Security Headers: Site Booster Module
The Ocean Site Booster's Security Headers module enables you to control security headers (HSTS, Content Security Policy, Cross-Origin-Embedder-Policy and others) on your website and automatically apply specific security rules via your website's .htaccess file.
The Security Headers feature is available as of Site Booster version 1.2.0.
To enable the Security Headers features, toggle the module on.
Enable (or disable) any option you would like to use, then save the changes at the bottom of the module page.
Available Security Headers options include:
- Disable HSTS Header,
- Content Security Policy (CSP),
- Report URI,
- Disable Permissions Policy Header,
- Disable X-Frame-Options Header,
- Disable X-Content-Type-Options Header,
- Cross-Origin-Embedder-Policy (COEP),
- How to Create a Website Security Policy.
Disable HSTS Header
The Disable HSTS Header option allows you to turn off the default HSTS (HTTP Strict Transport Security) header if you don't want browsers forced to HTTPS.
No Strict-Transport-Security header is sent, so browsers can still access your site over HTTP, which is useful if you have mixed-content needs or testing scenarios.
When this option is enabled, i.e. you've disabled the HSTS header, none of the HSTS-related options (HSTS Max-Age, HSTS Include Subdomains, HSTS Preload) will have any effect.
HSTS Max-Age
The HSTS Max-Age option allows you to define the max-age directive in the HSTS header, specifying for how long browsers should enforce HTTPS-only access.
Browsers that support HSTS will remember to load your site over HTTPS for the number of seconds you specify. A higher value increases security but requires you to keep HTTPS working for that whole period.
HSTS Include Subdomains
The HSTS Include Subdomains option allows you to enable the includeSubDomains directive, making HSTS apply to all subdomains of your site.
When enabled, browsers enforce HTTPS for both your main domain and any subdomains you host, strengthening overall security across sub-sites.
HSTS Preload
The HSTS Preload option allows you to add the preload directive to your HSTS header, allowing your domain to be included in browser preload lists (e.g., chromium.org/hsts).
Once you submit your domain for HSTS preload and meet the requirements, browsers will always load your site over HTTPS, never HTTP, starting from the very first visit.
You can submit your website URL for HSTS preload here: https://hstspreload.org/ (make sure all requirements are in place before submitting your application).
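Before submitting to hstspreload.org it is worth checking the header your site actually sends, since all three HSTS options above have to be in place for the submission to succeed. The following is an added example (not Site Booster code) that parses a Strict-Transport-Security value and lists what would fail the preload checks; the header values in SAMPLES are constructed, and the one-year threshold, includeSubDomains and preload requirements are the ones published by hstspreload.org.

```python
"""Parse a Strict-Transport-Security header value and check HSTS preload eligibility.

Added example, not Site Booster code. The header values below are constructed samples,
standing in for what `curl -sI https://your-site.example` would return after saving
the module.
"""
import re

# hstspreload.org requires a max-age of at least one year, plus the
# includeSubDomains and preload directives.
ONE_YEAR = 31536000


def parse_hsts(value):
    """Return a dict of HSTS directives with max-age converted to an int.

    Directive names are case-insensitive and separated by ';' (RFC 6797);
    a quoted max-age value ("31536000") is accepted as well.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(arg)
        else:
            directives[name] = True
    return directives


def preload_problems(value):
    """List the reasons a header would fail the preload checks (empty list = eligible)."""
    d = parse_hsts(value)
    problems = []
    if "max-age" not in d:
        problems.append("max-age directive is missing")
    elif d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in d:
        problems.append("preload directive is missing")
    return problems


# Constructed sample values: one that passes and two typical misconfigurations.
SAMPLES = {
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "short-max-age": "max-age=300; includeSubDomains",
    "no-subdomains": "max-age=31536000; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        problems = preload_problems(header)
        print(label, "->", "eligible" if not problems else "; ".join(problems))
```

Run it against the real header once the HSTS options are saved; an empty result for your own value means the header side of the submission is in order, and the remaining checks on hstspreload.org concern the redirect and certificate setup of the site itself.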
Content Security Policy (CSP)
The Content Security Policy (CSP) option allows you to define a Content-Security-Policy header that restricts where scripts, styles, images, and other resources can be loaded from.
Browsers enforce the CSP you set, blocking any resources not on your approved list. This can significantly reduce XSS, data injection, and other code-injection attacks.
Report URI
The Report URI option allows you to specify a URL to which browsers send reports when a CSP violation occurs.
Whenever a browser detects a CSP violation (e.g., a script from an unauthorized domain), it sends a JSON report to the URI you specify, helping you debug and tighten your policy.
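Reports only help if you can map each one back to the directive that fired and decide whether the policy should have allowed the resource. The following is an added example (not Site Booster code) that parses a CSP value, resolves which directive governs a violation through the default-src fallback chain, and triages one report; the policy and the JSON report are constructed samples in the `csp-report` shape browsers POST to a report-uri endpoint.

```python
"""Parse a Content-Security-Policy value and triage the violation reports a Report URI receives.

Added example, not Site Booster code. The policy and the JSON report below are constructed
samples; the report uses the `csp-report` JSON shape browsers POST to a report-uri endpoint.
"""
import json
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (subset of CSP Level 3).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "child-src", "manifest-src",
}
# Granular directives that fall back to a broader one before default-src.
FALLBACK = {
    "script-src-elem": "script-src", "script-src-attr": "script-src",
    "style-src-elem": "style-src", "style-src-attr": "style-src",
    "frame-src": "child-src", "worker-src": "child-src",
}


def parse_csp(policy):
    """Return {directive: [source expressions]}; directive names are case-insensitive."""
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def effective_sources(parsed, directive):
    """Walk the fallback chain and return (governing directive, its sources)."""
    d = directive
    while d not in parsed:
        d = FALLBACK.get(d, "default-src" if d in FETCH_DIRECTIVES else None)
        if d is None:
            return None, []
    return d, parsed[d]


def source_matches(src, document_uri, blocked_uri):
    """True when one host or scheme source expression covers the blocked URI."""
    blocked, doc = urlsplit(blocked_uri), urlsplit(document_uri)
    s = src.lower()
    if s == "*":
        return True
    if s == "'self'":
        return (blocked.scheme, blocked.netloc) == (doc.scheme, doc.netloc)
    if s.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a host
    if s.endswith(":") and "/" not in s:
        return blocked.scheme == s[:-1]  # scheme-source such as https: or data:
    host = urlsplit(s if "://" in s else "//" + s)
    if host.scheme and host.scheme != blocked.scheme:
        return False
    if host.netloc.startswith("*."):
        return blocked.netloc.endswith(host.netloc[1:])
    return host.netloc == blocked.netloc


def triage_report(policy, report_json):
    """Say which directive fired, which sources govern it and which way the fix points."""
    r = json.loads(report_json)["csp-report"]
    directive = (r.get("effective-directive") or r["violated-directive"].split()[0]).lower()
    governing, sources = effective_sources(parse_csp(policy), directive)
    blocked = r.get("blocked-uri", "")
    if blocked in ("inline", "eval", ""):
        hint = "inline/eval content blocked; allow it with a nonce or hash, not 'unsafe-inline'"
    elif any(source_matches(s, r["document-uri"], blocked) for s in sources):
        hint = "policy already covers this origin; compare with the browser's effective policy"
    else:
        hint = "origin not in policy; add it only if the resource is one your site expects"
    return {"directive": directive, "governing": governing, "sources": sources,
            "blocked_uri": blocked, "hint": hint}


POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
          "img-src 'self' data:; report-uri /csp-report")

# Constructed report: a third-party tag loaded from a host the policy does not list.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.com/checkout",
    "effective-directive": "script-src-elem",
    "violated-directive": "script-src-elem",
    "blocked-uri": "https://analytics.example.net",
    "original-policy": POLICY,
    "status-code": 200,
}})

if __name__ == "__main__":
    print(json.dumps(triage_report(POLICY, SAMPLE_REPORT), indent=2))
```

The fallback logic matters in practice: a report naming script-src-elem is governed by your script-src list (or by default-src if you set none), so the fix belongs in that directive rather than in a new one.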
Disable Permissions Policy Header
The Disable Permissions Policy Header option allows you to remove the Permissions-Policy header from responses. Permissions Policy was previously known as Feature-Policy.
No Permissions-Policy header will be sent, meaning you lose fine-grained control over which browser features (camera, microphone, geolocation, etc.) pages can use.
Permissions Policy
The Permissions Policy option allows you to configure a Permissions-Policy header, specifying which browser features are allowed or denied.
Browsers will enforce your chosen permissions rules (e.g., disallowing third-party iframes from using the microphone). This can mitigate privacy risks.
Disable X-Frame-Options Header
The Disable X-Frame-Options Header option allows you to stop sending the X-Frame-Options header, which normally prevents your site from being displayed in an <iframe>.
No X-Frame-Options header is present, meaning any other domain can embed your site in an iframe. This is useful for testing or trusted embedders, but it removes clickjacking protection.
X-Frame-Options
The X-Frame-Options option allows you to set the X-Frame-Options header to either DENY, SAMEORIGIN, or a specific allowed domain.
Browsers enforce your chosen framing rule. For example, SAMEORIGIN prevents other domains from embedding your site, but still allows internal iframes.
Disable X-Content-Type-Options Header
The Disable X-Content-Type-Options Header option allows you to remove the X-Content-Type-Options: nosniff header that prevents MIME type sniffing.
Without nosniff, some browsers might try to guess a resource's MIME type. This can break certain security controls and allow content-type attacks, but may be needed for legacy setups.
Cross-Origin-Embedder-Policy (COEP)
The Cross-Origin-Embedder-Policy (COEP) option allows you to add or configure the Cross-Origin-Embedder-Policy header to control whether your site can request or embed certain cross-origin resources.
If you set require-corp, for example, documents on your site can only load resources (scripts, images) from origins that explicitly grant permission. This is a key step toward enabling powerful features like SharedArrayBuffer.
How to Create a Website Security Policy
Creating a proper website security policy is a challenge, even for professionals in this field.
While we're unable to provide you with a step-by-step tutorial (each website is different), we wanted to share a few resources and tips that will help you apply the best policies that will fit your website.
First things first: we recommend that you finish your website in full (all functionality is complete, especially if you're running an eCommerce website) and only then move on to applying content security headers.
The easiest and most beginner-friendly way is to use browser extension tools that scan your website page by page and help you create adequate policies based on your site's content and functionality:
We advise checking the user documentation on how these browser extensions work.
You can then apply the finished reports and recommendations in your Site Booster Security Headers options where applicable.
Additional resources for better understanding of CSP:
Website scanner tools:
Enjoy tightening your website security with OceanWP and Site Booster.
That's it!
Boost your WordPress website on all levels with OceanWP and Ocean Site Booster.