Introduction

Browsers & Web Standards, Security Tools

This Joomla Plugin implements an UI Layer for the HTTP Security headers so everyone can set and configure them from the backend.


HttpHeader Plugin

Features

This Joomla Plugin helps you to set the following HTTP Security Headers.
- Strict-Transport-Security
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy
- Expect-CT
- Feature-Policy
- Permissions-Policy

This plugin also comes with some easy defaults for:
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy

Note: If you have configured some HTTP Security Headers directly on the server, then this Plugin might create double entries.

Check the output of your HTTP headers after configuring this HTTP Security Headers Plugin. In Google Chrome: Inspect > Network > the output under Headers).
In this Plugin you can disable the settings that cause double entries. Also check the Console of your browser for possible errors.

Configuration

Initial setup the plugin

Now the inital setup is completed and you can start configure the headers.

Default Headers

Please note that by default the following headers und values are set:
X-Frame-Options: SAMEORIGIN
More Infos: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
X-XSS-Protection: 1; mode=block
More Infos: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
X-Content-Type-Options: nosniff
More Infos: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
Referrer-Policy: no-referrer-when-downgrade
More Infos: https://scotthelme.co.uk/a-new-security-header-referrer-policy/

You can allways choose to disable or change the value for one of those by changing the plugin configuration.

Option descriptions

Force HTTP Header

Using this you can set different values from the default ones and also force headers. The supported headers are:
- Strict-Transport-Security
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy
- Expect-CT
- Feature-Policy
- Cross-Origin-Opener-Policy
- Permissions-Policy

Here you can also decide whether the header is applyed only to the frontend and or only the backed or both sites.

HTTP Strict Transport Security (HSTS)

This option activates 'Strict Transport Security' and allows the configuration of the value of that header including Include subdomains, Maximum registration time (max-age) and Preload.

HSTS means that your domain can no longer be called without HTTPS. Once added to the preload list, this is not easy to undo. Domains can be removed, but it takes months for users to make a change with a browser update. This option is very important to prevent 'man-in-the-middle attacks', so it should be activated in any case, but only if you are sure that HTTPS is fully supported for the domain and all subdomains in the long run! The value for 'maximum registration time' must be set to 63072000 (2 years) for recording.

Content Security Policy (CSP)

With this option the Content-Security-Policy rule can be set individually including an dedicated subform for the the different directives as well as setting the rules in Report-Only mode.

Update Server

Please note that my update server only supports the latest version running the latest version of Joomla and atleast PHP 7.0.
Any other plugin version I may have added to the download section don't get updates using the update server.

Issues / Pull Requests

You have found an Issue, have a question or you would like to suggest changes regarding this extension?
Open an issue in this repo or submit a pull request with the proposed changes.

Translations

You want to translate this extension to your own language? Check out my Crowdin Page for my Extensions for more details. Feel free to open an issue here on any question that comes up.

This plugin is translated into the following languages:
- de-DE by @zero-24
- en-GB by @zero-24 & @brianteeman
- fr-FR by @Sandra97 & @YGomiero
- it-IT by @jeckodevelopment
- nl-NL by @pe7er

Beyond this repo

This plugin has been included in the Joomla Core (joomla/joomla-cms#18301) and will be part of the upcomming 4.0 Release. Please note that the core the plugin has been renamed to plgsystemhttpheaders (extra s) and extended by the new com_csp component for to core distribution.

Special Thanks

David Jardin - @snipersister - https://www.djumla.de/ & Yves Hoppe - @yvesh - https://compojoom.com/

For giving me the inspiration for the plugin and their feedback on the actual implementation. Thanks :+1:

Functionality
Does exactly what is expected, and makes it simple to apply security response headers.
Ease of use
Straight forward, once you remember to clear cache after adding and enabling extension.
Support
Great responded to my questions very quickly. The platform for support is clunky.
Documentation
Straight forward and to the point - you do need a little knowledge of http security headers.
I used this to: Improving creating security response headers on all joomla 3 web sites.
Functionality
Is able to set all headers to give you a good score at securityheaders com
Ease of use
If you know what you are doing it is super easy to use. You need to read up about security headers beforehand though!!!
I used this to: All websites I am administering. And they all got an A or A+ score on securityheaders com now
Owner's reply: Thanks for your positive review. Yes I have tried to include a bit of documentation in the plugin and in the readme too but when you want to go beyond the default headers some knowledge about the headers are needed.
Functionality
This plugin hardens the HTTP Security Headers (X-XSS-Protection, Strict-Transport-Security, Content-Security-Policy).
Ease of use
Installation is easy. It uses some easy defaults. Be careful with configuring the Content Security Policy: the admin uses some JavaScript.
Support
I have not needed any support. The plugin has its own public github repository where you can create an issue in case you find any.
Documentation
Excellent documentation that explains all its settings and refers to existing documentation about "Hardening your HTTP response headers".
I used this to: This plugin will be in the Joomla 4 core! On my Joomla 3.9 websites I use it to harden the HTTP Security Headers (improve how strict https will be enforced by your visitor's browser).
Owner's reply: Thanks for this review Peter. The docs has been even more improved with your suggestions thanks for that!
AdvancedRedirect
Free

