Title: Security Headers
Author: SimonRWaters
Published: 10 April 2015
Last modified: 26 February 2019

---


![](https://ps.w.org/security-headers/assets/banner-772x250.png?rev=1467219)

This plugin **has not been tested with the latest 3 major releases of WordPress**. It may no longer be maintained or supported by its developer, and may have compatibility issues when used with more recent versions of WordPress.

![](https://ps.w.org/security-headers/assets/icon-128x128.png?rev=1467219)

# Security Headers

Developed by [SimonRWaters](https://profiles.wordpress.org/simonrwaters/)

[Download](https://downloads.wordpress.org/plugin/security-headers.zip)


## Description

TLS is growing in complexity. Server Name Indication (SNI) now means HTTPS sites
may be on shared IP addresses, or otherwise restricted. For these servers it is
handy to be able to set the desired HTTP headers without access to the web server's
configuration or the use of a .htaccess file.

This plug-in exposes controls for:

 * HSTS (Strict-Transport-Security)
 * HPKP (Public-Key-Pins)
 * Disabling content sniffing (X-Content-Type-Options)
 * XSS protection (X-XSS-Protection)
 * Clickjacking mitigation (X-Frame-Options in main site)
 * Expect-CT

HSTS is used to ensure that future connections to a website always use TLS, and
to disallow bypassing of certificate warnings for the site.

HPKP is used if you don’t want to rely solely on the Certificate Authority trust
model for certificate issuance.

Disabling content sniffing is mostly of interest for sites that allow users to upload
files of specific types which browsers might be silly enough to interpret as
some other type, thus allowing unexpected attacks.

XSS protection re-enables XSS protection for the site, if the user has disabled 
it previously, and sets the “block” option so that attacks are not silently ignored.

Clickjacking protection is usually only relevant when someone is logged in, but users
requested it; presumably they have rich content outside of WordPress authentication
that they wish to protect.

Expect-CT is used to ensure Certificate Transparency is configured correctly.
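A defender-side check for the controls listed above, added here as an example and not part of the plugin's own code: it parses the raw header block of a captured response (a constructed sample) and reports which of the HSTS, X-Content-Type-Options, X-XSS-Protection, X-Frame-Options and Expect-CT headers are missing or weak, including the TLS caveat from the changelog (HSTS only makes sense on an HTTPS response).

```python
import re

# Constructed sample response: the headers a site fronted by this plugin might send.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Expect-CT: max-age=86400, enforce
"""

def parse_headers(raw):
    """Map lowercased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, https=True):
    """Return findings for the controls the plugin exposes; [] means all pass."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) == 0:
            findings.append("HSTS max-age missing or zero (policy disabled)")
        if not https:
            # Browsers ignore HSTS on plain HTTP, so emitting it there is a config error.
            findings.append("HSTS sent over non-TLS response")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # Whitespace and a trailing semicolon are tolerated, as the 0.9 changelog notes.
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if not xss.startswith("1;mode=block"):
        findings.append("X-XSS-Protection is not '1; mode=block'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if "max-age=" not in h.get("expect-ct", ""):
        findings.append("Expect-CT missing or without max-age")
    return findings
```

Run `audit(raw_headers, https=False)` against a capture from the plain-HTTP side of a site to catch HSTS being emitted where browsers will never honour it.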

## Installation

 1. Upload “security_headers.php” to the “/wp-content/plugins/” directory.
 2. Activate the plugin through the “Plugins” menu in WordPress.

## Reviews

### [Incompatible with Tawk.to](https://wordpress.org/support/topic/incompatible-with-tawk-to/)

[krsi78](https://profiles.wordpress.org/krsi78/) 14 May 2020

Just a quick warning: if you enable this plugin, the Tawk.to widget is no longer
displayed in Chrome, Firefox and Safari. Edge is not affected (yet?).

### [Perfect](https://wordpress.org/support/topic/perfect-5823/)

[flch](https://profiles.wordpress.org/flch/) 11 February 2019

Works great and makes security much easier. Thanks for this great plugin!

### [handles these security points no one else does](https://wordpress.org/support/topic/handles-these-security-points-no-one-else-does/)

[tone_milazzo](https://profiles.wordpress.org/tone_milazzo/) 21 June 2018

My topic can’t be empty so I’m writing this to fill it.

### [Excellent](https://wordpress.org/support/topic/excellent-5036/)

[bozon](https://profiles.wordpress.org/bozon/) 19 June 2017, 2 replies

Works really well! Tested with [link removed]. For future releases it would be
good to include Content-Security-Policy and the forthcoming Expect-CT options.

### [Perfect](https://wordpress.org/support/topic/perfect-4081/)

[WebBever](https://profiles.wordpress.org/webbever/) 26 May 2017

Easy to use, works like a charm!

### [Excellent plugin, easy to use.](https://wordpress.org/support/topic/excellent-plugin-easy-to-use-5/)

[tjdurden](https://profiles.wordpress.org/tjdurden/) 3 September 2016, 1 reply

Thanks for this. Very easy to install and configure.

[Read all 8 reviews](https://wordpress.org/support/plugin/security-headers/reviews/)

## Contributors & Developers

The following people have contributed to the open source plugin “Security Headers”.

Contributors

 * [SimonRWaters](https://profiles.wordpress.org/simonrwaters/)
 * [Simon Waters](https://profiles.wordpress.org/simon-waters/)

[Translate the “Security Headers” plugin into Traditional Chinese (Taiwan)](https://translate.wordpress.org/projects/wp-plugins/security-headers)

### Interested in development?

Anyone can [browse the code](https://plugins.trac.wordpress.org/browser/security-headers/),
look at the [SVN repository](https://plugins.svn.wordpress.org/security-headers/), or subscribe to the
[development log](https://plugins.trac.wordpress.org/log/security-headers/) by [RSS](https://plugins.trac.wordpress.org/log/security-headers/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.1

Fix missing close anchor which breaks recent WordPress

#### 1.0

Add support for wp-login.php page

Add support for Expect-CT header

#### 0.9

Removed unnecessary whitespace in HSTS header (thanks Thomas)

Added Referrer-Policy header

Corrected plugin name from “HTTP Headers” to “Security Headers” (thanks Jamie)

Removed trailing semi-colon from X-XSS-Protection (it worked but not needed)

#### 0.8

Add headers to admin section of WordPress

Added option to set the X-Frame-Options headers to main site

Added HSTS Preload header (thanks to Jamie)

#### 0.7

Add report-uri

Fix handling of non-numeric blank strings for HPKP max-age

#### 0.6

HPKP support

Check for TLS before emitting HSTS or HPKP headers

#### 0.5

Change h2 for h1 for accessibility per #31650

#### 0.4

License change

Clarify wording for XSS protection in readme

#### 0.3

Prepare for release

#### 0.2

Added Sonarqube file and formatting changes

#### 0.1

 * Initial release.

## Meta

 * Version **1.1**
 * Last updated **7 years ago**
 * Active installations **3,000+**
 * WordPress version **3.8.1 or higher**
 * Tested up to **5.1.22**
 * PHP version **5.6 or higher**
 * Languages
 * [English (US)](https://wordpress.org/plugins/security-headers/)
 * Tags:
 * [hsts](https://tw.wordpress.org/plugins/tags/hsts/) [https](https://tw.wordpress.org/plugins/tags/https/)
   [nosniff](https://tw.wordpress.org/plugins/tags/nosniff/) [tls](https://tw.wordpress.org/plugins/tags/tls/)
 * [Advanced view](https://tw.wordpress.org/plugins/security-headers/advanced/)

## Ratings

5 out of 5 stars

 * [8 five-star reviews](https://wordpress.org/support/plugin/security-headers/reviews/?filter=5)
 * [0 four-star reviews](https://wordpress.org/support/plugin/security-headers/reviews/?filter=4)
 * [0 three-star reviews](https://wordpress.org/support/plugin/security-headers/reviews/?filter=3)
 * [0 two-star reviews](https://wordpress.org/support/plugin/security-headers/reviews/?filter=2)
 * [0 one-star reviews](https://wordpress.org/support/plugin/security-headers/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/security-headers/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/security-headers/reviews/)


## Support

Users can give feedback or ask usage questions in the support forum.

[View support forum](https://wordpress.org/support/plugin/security-headers/)