What exactly does the system setting “set_header” enable? Which exact headers are sent? Is there some way to edit them? I’d like to add security headers.
If the system setting set_header is set to Yes, then some headers are sent with the response.
These seem to be Content-Type, Cache-Control, Content-Disposition and Vary:
It looks like additional headers can be set in the content type. If you go to “Content” → “Content Types” and edit a type, there exists a tab “Custom headers”.
Alternatively it’s probably possible to add additional headers in a custom plugin.
@snowcreative are you asking about Content Security Policy headers or some other type of headers? If CSP, Mat has made this: About CSPect | CSPect
If other types of headers, feel free to expand or explain.
Yes, CSP, but also others (STS, X-Frame-Options, etc).
UPDATE:
I manage these using .htaccess on other sites and it works fine. For the site in question here, there seems to be something about the way PHP is set up that is stripping out these headers unless they are set at the server level. Straight .html files pull the headers from .htaccess, but PHP files, even very simple ones, don’t.
The CSPect plugin is very cool, but it also doesn’t work on this site. The headers don’t get sent by the server.
The hosting company fixed the problem with .htaccess, so I can use that now. Thanks for the info though, didn’t know I could use Content Types to add headers. I may use that for certain sites.
I didn’t know this either - handy info
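A way to confirm the symptom described in this thread (security headers present on .html responses but missing on PHP responses), as an added example that is not part of any post. The two sample responses and their header values are constructed, and the function names are hypothetical; in practice the raw text would come from something like `curl -sI` against a static file and a PHP page.

```python
# Added example: compare security headers on a static vs. a PHP response.
REQUIRED = ("content-security-policy", "strict-transport-security", "x-frame-options")

# Constructed sample: static .html file, headers applied by .htaccess.
STATIC_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Content-Security-Policy: default-src 'self'",
    "Strict-Transport-Security: max-age=31536000",
    "X-Frame-Options: SAMEORIGIN",
    "", "",
])

# Constructed sample: PHP page, only the set_header-style headers arrive.
PHP_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Cache-Control: no-cache",
    "Vary: Accept-Encoding",
    "", "",
])

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP header block."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the status line
        if not line.strip():
            break                       # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                         # ignore malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def missing_security_headers(raw):
    """Required security headers absent from one response."""
    present = parse_headers(raw)
    return [h for h in REQUIRED if h not in present]

def lost_on_php(static_raw, php_raw):
    """Headers delivered on the static response but not on the PHP one."""
    static, php = parse_headers(static_raw), parse_headers(php_raw)
    return sorted(h for h in REQUIRED if h in static and h not in php)

if __name__ == "__main__":
    print("missing on static:", missing_security_headers(STATIC_RESPONSE))
    print("missing on PHP:   ", missing_security_headers(PHP_RESPONSE))
    print("lost on PHP only: ", lost_on_php(STATIC_RESPONSE, PHP_RESPONSE))
```

A non-empty "lost on PHP only" list means the .htaccess rules are working for static files but not reaching PHP output, which points at the server or PHP handler configuration rather than at MODX.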