Feature/security headers #21

Merged
brettsmason merged 12 commits into main from feature/security-headers on Nov 17, 2025

Conversation

@DanielHudson2

Member

Added an action for wp_headers to set security headers

For now have only added a basic default 'X-Frame-Options' = 'SAMEORIGIN' to prevent clickjacking. @edjeavons, could do with some input on others from a server-side perspective.

This came from checking the security headers on the eighteen73 site https://securityheaders.com/?q=https%3A%2F%2Feighteen73.co.uk

Also added a filter so this can be overridden on a per site basis if needed

@DanielHudson2 DanielHudson2 added the enhancement New feature or request label Aug 14, 2025

@brettsmason brettsmason left a comment

Member


Looks good to me. My only comment is: should we have a filter to enable/disable, the same as the others, e.g. orbit_enable_security_headers? I'll leave Ed to comment on what the defaults should be.

@edjeavons

Member

This is a really good idea, thanks @DanielHudson2

I've added some additional suggestions for the default header set. We'll need to give Content-Security-Policy a little thought to consider what's safe because I've definitely had problems trying to jump directly to generalised rules with that before.

I've added an is_ssl() check around the Strict-Transport-Security header to ensure it doesn't harm websites before devs are ready for it, but you and @brettsmason might have a preferred way to test for whether or not requests are using SSL.

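The PR's diff is not shown on this page, so the following is an added example, not the project's own code, of how the pieces described in the comments above fit together in PHP: a callback on the WordPress `wp_headers` filter hook, an enable/disable filter as suggested by Brett, a per-site override filter as described by Daniel, and the `is_ssl()` guard around `Strict-Transport-Security` that Ed mentions. The hook name `orbit_enable_security_headers` comes from the comment above; `orbit_security_headers`, the namespace, and every default header other than `X-Frame-Options: SAMEORIGIN` are assumptions made for illustration.

```php
<?php
/**
 * Added example (not the project's code). Sends a default set of security
 * headers through the WordPress `wp_headers` filter, with two assumed hooks:
 *   - orbit_enable_security_headers : bool, switch the whole feature off
 *   - orbit_security_headers        : array, per-site header overrides
 */

namespace Orbit\Security;

/**
 * Conservative defaults. Everything except X-Frame-Options is an assumed
 * value for this example; a real site tunes these.
 */
function default_headers(): array {
	$headers = [
		'X-Frame-Options'        => 'SAMEORIGIN',
		'X-Content-Type-Options' => 'nosniff',
		'Referrer-Policy'        => 'strict-origin-when-cross-origin',
		// Placeholder CSP that only mirrors X-Frame-Options. A generalised
		// script/style policy breaks real sites, so each site must set its own.
		'Content-Security-Policy' => "frame-ancestors 'self'",
	];

	// Only advertise HSTS on a TLS request. Once a browser has cached the
	// header it refuses plain-HTTP access to the host (and, with
	// includeSubDomains, every subdomain) for max-age seconds.
	if ( function_exists( 'is_ssl' ) && is_ssl() ) {
		$headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
	}

	return $headers;
}

/**
 * Callback for the `wp_headers` filter. $headers is the array WordPress is
 * about to emit; returning it merged with ours makes WP send them.
 */
function add_security_headers( array $headers ): array {
	// Assumed on/off switch, defaulting to enabled.
	if ( ! apply_filters( 'orbit_enable_security_headers', true ) ) {
		return $headers;
	}

	// Assumed per-site override hook. A site can change a value or set it to
	// '' to drop that header entirely (array_filter removes empty values).
	$ours = apply_filters( 'orbit_security_headers', default_headers() );
	$ours = array_filter( $ours, static fn ( $v ) => '' !== (string) $v );

	// Our values win over anything WordPress already queued under the same name.
	return array_merge( $headers, $ours );
}
add_filter( 'wp_headers', __NAMESPACE__ . '\\add_security_headers' );

/*
 * Example per-site override, e.g. from a theme or mu-plugin: forbid framing
 * entirely and remove the placeholder CSP so the site can ship its own.
 */
add_filter( 'orbit_security_headers', static function ( array $h ): array {
	$h['X-Frame-Options']         = 'DENY';
	$h['Content-Security-Policy'] = '';
	return $h;
} );
```

Two checks worth doing after deploying something like this. First, confirm the headers actually leave the server with `curl -sI https://example.com | grep -iE '^(x-frame-options|strict-transport-security|content-security-policy)'`, since a caching layer or the web server can add or strip them. Second, `is_ssl()` in WordPress core decides from `$_SERVER['HTTPS']` and the server port, not from `X-Forwarded-Proto`, so behind a TLS-terminating load balancer it returns false unless the proxy header is mapped into `$_SERVER['HTTPS']` (commonly done in wp-config.php); in that setup the HSTS header is silently never sent, which is the safe direction but is easy to miss. Browsers ignore `Strict-Transport-Security` received over plain HTTP anyway, so the real risk the guard protects against is enabling `includeSubDomains` before every subdomain serves HTTPS.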
@brettsmason

Member

@edjeavons Could we have a catch up on this at some point to try and get this through?

@DanielHudson2 DanielHudson2 marked this pull request as draft October 30, 2025 09:52
This is expected for PCI tests
This can be considered a placeholder for websites to customise based on their own needs.
@DanielHudson2 DanielHudson2 marked this pull request as ready for review November 14, 2025 12:09

@edjeavons edjeavons left a comment

Member


I've refined a couple of things and tested it on a website. It's OK to merge as soon as you're ready.

@brettsmason brettsmason merged commit 9b86e0f into main Nov 17, 2025
@DanielHudson2 DanielHudson2 deleted the feature/security-headers branch November 17, 2025 09:53

3 participants