=== HTTP Headers ===
Contributors: zinoui
Donate link: https://zinoui.com/donation
Tags: custom headers, http headers, headers, security, http header, header, cross domain, cors, xss, clickjacking, mitm, cross origin, cross site, privacy, p3p, hsts, referrer, csp, caching, compression, access control, authentication
Requires at least: 3.2
Tested up to: 5.7.1
Requires PHP: 5.3
Stable tag: 1.18.5
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
HTTP Headers adds CORS & security HTTP headers to your website.
== Description ==
HTTP Headers gives you control over the HTTP headers returned by your blog or website.
Headers supported by HTTP Headers include:
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Expose-Headers
- Age
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Cache-Control
- Clear-Site-Data
- Connection
- Content-Encoding
- Content-Type
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Expect-CT
- Expires
- Feature-Policy
- NEL
- Permissions-Policy
- Pragma
- P3P
- Referrer-Policy
- Report-To
- Strict-Transport-Security
- Timing-Allow-Origin
- Vary
- WWW-Authenticate
- X-Content-Type-Options
- X-DNS-Prefetch-Control
- X-Download-Options
- X-Frame-Options
- X-Permitted-Cross-Domain-Policies
- X-Powered-By
- X-Robots-Tag
- X-UA-Compatible
- X-XSS-Protection
The [getting started tutorial](https://zinoui.com/blog/http-headers-for-wordpress) describes a typical configuration of this plugin.
== Installation ==
Upload the HTTP Headers plugin to your blog. Then activate it.
That's all.
== Frequently Asked Questions ==
= Why use this plugin? =
Nowadays, the security of your social data on the web is essential. This plugin helps you improve your website's overall security.
= Who uses these headers? =
These HTTP headers are used in production services by popular websites such as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram, Pinterest.
== Screenshots ==
1. This screenshot shows the dashboard with categories of the supported headers.
2. This screenshot shows the headers of a chosen category and their current values.
3. This screenshot shows the settings page where you can adjust the security headers.
4. This screenshot shows the response headers returned by the web server.
== Upgrade Notice ==
Updates are on the way, so stay tuned at [@DimitarIvanov](https://twitter.com/DimitarIvanov)
== Changelog ==
= 1.18.5 =
*Release Date - 30th April, 2021*
* Configurable paths to the files that store passwords for basic/digest auth
* Fixed issue with plugin activation, due to a missing file
= 1.18.4 =
*Release Date - 30th April, 2021*
* Initial value of X-Robots-Tag fixed
= 1.18.3 =
*Release Date - 30th April, 2021*
* Added "X-Robots-Tag" header
* Added "interest-cohort", "layout-animations", "legacy-image-formats", "oversized-images", and "wake-lock" directives to "Permissions-Policy" header
* Added "cross-origin" value to "Cross-Origin-Resource-Policy" header
* Added "navigate-to" and "prefetch-src" directives to "Content-Security-Policy" header
= 1.18.2 =
*Release Date - 24th April, 2021*
* Configurable paths to .htaccess and .user.ini files
= 1.18.1 =
*Release Date - 29th October, 2020*
* Added "allow-downloads" and "allow-top-navigation-by-user-activation" to "sandbox" directive, part of CSP
= 1.18.0 =
*Release Date - 20th September, 2020*
* Added "Permissions-Policy" header
* Fixed "Cookie Security"
= 1.17.0 =
*Release Date - 26th July, 2020*
* Added "Cross-Origin-Embedder-Policy" header
* Added "Cross-Origin-Opener-Policy" header
= 1.16.1 =
*Release Date - 23rd July, 2020*
* Fixed JS/CSS versioning
= 1.16.0 =
*Release Date - 23rd July, 2020*
* Added the "NEL" header
* Fixed the "Report-To" header
= 1.15.2 =
*Release Date - 18th June, 2020*
* Fixed a PHP Notice at "Expires" page
* Fixed comments in .user.ini file
= 1.15.1 =
*Release Date - 9th May, 2020*
* Fixed the "Access-Control-Allow-Origin" header
= 1.15.0 =
*Release Date - 26th January, 2020*
* Added the "Cross-Origin-Resource-Policy" header
* Removed the "Public-Key-Pins" header
= 1.14.2 =
*Release Date - 25th November, 2019*
* CORS headers updated (added "Vary: Origin")
= 1.14.1 =
*Release Date - 15th September, 2019*
* Simple filtering was replaced with Dynamic filtering
= 1.14.0 =
*Release Date - 1st September, 2019*
* Added the "Content-Type" header
* Fixed the "Access-Control-Allow-Credentials" header