AdvancedRedirect

By Tobias Zulauf
URL Redirection
AdvancedRedirect Plugin This plugin is based on the Joomla Core Redirect Plugin and acts as a so-called drop in replacement for the Core Plugin. In addition to the Joomla Core Plugin, it allows you to define your own derivation rules. Configuration Initial setup the plugin Download the latest version of the plugin Install the plugin using Upload & Install Disable the core System - Redirec...
PrivacyCheckbox
Free

PrivacyCheckbox

By Tobias Zulauf
Custom Fields
PrivacyCheckbox Plugin This Joomla plugin lets you create new fields of type 'privacycheckbox' in any extensions where custom fields are supported. Feature This plugin allows you to creates a single checkbox field in any form that supports custom fields e.g. in the contact form where you can make sure the privacy message is checked. But this also allow any other single checkbox usecase. Over th...
FetchMetadata
Free

FetchMetadata

By Tobias Zulauf
Security Tools
FetchMetadata Plugin This Joomla Plugin helps to protect your sites by using Fetch Metadata Request Headers (w3c-spec) Features This Joomla Plugin helps to protect your sites by using Fetch Metadata Request Headers The implemened rules are: - Step 1: Allow requests from browsers which don't send Fetch Metadata - Step 2: Allow same-site and browser-initiated requests - Step 3: Allow simple top-...
Force2faUsergroup
Free

Force2faUsergroup

By Tobias Zulauf
Security Tools
Force2faUsergroup Plugin This plugin allows to force users to set up 2FA in a specific user group. Features This plugin allows to force users to set up 2FA in a specific user group. Setup the groups to force a 2FA setup on the next login. Configuration Initial setup the plugin Download the latest version of the plugin Install the plugin using Upload & Install Enable the plugin System...
ImageLazyloading
Free

ImageLazyloading

By Tobias Zulauf
Images
ImageLazyloading Plugin This Joomla Plugin sets the lazyloading attribute to images. Features This Joomla Plugin sets the lazyloading attribute to all images that passes the onContentPrepare Event to allow modern browsers to lazyload the images. More information about the loading attribute: - Description: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#attr-loading. - HTML Specif...
CustomCSS
Free

CustomCSS

By Tobias Zulauf
Templating
CustomCSS Plugin This Joomla plugin lets you load a custom.css / custom.min.css when the template does not support that out of the box. Thanks for your support! Feature This plugin checks whether a custom.css (or custom.min.css) file exists at /templates/"templatename"/css or /administrator/templates/"templatename"/css. If present, it will be loaded to the site. - With a custom.css you can ove...
AntiSpamExtended
Free

AntiSpamExtended

By Tobias Zulauf
Access & Security
AntiSpamExtended Plugin This Joomla Plugin implements an additional Anti-spam Protection Layer to your Joomla Contact Forms by allowing you to block any non ascii chars or banned words / chars Features This Joomla Plugin allows you to protect you joomla contact form by allowing you to: - block any non ascii chars - whitelist allowed non-ascii chars - maintain a blacklist of not allowed words /...
MyDocsLanguage
Free

MyDocsLanguage

By Tobias Zulauf
Content Links
MyDocsLanguage Plugin This Joomla plugin automatically adds the Special:MyLanguage tag for docs.joomla.org links if needed Feature This plugin runs onContentBeforeSave and makes sure that all links to docs.joomla.org contain the Special:MyLanguage tag for translation. Configuration Initial setup the plugin Download the latest version of the plugin Install the plugin using Upload & Insta...
GitDeploy
Free

GitDeploy

By Tobias Zulauf
Site Management
GitDeploy Plugin This plugin allows to automaticly deploy changes from a git repo and is based on KickDeploy Features This plugin allows to listen on github hooks and than deploy changes from a git repo. Configuration Initial setup the plugin Download the latest version of the plugin Install the plugin using Upload & Install Enable the plugin System - GitDeploy from the plugin manager R...

HttpHeader

Version:
1.0.15
Developer:
Tobias Zulauf
Last updated:
Jan 18 2022
3 months ago
Date added:
Mar 23 2020
License:
GPLv2 or later
Type:
Free download
Includes:
p
Compatibility:
J3 J4
Download

Uses Joomla! Update System

Score:


Write a review