前言介紹
- 這款 WordPress 外掛「Headers Security Advanced & HSTS WP」是 2021-09-03 上架。
- 目前有 80000 個安裝啟用數。
- 上一次更新是 2025-04-28,距離現在已有 6 天。
- 外掛最低要求 WordPress 4.7 以上版本才可以安裝。
- 外掛要求網站主機運作至少需要 PHP 版本 7.4 以上。
- 有 66 人給過評分。
- 論壇上目前有 4 個提問,問題解答率 50%
外掛協作開發者
erku | unicorn03 | unicorn07 | alexclassroom |
外掛標籤
csp | hsts | headers | clickjacking | headers security |
內容簡介
Headers Security Advanced & HSTS WP 是一款超強大的全方位 WordPress 免費外掛。如果停用這個外掛,你的網站設定會恢復到停用之前的狀態。
Headers Security Advanced & HSTS WP 的目標是實現 HTTP 響應標頭,讓你的網站增強安全性。外掛會自動設置所有最佳做法 (你不需要考慮任何事情),這些 HTTP 響應標頭可以防止現代瀏覽器遇到容易預測的漏洞。Headers Security Advanced & HSTS WP 的目標是讓所有 WordPress 用戶都熟悉和使用這些標頭。
此外掛是由 TentaclePlugins 開發,關注 WordPress 安全和最佳做法。
以下是 Headers Security Advanced & HSTS WP 的最佳功能:
限制登錄次數,阻止暴力攻擊。
X-XSS-Protection
Expect-CT
Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers
X-Content-Security-Policy
X-Content-Type-Options
X-Frame-Options
X-Permitted-Cross-Domain-Policies
X-Powered-By
Content-Security-Policy
Referrer-Policy
HTTP Strict Transport Security / HSTS
Content-Security-Policy
Clear-Site-Data
Cross-Origin-Embedder-Policy-Report-Only
Cross-Origin-Opener-Policy-Report-Only
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
Permissions-Policy
Strict-dynamic
Strict-Transport-Security
FLoC (Federated Learning of Cohorts)
Headers Security Advanced & HSTS WP 基於 OWASP CSRF 保護您的 WordPress 網站。使用 OWASP CSRF,一旦安裝外掛,它將提供完整的 CSRF 防護,無需另外調用輸出的 nonce。
HTTP 安全標頭是網站安全的關鍵組成部分。Headers Security Advanced & HSTS WP 自動實現這些標頭,保護您的網站免受最惡名昭著的攻擊。這些標頭可保護免受 XSS、代碼注入、點擊劫持等攻擊。
我們已經實現 FLoC,並遵循最佳做法。使用 Headers Security Advanced & HSTS WP 可以防止瀏覽器在 FLoC (Federated Learning of Cohorts) 計算中包含你的網站。這意味著無法調用 document.interestCohort() 來獲取當前使用客戶端的 FLoC ID。當然,這只在你當前訪問的網站範圍內有效,不會在客戶端範圍內 "禁用" FLoC。
儘管 FLoC 還很新且尚未得到廣泛支持,作為程序員,我們認為保護隱私是很重要的,因此我們選擇為你提供退出 FLoC 的功能!我們創建了一個特殊的 "自動阻止 FLoC" 功能,試圖始終提供以隱私保護和網絡安全為主要目標和重點的最佳工具。
使用 Headers Security Advanced & HSTS WP 安全標頭前後分析你的網站,可使其自我配置符合 HTTP 安全標頭和 HTTP Strict Transport Security / HSTS 的最佳做法。
以下是分析網站的一些實用工具:
在 securityheaders.com 上檢查 HTTP 安全標頭
在 查看 HTTP Strict Transport Security / HSTS
原文外掛簡介
Headers Security Advanced & HSTS WP is Best all-in-one a free plug-in for all WordPress users. Deactivating this plugin will return your site configuration exactly to the state it was in before.
The Headers Security Advanced & HSTS WP project implements HTTP response headers that your site can use to increase the security of your website. The plug-in will automatically set up all Best Practices (you don’t have to think about anything), these HTTP response headers can prevent modern browsers from running into easily predictable vulnerabilities. The Headers Security Advanced & HSTS WP project wants to popularize and increase awareness and usage of these headers for all wordpress users.
This plugin is developed by TentaclePlugins by irn3, we care about WordPress security and best practices.
