Advanced Security Headers

Configure HSTS, Content Security Policy, and Permissions Policy.

Last updated Feb 3, 2025

ArmorPro includes advanced security headers that provide additional protection but require more careful configuration.

HSTS (Strict-Transport-Security)

HSTS tells a browser that has already received the header over HTTPS to connect to your site only via HTTPS for the next max-age seconds: plain http:// links are rewritten to https:// before the request leaves the browser, and certificate errors can no longer be clicked through. That defeats SSL-stripping attacks, where a network attacker downgrades the connection to HTTP. Two limits to keep in mind: the very first visit is unprotected unless the domain is on the browser preload list, and browsers ignore the header when it arrives over plain HTTP, so it only counts on HTTPS responses.

Configuration Options

  • max-age: How long (seconds) browsers remember to use HTTPS
    • 1 year (31536000) — Recommended for production, and the minimum hstspreload.org accepts
    • 1 month (2592000) — Intermediate step once a short test value has caused no problems
    • 1 day (86400) — Initial testing
  • includeSubDomains: Apply the policy to every subdomain as well, including hosts not served by this site (staging, internal tools, webmail)
  • preload: Signals that you consent to being compiled into browsers' built-in HSTS lists. The flag alone does nothing; the domain must be submitted at hstspreload.org, which requires max-age of at least one year plus includeSubDomains

Warning

HSTS is difficult to undo. A browser that has seen the header caches the policy for max-age seconds and keeps upgrading to HTTPS even after you stop sending the header; removing it does not clear what browsers have already stored. The only way to withdraw a policy early is to keep serving the site over HTTPS with max-age=0 until every cached entry has been overwritten, and a preloaded domain cannot be withdrawn that way at all, since removal from the list takes months to reach shipped browsers. With includeSubDomains, any subdomain that is still HTTP-only becomes unreachable for those browsers. Only enable HSTS when you're committed to HTTPS permanently, on every host the policy covers.

Recommended Setup

  1. Start with a short max-age (1 day) to test
  2. Verify your site works properly over HTTPS: no mixed-content warnings, redirects land on https://, and every subdomain you intend to cover has a valid certificate
  3. Increase to 1 month, then 1 year
  4. Only add includeSubDomains if all subdomains use HTTPS
  5. Only add preload once max-age is one year, includeSubDomains is set and you accept that the entry cannot be quickly removed; then submit the domain at hstspreload.org
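Added example, not ArmorPro code: a small Python parser for the Strict-Transport-Security value that places it in the rollout stages above and lists what hstspreload.org would reject. The header strings in the usage are constructed; the 1 day / 1 month / 1 year thresholds are the ones from this page, and the preload requirements (one-year max-age, includeSubDomains, preload) are those published at hstspreload.org.

```python
"""Parse a Strict-Transport-Security value and check it against the staged
rollout (1 day -> 1 month -> 1 year -> preload).

Added example for this page, not ArmorPro code. Sample header values in the
usage section are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ONE_DAY = 86400
ONE_MONTH = 2592000
ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Hsts:
    """Split the value on ';' into directives; names are case-insensitive."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age="86400" is valid too
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Browsers ignore unknown directives, so this parser does too.
    if max_age is None:
        raise ValueError("max-age is required; browsers ignore the header without it")
    return Hsts(max_age, include_subdomains, preload)


def rollout_stage(h: Hsts) -> str:
    """Name the rollout stage a header corresponds to."""
    if h.max_age == 0:
        return "cleared"  # max-age=0 is how a cached policy is withdrawn
    if h.max_age < ONE_DAY:
        return "shorter than 1 day"
    if h.max_age < ONE_MONTH:
        return "testing (about 1 day)"
    if h.max_age < ONE_YEAR:
        return "intermediate (about 1 month)"
    return "production (1 year or more)"


def preload_problems(h: Hsts) -> list[str]:
    """Reasons hstspreload.org would reject this header; empty if it looks eligible."""
    problems = []
    if h.max_age < ONE_YEAR:
        problems.append(f"max-age {h.max_age} is below the required {ONE_YEAR}")
    if not h.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not h.preload:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    # Constructed values, one per rollout stage.
    for value in ("max-age=86400", "max-age=2592000; includeSubDomains",
                  "max-age=31536000; includeSubDomains; preload", "max-age=0"):
        h = parse_hsts(value)
        print(f"{value!r}: {rollout_stage(h)}; preload blockers: {preload_problems(h) or 'none'}")
```

Run it against the value your site actually sends (copy it from the browser's network tab or a curl -sI response) before moving to the next stage; the parser deliberately accepts the quoted and mixed-case spellings browsers accept, so a value that fails here will also be ignored by browsers.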

Content Security Policy (CSP)

CSP is the most powerful, and the most error-prone, security header: it tells the browser which sources it may load scripts, styles, images, fonts and other resources from. A well-built policy blocks injected scripts even when an XSS bug exists, turning a working exploit into a console error. A policy that allows 'unsafe-inline' or a wildcard for scripts provides very little of that protection, so the values chosen below matter more than the presence of the header.

CSP Directives

default-src: Fallback for all resource types

  • 'self' — Only your domain
  • 'none' — Block everything

script-src: Where JavaScript can load from

  • 'self' — Scripts from your domain
  • 'unsafe-inline' — Inline scripts and on* event handlers. Allowing this in script-src also lets an attacker's injected inline script run, which removes most of CSP's XSS protection; prefer a per-response nonce or a hash of each fixed inline script
  • 'unsafe-eval' — eval(), new Function() and similar string-to-code calls (avoid if possible)
  • https://example.com — Specific external domains

style-src: Where CSS can load from

img-src: Where images can load from

font-src: Where fonts can load from

connect-src: Where AJAX/fetch requests can go

frame-src: What your pages may embed in iframes. Who may embed your pages is a separate directive, frame-ancestors, which replaces X-Frame-Options and is the one that protects against clickjacking

CSP Builder

ArmorPro includes a CSP builder to help create your policy:

  1. Go to ArmorPro → Headers → CSP
  2. Use the visual builder to select allowed sources
  3. Start in Report-Only mode to test without breaking your site: the browser reports what the policy would have blocked but still loads it
  4. Review the browser console for violations on every kind of page (front end, logged-in views, checkout, admin), not just the home page
  5. Adjust your policy based on violations, adding the specific origin that was blocked rather than a wildcard
  6. Switch to Enforce mode when a full pass through the site shows no unexpected violations

Common CSP Issues

  • Google Analytics: Add https://www.google-analytics.com to script-src and connect-src
  • Google Fonts: Add https://fonts.googleapis.com to style-src and https://fonts.gstatic.com to font-src
  • WordPress admin: Consider excluding /wp-admin from CSP or using a relaxed policy there
  • Inline scripts: Many WordPress themes/plugins print inline scripts and onclick handlers, and the quick fix is 'unsafe-inline'. That setting also lets an attacker's injected inline script run, so the policy no longer stops XSS. Prefer a hash of each fixed inline script ('sha256-...') or a per-response nonce, and if you must use 'unsafe-inline', keep it to style-src, where the impact is smaller
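Added example, not ArmorPro's builder, covering both the Report-Only workflow above and the inline-script problem: a Python helper that assembles a policy from a directive map, computes a 'sha256-...' hash source for a fixed inline script instead of adding 'unsafe-inline', warns about script-src settings that defeat CSP, and reduces a batch of Report-Only violation reports to the origins each directive needs. The site, the inline script and the reports are constructed; the report fields are those of the standard report-uri JSON body, which you only receive if the policy also carries a report-uri or report-to directive (whether ArmorPro's builder exposes one is not stated on this page; the console shows the same violations).

```python
"""Build a CSP from a directive map, allow one inline script by hash, and
turn Report-Only violation reports into allowlist additions.

Added example for this page, not ArmorPro code. The inline script, site and
violation reports below are constructed; field names follow the report-uri
JSON format (csp-report, effective-directive, violated-directive, blocked-uri).
"""
import base64
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit


def hash_source(script_body: str) -> str:
    """Hash source for one inline script: base64(sha256(exact bytes of the body)).
    Any change to the script, whitespace included, invalidates the hash."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_policy(directives: dict[str, list[str]]) -> str:
    """Serialize {directive: [sources]} as 'name src src; name src'."""
    return "; ".join(name if not sources else f"{name} {' '.join(sources)}"
                     for name, sources in directives.items())


def script_src_warnings(directives: dict[str, list[str]]) -> list[str]:
    """Flag script settings that undo CSP's XSS protection."""
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    warnings = []
    if "'unsafe-inline'" in sources:
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
        warnings.append("'unsafe-inline' is ignored when a nonce or hash is present; drop it"
                        if has_nonce_or_hash
                        else "'unsafe-inline' in script-src lets injected inline scripts run")
    if "'unsafe-eval'" in sources:
        warnings.append("'unsafe-eval' lets eval()/new Function() run attacker-controlled strings")
    if "*" in sources or "https:" in sources:
        warnings.append("wildcard script source allows scripts from any host")
    return warnings


def suggest_from_reports(reports: list[dict]) -> tuple[dict[str, set[str]], set[str]]:
    """Reduce Report-Only violations to {directive: origins to add} plus the directives
    that saw inline/eval violations, which need a hash or nonce rather than a host."""
    additions: dict[str, set[str]] = defaultdict(set)
    needs_hash_or_nonce: set[str] = set()
    for report in reports:
        body = report["csp-report"]
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        blocked = body["blocked-uri"]
        parts = urlsplit(blocked)
        if blocked in ("inline", "eval"):
            needs_hash_or_nonce.add(directive)
        elif parts.scheme and parts.netloc:
            additions[directive].add(f"{parts.scheme}://{parts.netloc}")  # origin, not full URL
        elif blocked.isalpha():
            additions[directive].add(f"{blocked}:")  # bare scheme such as 'data' -> data:
        else:
            additions[directive].add(blocked)
    return dict(additions), needs_hash_or_nonce


def apply_additions(directives: dict[str, list[str]], additions: dict[str, set[str]]) -> dict:
    """Append suggested origins. A directive that did not exist starts from the default-src
    list, because once it exists the default-src fallback no longer applies to it."""
    merged = {name: list(sources) for name, sources in directives.items()}
    for directive, origins in additions.items():
        current = merged.setdefault(directive, list(directives.get("default-src", [])))
        for origin in sorted(origins):
            if origin not in current:
                current.append(origin)
    return merged


# Constructed Report-Only violations for a site using Google Fonts and a theme that
# prints an inline script. Not real reports.
SAMPLE_REPORTS = [
    {"csp-report": {"effective-directive": "font-src", "violated-directive": "default-src 'self'",
                    "blocked-uri": "https://fonts.gstatic.com/s/roboto/v30/font.woff2"}},
    {"csp-report": {"effective-directive": "style-src", "violated-directive": "style-src 'self'",
                    "blocked-uri": "https://fonts.googleapis.com/css2?family=Roboto"}},
    {"csp-report": {"effective-directive": "img-src", "violated-directive": "default-src 'self'",
                    "blocked-uri": "data"}},
    {"csp-report": {"effective-directive": "script-src", "violated-directive": "script-src 'self'",
                    "blocked-uri": "inline", "script-sample": "window.dataLayer = window.dataLay"}},
]

INLINE_SCRIPT = "window.dataLayer = window.dataLayer || [];"  # constructed theme snippet

BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", hash_source(INLINE_SCRIPT)],  # hash instead of 'unsafe-inline'
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
}

if __name__ == "__main__":
    additions, inline = suggest_from_reports(SAMPLE_REPORTS)
    print("add:", additions, "| hash or nonce needed for:", inline)
    print(build_policy(apply_additions(BASE_POLICY, additions)))
    print(script_src_warnings({"script-src": ["'self'", "'unsafe-inline'"]}))
```

Two details worth carrying into the visual builder: the suggestions add the blocked origin (scheme and host), not the full URL, because a path-level source is brittle and a bare host allows http as well; and an inline violation is never answered with 'unsafe-inline' but with the hash of the script that was blocked (the script-sample in the report only shows the first characters, so the hash must be computed from the full script in the theme's output).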

Permissions Policy

Permissions Policy (formerly Feature Policy) controls which browser features your site can use.

Available Features

  • camera: Camera access
  • microphone: Microphone access
  • geolocation: Location access
  • payment: Payment Request API
  • usb: USB device access
  • fullscreen: Fullscreen mode
  • autoplay: Media autoplay

Configuration

For each feature, the header carries an allowlist, and the value you choose maps to the following header syntax:

  • self: Allow only on your own origin, written camera=(self)
  • *: Allow everywhere, including cross-origin iframes, written camera=*
  • none: Disable completely, written as the empty allowlist camera=()
  • specific origins: Allow only on the listed origins, which are quoted, as in camera=(self "https://meet.example.com")

Recommended Settings

For most sites, disable features you don't use. A feature disabled in your top-level policy cannot be re-enabled by an embedded iframe's allow attribute, so check any third-party embeds (maps, payment widgets, video players) before locking one down:

  • camera=(), microphone=() — Unless you have video chat
  • geolocation=() — Unless you use location features
  • payment=() — Unless you use Payment Request API
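Added example, not ArmorPro code, for the allowlist forms and the recommended settings above: a Python serializer that turns {feature: allowlist} into Permissions-Policy header syntax, rejects entries that are not origins, and produces the "everything off except what the site uses" policy recommended here. The feature names are the ones listed on this page; the origins in the usage are constructed.

```python
"""Serialize a Permissions-Policy header from {feature: allowlist}.

Added example for this page, not ArmorPro code. Feature names are the ones
listed above; the origins used in the usage at the bottom are constructed.
"""
from urllib.parse import urlsplit

KNOWN_FEATURES = {"camera", "microphone", "geolocation", "payment", "usb", "fullscreen", "autoplay"}


def render_allowlist(entries: list[str]) -> str:
    """Render one feature's allowlist in header syntax.
        []                               -> ()        disabled everywhere, iframes included
        ["self"]                         -> (self)    your own origin only
        ["*"]                            -> *         any origin, including cross-origin iframes
        ["self", "https://pay.example"]  -> (self "https://pay.example")
    """
    if entries == ["*"]:
        return "*"
    rendered = []
    for entry in entries:
        if entry == "self":
            rendered.append("self")
        elif entry == "*":
            raise ValueError("'*' stands alone; it cannot be combined with other entries")
        else:
            parts = urlsplit(entry)
            # Allowlist entries are origins: scheme and host only, no path or query.
            if not parts.scheme or not parts.netloc or parts.path not in ("", "/") or parts.query:
                raise ValueError(f"not an origin: {entry!r}")
            rendered.append(f'"{parts.scheme}://{parts.netloc}"')
    return "(" + " ".join(rendered) + ")"


def build_permissions_policy(policy: dict[str, list[str]]) -> str:
    """Join features as 'feature=allowlist, feature=allowlist'."""
    unknown = set(policy) - KNOWN_FEATURES
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    return ", ".join(f"{feature}={render_allowlist(entries)}"
                     for feature, entries in policy.items())


def lockdown(used: dict[str, list[str]]) -> str:
    """Disable every known feature, then reopen only the ones the site actually uses."""
    policy: dict[str, list[str]] = {feature: [] for feature in sorted(KNOWN_FEATURES)}
    policy.update(used)
    return build_permissions_policy(policy)


if __name__ == "__main__":
    # Constructed: a site with fullscreen video and a hosted payment widget in an iframe.
    print(lockdown({"fullscreen": ["self"], "payment": ["self", "https://pay.example"]}))
```

The lockdown() default is the safe starting point: every listed feature is off, and each one you reopen is a deliberate decision with a named origin, which is also what makes the policy reviewable later.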

Testing Your Headers

After configuring advanced headers:

  1. Scan the site with securityheaders.com to confirm each header is present with the value you configured
  2. Fetch the raw response headers yourself (curl or the browser's network tab) and check that Strict-Transport-Security is sent on HTTPS responses, since browsers ignore it over plain HTTP, and that your web server or CDN is not adding a second copy of any header: two Content-Security-Policy headers are both enforced, so a resource must be allowed by each
  3. Check the browser console for CSP violations on every kind of page, not only the home page
  4. Test all site functionality (forms, media, external integrations, logged-in and admin views)
  5. Test on multiple browsers