* Improvement to "Access-Control-Allow-Headers" header
* Improvement to "Access-Control-Allow-Methods" header
* Improvement to "Access-Control-Expose-Headers" header
* Improvement to "Cache-Control" header
* Improvement to "Vary" header
= 1.13.4 =
*Release Date - 14th July, 2019*
* Added the "always" condition to Header (unset) directive
* Fixed the "import" function
* Fixed the "Access-Control-Allow-Origin" header
= 1.13.3 =
*Release Date - 16th June, 2019*
* Bugfix in "WWW-Authenticate" header
* Added support of Apache 2.4
= 1.13.2 =
*Release Date - 13th June, 2019*
* Bugfix in "Content-Encoding" header
* Bugfix in "Vary" header
= 1.13.1 =
*Release Date - 8th June, 2019*
* Added Brotli compression
= 1.13.0 =
*Release Date - 7th June, 2019*
* Added "SameSite" to Cookie Security
* Fixed import/export function
* Code refactoring
= 1.12.2 =
*Release Date - 5th April, 2019*
* UI improvement for Content-Security-Policy
* Fix for Access-Control-Allow-Headers
* Fix for Access-Control-Allow-Origin
* Fix for Feature-Policy
= 1.12.1 =
*Release Date - 9th January, 2019*
* Remove direct calls to cURL
= 1.12.0 =
*Release Date - 5th January, 2019*
* Better handling of activate/deactivate functions
= 1.11.0 =
*Release Date - 9th December, 2018*
* Added support of "Clear-Site-Data" header
= 1.10.5 =
*Release Date - 6th November, 2018*
* Hotfix: parallel work with third-party plugins
= 1.10.4 =
*Release Date - 30th September, 2018*
* Support of following Server APIs: CGI, FastCGI, PHP-FPM
* Error handling improvement
= 1.10.3 =
*Release Date - 8th August, 2018*
* HSTS improvement
* CORS improvement
= 1.10.2 =
*Release Date - 31st July, 2018*
* Export feature bug-fixed
= 1.10.1 =
*Release Date - 18th July, 2018*
* Feature-Policy header update: new features added
= 1.10.0 =
*Release Date - 17th July, 2018*
* Added support of "Feature-Policy" header
= 1.9.5 =
*Release Date - 12th July, 2018*
* CORS bugfix
= 1.9.4 =
*Release Date - 13th January, 2018*
* In-plugin security improvement
= 1.9.3 =
*Release Date - 10th January, 2018*
* Bug fix
= 1.9.2 =
*Release Date - 4th January, 2018*
* Security improvements
= 1.9.1 =
*Release Date - 27th December, 2017*
* Updated translations
= 1.9.0 =
*Release Date - 23rd December, 2017*
* Added support of "Report-To" header
* Added support of translations
* Added support of Import/Export
* Updated "Content-Security-Policy" header (added directives: object-src, frame-src, worker-src, manifest-src, base-uri, report-to)
* Updated "WWW-Authenticate" header (support multiple users)
* Updated "Access-Control" headers (added list of origins)
= 1.8.0 =
*Release Date - 31st August, 2017*
* Added support of "Timing-Allow-Origin" header
* Added support of "X-Download-Options" header
* Added support of "X-DNS-Prefetch-Control" header
* Added support of "X-Permitted-Cross-Domain-Policies" header
* Added support of Custom headers
= 1.7.1 =
*Release Date - 18th August, 2017*
* PHP notice bugfixed
= 1.7.0 =
*Release Date - 15th August, 2017*
* Added support of "Content-Security-Policy-Report-Only" header
* Added support of "Public-Key-Pins-Report-Only" header
* Added "1; report=<reporting-URI>" directive to the "X-XSS-Protection" header
* Added "Inspect headers" tool
* UI bugfixes
= 1.6.0 =
*Release Date - 5th August, 2017*
* Added support of "Expect-CT" header
= 1.5.0 =
*Release Date - 30th July, 2017*
* Added support of "Age" header
* Added support of "Cache-Control" header
* Added support of "Connection" header
* Added support of "Content-Encoding" header
* Added support of "Expires" header
* Added support of "Pragma" header
* Added support of "Vary" header
* Added support of "WWW-Authenticate" header
* Added support of "X-Powered-By" header
* Added support of "Secure" and "HttpOnly" cookies
= 1.4.0 =
*Release Date - 5th July, 2017*
* Added support of Apache (via htaccess) inclusion method
= 1.3.0 =
*Release Date - 3rd June, 2017*
* Added support of Content-Security-Policy header
* Added dashboard
= 1.2.0 =
*Release Date - 28th April, 2017*
* Added support of Referrer-Policy header
= 1.1.2 =
*Release Date - 13th February, 2017*
* Added support of 'preload' directive to HSTS header
= 1.1.1 =
*Release Date - 8th November, 2016*
* Fixed typo in the X-Frame-Options header
= 1.1.0 =
*Release Date - 20th May, 2016*
* Added support of P3P header
= 1.0.0 =
*Release Date - 10th May, 2016*
* Initial version