Check out the best features of Headers Security Advanced & HSTS WP:
X-XSS-Protection (Deprecated)
Pragma (Deprecated)
Public-Key-Pins (Deprecated)
Expect-CT (Deprecated)
Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers
X-Content-Security-Policy
X-Content-Type-Options
X-Frame-Options
X-Permitted-Cross-Domain-Policies
X-Powered-By
Content-Security-Policy
Referrer-Policy
HTTP Strict Transport Security / HSTS
Content-Security-Policy
Content-Security-Policy-Report-Only
Clear-Site-Data
Cross-Origin-Embedder-Policy-Report-Only
Cross-Origin-Opener-Policy-Report-Only
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
Permissions-Policy
Strict-dynamic
Strict-Transport-Security
FLoC (Federated Learning of Cohorts)
Headers Security Advanced & HSTS WP is based on OWASP CSRF to protect your wordpress site. Using OWASP CSRF, once the plugin is installed, it will provide full CSRF mitigation without having to call a method to use nonce on the output. The site will be secure despite having other vulnerable plugins (CSRF).
HTTP security headers are a critical part of your website’s security. After automatic implementation with Headers Security Advanced & HSTS WP, they protect you from the most notorious types of attacks your site might encounter. These headers protect against XSS, code injection, clickjacking, etc.
We have put a lot of effort into making the most important services operational with Content Security Policy (CSP), below are some examples that we have tested and used with Headers Security Advanced & HSTS WP:
CSP usage for Google Tag Manager
world’s most popular tag manager
Using CSP for Gravatar
Avatar service for WordPress and Social sites
Using CSP for WordPress Internal Media
support WordPress media
Using CSP for Youtube Embedded Video SDK
support Youtube embedded frames and JS SDK
CSP usage for CookieLaw
privacy technology to meet regulatory requirements
CSP usage for Mailchimp
support for Mailchimp automation, SDK and modules
CSP usage for Google Analytics
support for basic conversion domains such as: stats.g.doubleclick.net and www.google.com
CSP usage for Google Fonts
you’re not loading it on the page, chances are one of your SDKs is using it
Using CSP for Facebook
support Facebook SDK functionality
Using CSP for Stripe
highly secure online payment system
Using CSP for New Relic
it’s a registration and monitoring utility
Using CSP for Linkedin Tags + SDKs
support Linkedin Insight, Linkedin Ads and SDK
Using CSP for OneTrust
OneTrust support helps companies manage privacy requirements
CSP usage for Moat
Moat support to measurement suite such as: ad verification, brand safety, advertising and coverage
CSP usage for jQuery
support of jQuery – JS library
CSP usage for Twitter Widgets & SDKs
support Connect, Widgets and the Twitter client-side SDK
Using CSP for Google Maps
support Google Maps as The ggpht used by streetview
Using CSP for Quantcast Choice
Quantcast support for privacy such as GDPR and CCPA
CSP usage for Twitter Ads & Analytics
Twitter support for advertising and Analytics
Using CSP for Paypal
PayPal support for online payment system
Using CSP for Drift
Drift and Driftt support
CSP usage for Cookiebot
cookie and tracker support, GDPR/ePrivacy and CCPA compliance
CSP usage for Vimeo Embedded Videos SDK
support frames, JS SDK, Froogaloop integration
Using CSP for AppNexus (now Xandr)
AppNexus support for custom retargeting
Using CSP for Mixpanel
support analytics tool with SDK/JS to collect client-side data
Using CSP for Font Awesome
toolkit support for fonts and icons over CSS and Less
Using CSP for Google reCAPTCHA
reCAPTCHA support for fraud and bot protection
CSP usage for Bootstrap CDN
Bootstrap support for CSS frameworks
Using CSP for HubSpot
Hubspot support with many features, used for monitoring and mkt functionality
Using CSP for Hotjar
Hotjar tracker support for analytics and metrics
Using CSP for WP.com
support for wp.com hosting
Using CSP for Akamai mPulse
support for Akamai mPulse, for origin and perimeter integrations
CSP usage for Cloudflare – Rocket-Loader & Mirage
support for Mirage libraries for performance acceleration
Using CSP for Cloudflare – CDN.js
Cloudflare’s open CDN support with multiple libraries
Using CSP for jsDelivr
support jsDelivr free CDN for Open Source
Headers Security Advanced & HSTS WP is based on the OWASP CSRF standard to protect your wordpress site. Using the OWASP CSRF standard, once the plugin is installed, you can customize CSP rules for full CSRF mitigation. The site will be secure despite having other vulnerable plugins (CSRF).
Integration with Sentry, Report URI, URIports and Datadog
Sentry is a well-known platform for monitoring and tracking errors in applications. By integrating Sentry with our plugin, users can:
* Receive detailed reports on content security policy (CSP) violations.
* Monitor and analyze JavaScript exceptions occurring on their site.
* Benefit from advanced tools for proactive troubleshooting.
Monitoring and Integration with Sentry, Datadog and URI Reports for optimal security.
All Free Features
The Headers Security Advanced & HSTS WP version includes all the free features.
We have implemented FLoC (Federated Learning of Cohorts), using best practices. First, using Headers Security Advanced & HSTS WP prevents the browser from including your site in the “cohort calculation” on FLoC (Federated Learning of Cohorts). This means that nothing can call document.interestCohort() to get the FLoC ID of the currently used client. Obviously, this does nothing outside of your currently visited site and does not “disable” FLoC on the client beyond that scope.
