Custom HTTP Headers (nginx, WordPress)

If you have a website and you are not implementing some custom headers you may want to look into it. These are not set by default and can help in protecting your site from all types of attacks.

To start with go to and scan your site. If you have none of these headers implemented your site will score very poorly. Don’t forget with these headers we aren’y only protecting our site, but also our site visitors as well.

The ones we are going to look at are for protecting against Cross-Site-Scripting, malicious content, drive-by downloads, and stop your site being viewed in an iframe.  We will also stop the site advertising Server and software details, for example the Server build, and php version. The reason for this is not covered here but if you are intersted you can go here and read this brilliant  article by @Scott_Helme.

For today we will be concetrating on WordPress installed on LEMP stack. Firstly we need to backup our config, and then go to our active config file. (yours may be different depending on your setup). Also note that the Strict Transport Security header is for https sites only.

sudo nano /etc/nginx/sites-enabled/wordpress

Then in our http server block we add the following. ( if using https on your site then put the headers in both blocks.

add_header X-Frame-Options "SAMEORIGIN";

add_header Content-Security-Policy "default-src";

add_header X-Xss-Protection "1; mode=block";

add_header X-Content-Type-Options "nosniff";

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

server_tokens off;

You can see the layout in the screenshot.

We save the changes then run the following to test for typo’s.

sudo nginx -t


sudo service nginx restart

Finally we go change a setting in the php.ini file for our version to disable version broadcast.

sudo nano /etc/php5/fpm/php.ini

We need to change

expose_php = on


expose_php = off

Save and close the file and restart php

sudo service php5-fpm restart

To check all this is working correctly go back to Security Headers and check your site again. Your sites rating should be significantly better.