Add1son.com

A place for pondering, planning and projects

Http Headers!

WordPress seems to not be allowing me to add media like I normally do, so I have done it a little bit differently; if anything looks weird, feel free to let me know.

Well, turns out that it wasn’t WordPress at all. After realizing that the text editor, theme editor and “Add media” buttons were not working, I figured I would just export what I had on here (~7 posts) and pull it over fresh, assuming that something went wrong in the upgrade. This was very incorrect. Yesterday I spent most of the day trying to find a new blogging platform because I really thought that the issue was with WordPress (today I tested this hypothesis on a local server and I did not reach the same result, but we will get to that in a minute).

I actually had a draft of this post titled “Http Headers!” in which I was going to advise anyone who was utilizing HTTP headers on their own blog/site running Apache how to get a high rating on this website, where your site is run against an algorithm to see how well you mitigate several attacks that can be prevented by implementing security headers. I got up to an A on the site and I thought nothing of it other than creating the draft for this post. Turns out that WordPress uses a lot of XSS, and the headers that I had implemented in order to get to the highest grade were breaking WordPress.

These include (Apache mod_headers directives; note that the quotes must be plain ASCII quotes in the config file, and that a '*' inside the path of a CSP source such as https://add1son.com/* is not a valid source expression and is ignored by browsers):

Header always set Content-Security-Policy "default-src 'self' https://add1son.com/* https://add1son.com:*; script-src 'unsafe-inline' 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

Removing these headers resolved all of the issues that I was having with my site. Re-scanning my site at https://securityheaders.io currently yields a C result. This being said, just because I have a C on this website doesn’t mean that it is inherently insecure, and one could be tempted to compare this to the idea of security vs convenience. I am currently working on learning how to implement Content-Security-Policy, X-Frame-Options and X-Content-Type-Options in a way that will work with WordPress.

I was able to get the above issues patched up and got my grade to an A for the /blog directory of this website. Here’s how I did it:

Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "no-referrer"
Header always set X-XSS-Protection "1; mode=block"

The https://wordpress.org/plugins/wp-content-security-policy/ plugin in place of a hand-written Content-Security-Policy header.
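To see what a header scanner is actually looking at when it hands out a grade, here is an added example (not code from the original post, and not the securityheaders.io algorithm) that audits a set of response headers: it parses the Content-Security-Policy value into directives, flags 'unsafe-inline' in script-src and the invalid path wildcard from the first header set, checks X-Frame-Options and X-Content-Type-Options values, and lists expected headers that are absent. The two sample header sets are constructed from the Apache lines in this post; the grading rules are this example's own simplifications.

```python
# Added example (not code from the original post): a small header auditor that
# performs the kind of checks a scanner like securityheaders.io performs on the
# headers discussed above. The sample header sets below are constructed from
# the post's own Apache lines; the rules are this example's own simplifications,
# not the scanner's actual algorithm.
from typing import Dict, List
import urllib.request

# Headers a scanner expects to see on an HTTPS site.
EXPECTED = (
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "strict-transport-security",
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; each is a case-insensitive name followed by
    whitespace-separated source expressions. A trailing ';' is tolerated.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'weak': [...]} for one response's headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [name for name in EXPECTED if name not in h]
    weak: List[str] = []

    csp = h.get("content-security-policy")
    if csp:
        d = parse_csp(csp)
        # script-src falls back to default-src when it is not given.
        scripts = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            weak.append("content-security-policy: 'unsafe-inline' in script-src")
        if "*" in scripts:
            weak.append("content-security-policy: wildcard host in script-src")
        for name, sources in d.items():
            for src in sources:
                # A host-source may use '*' as a port or subdomain wildcard,
                # but not inside its path; browsers drop such entries.
                rest = src.split("://", 1)[1] if "://" in src else src
                if "/" in rest and "*" in rest[rest.index("/"):]:
                    weak.append(f"content-security-policy: '*' in path of "
                                f"{src} ({name}) is not a valid source")

    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and ignored by current browsers; the CSP
        # frame-ancestors directive is the supported replacement.
        weak.append(f"x-frame-options: unsupported value {xfo!r}")

    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        weak.append(f"x-content-type-options: expected 'nosniff', got {xcto!r}")

    return {"missing": missing, "weak": weak}


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch a URL and return its response headers (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed samples mirroring the two Apache header sets in the post.
STRICT_HEADERS = {
    "Content-Security-Policy": ("default-src 'self' https://add1son.com/* "
                                "https://add1son.com:*; script-src 'unsafe-inline' "
                                "'self'; connect-src 'self'; img-src 'self'; "
                                "style-src 'self';"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WORDPRESS_FRIENDLY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("strict", STRICT_HEADERS),
                        ("wordpress-friendly", WORDPRESS_FRIENDLY_HEADERS)):
        print(label, audit_headers(hdrs))
```

Run it as a script to see both constructed sets audited, or call `audit_headers(fetch_headers("https://your-site.example/"))` against a live site. Note that the "strict" set from the first attempt is still reported as weak because script-src allows 'unsafe-inline' (which is what lets WordPress's inline scripts keep working) and because the /* path wildcard is not a valid CSP source.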

To be noted is that, despite changing the X-Frame-Options to SAMEORIGIN, I am still not able to customize my theme. I am going to adjust the syntax for this to be ALLOW-FROM, as I believe some of the theme elements may be causing this to not work correctly with the SAMEORIGIN flag.

Resources used:
https://blog.appcanary.com/2017/http-security-headers.html
https://scotthelme.co.uk/hardening-your-http-response-headers/