Even though FLoC is still fairly new and not yet widely supported, as programmers we think that privacy protection elements are important, so we choose to give you the feature of being opt out of FLoC! We’ve created a special “automatic blocking of FLoC” feature, trying to always offer the best tool with privacy protection and cyber security as main targets and focus.
Analyze your site before and after using Headers Security Advanced & HSTS WP security headers are self-configured according to HTTP Security Headers and HTTP Strict Transport Security / HSTS best practices.
Check HTTP Security Headers on securityheaders.com
Check HTTP Strict Transport Security / HSTS at hstspreload.org
Check WebPageTest at webpagetest.org
Check HSTS test website gf.dev/hsts-test
Check CSP test website csper.io/evaluator
Check CSP Evaluator csp-evaluator.withgoogle.com
CSP Content Security Policy Generator addons.mozilla.org
This plugin is updated periodically, our limited support is free, we are available for your feedback (bugs, compatibility issues or recommendations for next updates). We are usually fast :-D.
各版本下載點
- 方法一:點下方版本號的連結下載 ZIP 檔案後,登入網站後台左側選單「外掛」的「安裝外掛」,然後選擇上方的「上傳外掛」,把下載回去的 ZIP 外掛打包檔案上傳上去安裝與啟用。
- 方法二:透過「安裝外掛」的畫面右方搜尋功能,搜尋外掛名稱「Headers Security Advanced & HSTS WP」來進行安裝。
(建議使用方法二,確保安裝的版本符合當前運作的 WordPress 環境。
trunk | 4.8.89 | 4.8.98 | 5.0.01 | 5.0.02 | 5.0.03 | 5.0.04 | 5.0.05 | 5.0.06 | 5.0.10 | 5.0.13 | 5.0.14 | 5.0.16 | 5.0.17 | 5.0.18 | 5.0.19 | 5.0.20 | 5.0.21 | 5.0.22 | 5.0.23 | 5.0.24 | 5.0.25 | 5.0.26 | 5.0.27 | 5.0.28 | 5.0.29 | 5.0.30 | 5.0.33 | 5.0.34 | 5.0.35 | 5.0.36 | 5.0.37 | 5.0.38 | 5.0.39 | 5.0.40 | 5.0.41 | 5.0.42 | 5.0.43 |
延伸相關外掛(你可能也想知道)
GD Security Headers 》此外掛程式可設定多項與安全相關的 HTTP 標頭,包括內容安全策略、功能策略、轉送者策略等,其中 CSP 和 XSS 控制外掛支援報告記錄功能,使用兩個額外的資料...。
Content Security Policy Manager 》Content Security Policy Manager 是一個 WordPress 外掛,允許您輕鬆配置網站內容安全政策標頭。您可以為管理介面、已登入使用者的前端和常規訪客的前端設定...。
WP Content Security Plugin 》內容安全策略 (Content Security Policy, CSP) 是 W3C 的一項指導方針,旨在防止跨站腳本 (Cross-site scripting, XSS) 等攻擊。XSS 允許其他人在您的網站上...。
No unsafe-inline 》內容安全策略(Content Security Policy, CSP)是一種計算機安全標準,旨在防止跨站腳本(XSS)、點擊劫持及其他代碼注入攻擊,在信任的網頁上下文中執行惡意內容...。
CSP-ANTS&ST 》為了讓你的網站完全安全,你必須避免在你的內容安全政策標頭中使用 ‘unsafe-eval’ 和 ‘unsafe-inline’。, 這個外掛會在 script/styl...。
Sentinel Headers Unlimited Extension 》中文翻譯, Sentinel Headers Unlimited Extension 是一個最佳的免費插件,適用於所有 WordPress 使用者。如果停用此插件,您的網站配置將恢復到之前的狀態。,...。
SeaSP Community Edition 》SeaSP社群版是一個自動化的內容安全性政策管理器。SeaSP允許您為您的網站創建、配置、管理和部署內容安全政策。, WordPress SeaSP社群版外掛會記錄出現在您網...。
Headit 》這個外掛提供了在網站回應中添加 HTTP headers 的簡單方式。, 這些 headers 可以包括您的應用程式特定的自訂 headers,或者是安全相關的 headers。您可能希望...。
GDPR Helper using CSP 》透過阻擋所有第三方請求,輕鬆遵守歐盟 GDPR。, 此插件的目標是盡可能簡單地阻擋所有不需要的請求,透過設置一般內容安全性政策實現。, 此外,此插件也支援某...。
WordSentinel 》總結: WordSentinel WordPress 外掛強化您的網站安全性,可設定 HTTP 安全標頭,並提供兩個知名服務的安全評分:Mozilla Observatory 及 Qualys SSL Labs。, ...。