If you run a website and are not setting HTTP security headers, you should look into it. They are not sent by default, and they help protect your site (and your visitors) against a range of common attacks.
To start, go to https://securityheaders.io/ and scan your site. If none of these headers are in place, your site will score very poorly. Remember that with these headers we are not only protecting our site, but our visitors as well.
The headers we will look at protect against cross-site scripting, malicious content and drive-by downloads, and stop your site from being framed inside an iframe on someone else's page. We will also stop the site advertising server and software details, such as the nginx build and the PHP version. The reasoning behind each header is not covered here; if you are interested, read this brilliant article by @Scott_Helme.
Today we will concentrate on WordPress installed on a LEMP stack. First back up the nginx config, then open the active site config file (the path may differ depending on your setup). Note that the Strict-Transport-Security header is for https sites only.
sudo nano /etc/nginx/sites-enabled/wordpress
Then, inside the site's server block, add the following lines (if the site is served over both http and https, add them to both server blocks). Replace yoursite.com with your own hostname.
# "always" makes nginx send the header on every response, including error pages such as the 404 page WordPress renders (nginx 1.7.5 or newer)
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "default-src yoursite.com" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
You can see the layout in the screenshot.
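As an added example (this is not the configuration from the original post), here is what a complete https server block for the site could look like once the headers are in, together with server_tokens off, which is the directive that actually removes the nginx version from the Server header and from error pages (the text above promises this but the snippet does not show it). The hostname example.com, the certificate paths, the web root and the PHP-FPM socket path are assumptions; change them to match your installation.

```nginx
# Added example: hardened https server block for WordPress on nginx.
# Hostname, certificate paths, web root and PHP-FPM socket are assumptions.
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # assumed path

    root /var/www/wordpress;                               # assumed web root
    index index.php;

    # Stop advertising the nginx version in the Server header and on error pages.
    server_tokens off;

    # "always" sends the header on every status code, including the 404 page
    # that WordPress renders as a full HTML document (needs nginx >= 1.7.5).
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Start CSP in report-only mode. WordPress themes and plugins inject inline
    # scripts and styles, so a bare default-src policy enforced on day one will
    # break the admin area and many themes. Watch the browser console, widen the
    # policy, then rename the header to Content-Security-Policy to enforce it.
    add_header Content-Security-Policy-Report-Only "default-src 'self'" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Caution: add_header lines are NOT inherited into a location block
        # that declares its own add_header. If you add one here, repeat all
        # of the headers above inside this block as well.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;          # assumed socket path
        # Belt and braces next to expose_php = Off in php.ini.
        fastcgi_hide_header X-Powered-By;
    }
}

# The plain-http block only redirects; HSTS is sent over https above,
# because browsers ignore Strict-Transport-Security received over http.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

Two caveats before copying this: includeSubDomains commits every subdomain to https for a year, so only keep it if all of them already serve https; and 'self' in the CSP is the usual way to write "this site", matching scheme, host and port of the page rather than naming the host as the snippet above does.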
Save the changes, then run the following to check the configuration for typos before restarting nginx.
sudo nginx -t
sudo service nginx restart
Finally, change a setting in the php.ini for our PHP version so that PHP stops broadcasting its version in the X-Powered-By header.
sudo nano /etc/php5/fpm/php.ini
We need to change
expose_php = On
to
expose_php = Off
Save and close the file, then restart PHP-FPM.
sudo service php5-fpm restart
To check that all this is working, go back to Security Headers and scan your site again. Your site's rating should be significantly better.
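You can also verify the headers yourself from the command line with curl -sI against your site and read through the response head. As an added example (not part of the original post), the script below does that reading for you: it parses a raw response head and reports which of the checks in this post fail, including the version disclosures. The two sample responses are constructed for the example, not captured from a real site; example.com is a placeholder.

```python
"""Added example: check a captured HTTP response head for the headers this post
configures. Not part of the original post; the sample responses are constructed.
"""
import re

# One year, the max-age used in the nginx snippet in this post.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample: a stock LEMP/WordPress response before hardening.
BEFORE = """HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.5.9-1ubuntu4
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"
"""

# Constructed sample: the same site after the changes in this post.
AFTER = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""


def parse_headers(raw):
    """Turn a raw response head (as printed by `curl -sI`) into a dict.

    Header names are case-insensitive, so keys are lower-cased. The status
    line is skipped; a repeated header keeps its last value.
    """
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers, https=True):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Clickjacking: only DENY and SAMEORIGIN are reliable values.
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # CSP: without a default-src fallback, unlisted fetch types are unrestricted.
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy has no default-src fallback")

    # MIME sniffing of scripts and downloads.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    # Legacy browser XSS filter header; a value of 0 would disable the filter.
    xss = headers.get("x-xss-protection", "").replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append("X-XSS-Protection missing or not '1; mode=block'")

    # HSTS only matters over https; browsers ignore it on plain http.
    if https:
        hsts = headers.get("strict-transport-security", "")
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None:
            findings.append("Strict-Transport-Security missing or has no max-age")
        else:
            if int(match.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("Strict-Transport-Security max-age shorter than one year")
            if "includesubdomains" not in hsts.lower():
                findings.append("Strict-Transport-Security lacks includeSubDomains")

    # Version disclosure: a dotted number in Server, or any X-Powered-By at all.
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append("Server header leaks a version: " + server)
    if "x-powered-by" in headers:
        findings.append("X-Powered-By present: " + headers["x-powered-by"])

    return findings


def report(raw, https=True):
    """Parse a raw response head and run the checks on it."""
    return check_headers(parse_headers(raw), https=https)


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", report(sample) or ["all checks passed"])
```

To run it against a live site, save the output of curl -sI https://yoursite.com/ to a file and pass its contents to report(); pass https=False when checking the plain-http response so the HSTS check is skipped.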