Web development
airbor, 2021-12-17 19:39:33

Why are these security headers needed?

In the WordPress admin panel:


Your website does not send all recommended security headers.

Upgrade Insecure Requests
X-XSS protection
X-Content Type Options
Referrer-Policy
X-Frame-Options
Permissions-Policy
HTTP Strict Transport Security

Does this really make sense, and what does it affect?


1 answer(s)
Alexander Falaleev, 2021-12-17
@airbor

Everything is perfectly googled - there is no point in doing it for you.
The only thing is that X-XSS protection is no longer needed because:
a) it is outdated and unnecessary for the main modern browsers
b) theoretically (within the margin of error) it can be harmful to users of the Safari browser.
If the configuration requests blocking when XSS attacks are detected, this is potentially dangerous, as it allows attackers to selectively disable portions of JavaScript code. The only safe approach is to explicitly disable browser-based XSS protection.
Some browsers ship with so-called XSS Auditors, built-in defenses against XSS. Although these defenses work against simple reflective XSS attacks, they can be abused by skillful attackers to add weaknesses to otherwise secure web sites. These dangers are present in both filtering and blocking modes. At this time, Safari ships with its XSS defenses enabled by default. For this reason, the best approach is to explicitly disable this functionality.
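For reference, here is one way to send the headers from the question on a WordPress site, with X-XSS-Protection explicitly set to `0` as the answer recommends. This is an added example, not code from the question, the answer, or WordPress itself; the function names, the mu-plugins path, and the header values chosen are assumptions, not recommendations from this page.

```php
<?php
/**
 * Plugin Name: Security Headers (added example)
 * Description: Sends the security headers listed in the question.
 * Assumed location: wp-content/mu-plugins/security-headers.php
 */

// Header name => value. These values are common defaults, not the page's
// own recommendations; adjust them to what the site actually needs.
function example_security_headers() {
    return array(
        // "Upgrade Insecure Requests" is a Content-Security-Policy directive, not a
        // header of its own: the browser fetches http:// subresources over https://.
        'Content-Security-Policy' => 'upgrade-insecure-requests',
        // Per the answer above: disable the legacy XSS auditor instead of
        // enabling it ("1; mode=block"), since attackers can abuse the auditor.
        'X-XSS-Protection'        => '0',
        // Stop the browser from guessing a MIME type different from the declared one.
        'X-Content-Type-Options'  => 'nosniff',
        // Full referrer for same-origin requests; origin only for cross-origin ones.
        'Referrer-Policy'         => 'strict-origin-when-cross-origin',
        // Allow framing only by pages from the same origin (anti-clickjacking).
        'X-Frame-Options'         => 'SAMEORIGIN',
        // Deny browser features the site does not use.
        'Permissions-Policy'      => 'geolocation=(), microphone=(), camera=()',
    );
}

function example_send_security_headers() {
    if ( headers_sent() ) {
        return; // Output already started; headers cannot be added to this response.
    }
    foreach ( example_security_headers() as $name => $value ) {
        header( $name . ': ' . $value );
    }
    // HSTS only matters on an HTTPS response (browsers ignore it over plain HTTP),
    // and the browser caches the policy for max-age seconds. Start without
    // includeSubDomains until every subdomain is known to serve HTTPS.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
}

// send_headers covers front-end responses; admin_init covers wp-admin pages.
add_action( 'send_headers', 'example_send_security_headers' );
add_action( 'admin_init', 'example_send_security_headers' );
```

After activating, verify the result with `curl -I https://example.invalid/` (placeholder host) and confirm the admin panel check no longer lists the headers as missing.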
