• Resolved bruceleebee

    (@bennygill)


    After doing a security audit at securityheaders.io I was very concerned to learn that I did not have any of these headers set, which I thought was covered by WordFence in the htaccess file.

    Is there a reason you have left out this layer of security?

    • This topic was modified 6 years, 11 months ago by bruceleebee.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi,
    Currently there is no option in the plugin to include these headers in the “.htaccess” file. Setting these headers will vary depending on many factors, like which domains you want to allow loading resources from, which types of scripts you allow, etc., so it will be a very challenging feature to come up with a solution that supports all the customization needed without breaking others on different server environments.

    I recommend checking this guide while setting them and carefully choosing the options that suit your project, as I’m pretty sure there is no one easy fix for this issue that will work on all users’ sites out of the box.

    Thanks.

    @wfalaa excellent!

    Is there a way to monitor vulnerable headers being abused or probed on the server?
    I have a hard time convincing a sysadmin that such hardening is needed.

    Thanks again.

    Scanning with any of the tools available online, like the one you mentioned in this thread, should be helpful to detect such an issue; however, human intervention is necessary when you see something that is misconfigured.

    Thanks.

  • The topic ‘Why does WordFence not include security headers?’ is closed to new replies.