內容簡介
TLS 正在變得越來越複雜。服務器名稱指示 (SNI) 現在意味著 HTTPS 網站可以使用共享 IP 地址,或以其他方式受到限制。對於這些服務器,能夠在沒有訪問 Web 服務器配置或使用 .htaccess 文件的情況下設置所需的 HTTP 標頭非常方便。
此外掛程序提供以下控制選項:
HSTS(Strict-Transport-Security)
HPKP(Public-Key-Pins)
禁用內容嗅探(X-Content-Type-Options)
XSS 防護(X-XSS-Protection)
點擊劫持防護(主站 X-Frame-Options)
Expect-CT
HSTS 用於確保未來對網站的所有連接都使用 TLS,並禁止繞過該網站的證書警告。
如果您不想僅依靠證書授權模型來進行證書發行,可以使用 HPKP。
禁用內容嗅探通常適用於允許用戶上傳具有特定類型的文件的網站,但瀏覽器可能會愚蠢地將其解釋為其他類型,進而可能造成意外攻擊。
XSS 保護重新啟用網站的 XSS 保護,如果用戶先前已禁用它,並設置“阻止”選項,以便攻擊不會被靜默忽略。
點擊劫持防護通常僅在有用戶登錄的情況下才會有用,但如果用戶請求,則可能有豐富的 WordPress 身份驗證之外的內容需要保護。
使用 Expect-CT,可以確保正確配置了證書透明度。
外掛標籤
開發者團隊
📦 歷史版本下載
原文外掛簡介
TLS is growing in complexity. Server Name Indication (SNI) now means HTTPS sites may be on shared IP addresses, or otherwise restricted. For these servers it is handy to be able to set desired HTTP headers without access to the web servers configuration or using .htaccess file.
This plug-in exposes controls for:
HSTS (Strict-Transport-Security)
HPKP (Public-Key-Pins)
Disabling content sniffing (X-Content-Type-Options)
XSS protection (X-XSS-Protection)
Clickjacking mitigation (X-Frame-Options in main site)
Expect-CT
HSTS is used to ensure that future connections to a website always use TLS, and disallowing bypass of certificate warnings for the site.
HPKP is used if you don’t want to rely solely on the Certificate Authority trust model for certificate issuance.
Disabling content sniffing is mostly of interest for sites that allow users to upload files of specific types, but that browsers might be silly enough to interpret of some other type, thus allowing unexpected attacks.
XSS protection re-enables XSS protection for the site, if the user has disabled it previously, and sets the “block” option so that attacks are not silently ignored.
Clickjacking protection is usually only relevant when someone is logged in but users requested it, presumably they have rich content outside of WordPress authentication they wish to protect.
Expect-CT is used to ensure Certificate Transparency is configured correctly.
