixed: Remote Code Execution by an Admin user
1.18.8
Release Date – 17th April, 2023
- Fixed: SQL Injection by an Admin user
- Fixed: Remote Code Execution by an Admin user
- Few PHP 8.x compatible fixes
1.18.7
Release Date – 24th January, 2023
- Fix CSP default value
1.18.6
Release Date – 22nd January, 2023
- PHP 8 compatibility changes
1.18.5
Release Date – 30th April, 2021
- Configurable paths to files who store passwords for basic/digest auth
- Fixed issue with plugin activation, due missing file
1.18.4
Release Date – 30th April, 2021
- Initial value of X-Robots-Tag fixed
1.18.3
Release Date – 30th April, 2021
- Added « X-Robots-Tag » header
- Added « interest-cohort », « layout-animations », « legacy-image-formats », « oversized-images », and « wake-lock » directive to « Permissions-Policy » header
- Added « cross-origin » value to « Cross-Origin-Resource-Policy » header
- Added « navigate-to » and « prefetch-src » directives to « Content-Security-Policy » header
1.18.2
Release Date – 24th April, 2021
- Configurable paths to .htaccess and .user.ini files
1.18.1
Release Date – 29th October, 2020
- Added « allow-downloads » and « allow-top-navigation-by-user-activation » to « sandbox » directive, part of CSP
1.18.0
Release Date – 20th September, 2020
- Added « Permissions-Policy » header
- Fixed « Cookie Security »
1.17.0
Release Date – 26th July, 2020
- Added « Cross-Origin-Embedder-Policy » header
- Added « Cross-Origin-Opener-Policy » header
1.16.1
Release Date – 23rd July, 2020
- Fixed JS/CSS versioning
1.16.0
Release Date – 23rd July, 2020
- Added the « NEL » header
- Fixed the « Report-To » header
1.15.2
Release Date – 18th June, 2020
- Fixed a PHP Notice at « Expires » page
- Fixed comments in .user.ini file
1.15.1
Release Date – 9th May, 2020
- Fixed the « Access-Control-Allow-Origin » header
1.15.0
Release Date – 26th January, 2020
- Added the « Cross-Origin-Resource-Policy » header
- Removed the « Public-Key-Pins » header
1.14.2
Release Date – 25th November, 2019
- CORS headers updated (added « Vary: Origin »)
1.14.1
Release Date – 15th September, 2019
- Simple filtering was replaced with Dynamic filtering
1.14.0
Release Date – 1st September, 2019
- Added the « Content-Type » header
- Fixed the « Access-Control-Allow-Credentials » header
- Improvement to « Access-Control-Allow-Headers » header
- Improvement to « Access-Control-Allow-Methods » header
- Improvement to « Access-Control-Expose-Headers » header
- Improvement to « Cache-Control » header
- Improvement to « Vary » header
1.13.4
Release Date – 14th July, 2019
- Added the « always » condition to Header (unset) directive
- Fixed the « import » function
- Fixed the « Access-Control-Allow-Origin » header
1.13.3
Release Date – 16th June, 2019
- Bugfix in « WWW-Authenticate » header
- Added support of Apache 2.4
1.13.2
Date Release – 13 Juin 2019
- Bugfix in « Content-Encoding » header
- Bugfix in « Vary » header
1.13.1
Date Release – 8 Juin 2019
- Ajout compression Brotli
1.13.0
Date Release – 7 Juin 2019
- Ajout « SameSite » à Cookie Security
- Correction de la fonction import/export
- Reformatage du code
1.12.2
Date Release – 5 Avril 2019
- UI improvement for Content-Security-Policy
- Correction de Access-Control-Allow-Headers
- Correction de Access-Control-Allow-Origin
- Correction Feature-Policy
1.12.1
Date Release – 9 Janvier 2019
- Remove direct calls to cURL
1.12.0
Date Release – 5 Janvier 2019
- Amélioration des fonctions « Activer/Désactiver »
1.11.0
Date Release – 9 Décembre 2018
- Added support of « Clear-Site-Data » header
1.10.5
Date Release – 6 Novembre 2018
- Hotfix: parallel work with third-party plugins
1.10.4
Date Release- 30 Septembre 2018
- Support of following Server APIs: CGI, FastCGI, PHP-FPM
- Amélioration de la gestion des erreurs
1.10.3
Date Release – 8 Août 2018
- Amélioration HSTS
- Amélioration CORS
1.10.2
Date Release – 31 Juillet 2018
- Export feature bug-fixed
1.10.1
Date Release – 18 Juillet 2018
- Feature-Policy header update: new features added
1.10.0
Date Release – 17 Juillet 2018
- Ajout entête « Feature-Policy »
1.9.5
Date Release – 12 Juillet 2018
- Corrections sur CORS
1.9.4
Date Release – 13 Janvier 2018
- Amélioration de la sécurité In-plugin
1.9.3
Date Release – 10 Janvier 2018
- Correction
1.9.2
Date Release – 4 Janvier 2018
- Améliorations sécurité
1.9.1
Date Release – 27 Décembre 2017
- Mise à jour des traductions
1.9.0
Date Release – 23 Décembre 2017
- Added support of « Report-To » header
- Supporte les traductions
- Ajout Import/Export
- Updated « Content-Security-Policy » header (added directives: object-src, frame-src, worker-src, manifest-src, base-uri, report-to)
- Updated « WWW-Authenticate » header (support multiple users)
- Mise à jour de des entêtes « Access-Control » (ajout liste des origines)
1.8.0
Date Release – 31 Août 2017
- Ajout entête « Timing-Allow-Origin »
- Ajout entête « X-Download-Options »
- Ajout entête « X-DNS-Prefetch-Control »
- Ajout entête « X-Permitted-Cross-Domain-Policies »
- Ajout des entêtes Custom
1.7.1
Date Release – 18 Août 2017
- Correction Notice PHP
1.7.0
Date Release – 15 Août 2017
- Ajout entête « Content-Security-Policy-Report-Only »
- Ajout entête « Public-Key-Pins-Report-Only »
- Added « 1; report= » directive to the « X-XSS-Protection » header
- Added « Inspect headers » tool
- Corrections Interface Utilisateur
1.6.0
Date Release – 5 Août 2017
- Ajout entête « Expect-CT »
1.5.0
Date Release – 30 Juillet 2017
- Ajout entête « Age »
- Ajout entête « Cache-Control »
- Ajout entête « Connection »
- Ajout entête « Content-Encoding »
- Ajout entête « Expires »
- Ajout entête « Pragma »
- Ajout entête « Vary »
- Ajout entête « WWW-Authenticate »
- Ajout entête « X-Powered-By »
- Ajout des cookies « Secure » et « HttpOnly »
1.4.0
Date Release – 5 Juillet 2017
- Added support of Apache (via htaccess) inclusion method
1.3.0
Date Release – 3 Juin 2017
- Ajout entête Content-Security-Policy
- Ajout Tableau de bord
1.2.0
Date Release – 28 Avril 2017
- Ajout entête Referrer-Policy
1.1.2
Date Release – 13 Fevrier 2017
- Added support of ‘preload’ directive to HSTS header
1.1.1
Date Release – 8 Novembre 2016
- Fixed typo in the X-Frame-Options header
1.1.0
Date Release – 20 Mai 2016
- Ajout entête P3P
1.0.0
Date Release – 10 Mai 2016
- Version initiale