TLS is growing in complexity. Server Name Indication (SNI) now means HTTPS sites may be on shared IP addresses, or otherwise restricted. For these servers it is handy to be able to set desired HTTP headers without access to the web servers configuration or using .htaccess file.
This plug-in exposes controls for:
- HSTS (Strict-Transport-Security)
- HPKP (Public-Key-Pins)
- Disabling content sniffing (X-Content-Type-Options)
- XSS protection (X-XSS-Protection)
- Clickjacking mitigation (X-Frame opties in hoofdsite)
- Expect-CT
HSTS is used to ensure that future connections to a website always use TLS, and disallowing bypass of certificate warnings for the site.
HPKP is used if you don’t want to rely solely on the Certificate Authority trust model for certificate issuance.
Disabling content sniffing is mostly of interest for sites that allow users to upload files of specific types, but that browsers might be silly enough to interpret of some other type, thus allowing unexpected attacks.
XSS protection re-enables XSS protection for the site, if the user has disabled it previously, and sets the “block” option so that attacks are not silently ignored.
“Clickjacking” bescherming is normaal alleen aan de orde als iemand is ingelogd. Echter is deze optie door gebruikers aangevraagd. Waarschijnlijk omdat zij “rich content” willen beschermen die buiten de WordPress Authenticatie valt.
Expect-CT wordt gebruikt om ervoor te zorgen dat de “Certificate Transparency” correct geconfigureerd is.