Implement HTTP Security Headers on your Joomla Website

HTTP Security Headers are HTTP response headers that define if security precautions should be activated or deactivated on a web browser. HTTP security headers are a fundamental part of website security protecting your website against attacks like clickjacking, code injection, MIME types, and XSS, etc.

By simply adding the following headers you can improve your website security dramatically;

Content Security Policy header (CSP)
The HTTP Content Security Policy response header restricts the resources allowed to load within a website efectively whitelisting content sources on your website.

Cross Site Scripting Protection header (X-XSS)
The X-XSS header protects against Cross-Site Scripting attacks preventing a page from loading when it detects a cross-site scripting attack.

HTTP Strict Transport Security header (HSTS)
Many website owners have installed an SSL/TLS certificate and migrated from HTTP to HTTPS which is great but there's an additional step that is often overlooked.

Many websites that are migrated to HTTPS are still available over HTTP which defeats the object.

This is where HSTS enters the equation, if a site is equipped with HTTPS, the server forces the browser to communicate over secure HTTPS entirely eliminating the possibility of an HTTP connection.

X-Content-Type-Options header
The X-Content-Type header offers a countermeasure against MIME sniffing by instructing the browser to follow the MIME types indicated in the header.

X-Frame-Options header
The X-Frame-Options header protects against
Clickjacking which is an an attack that tricks a user into clicking an invisible webpage element or is disguised as another element. This can cause users unknowingly to download malware, visit malicious web pages, reveal credentials and sensitive information, transfer money, purchase products etc.

Typically an invisible page or HTML element is present inside an iframe, on top of the page the user is viewing. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional invisible page on top of it.

The X-Frame-Options response header is passed as part of the HTTP response of a web page, indicating whether or not a browser should be allowed to render a page inside an Iframe enabling you to prevent others from embedding your content.

Permissions Policy header
Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.

From the results below you will see that this site achieved an A+ rating. we achieve A+ ratings for many of our clients.

Visit the Security Headers Website and test your site for free.

You can also add your website to Chrome's HSTS preload list which is a list of sites that are hardcoded into Chrome as being HTTPS only. Most major browsers also have HSTS preload lists based on the Chrome list. Visit the HSTS preload submission site for details. 

Joomla 4 and 5 have security headers support but as we were implementing these previously we find it more efficient to add the code in .htaccess  

If you want us us to add HTTP Security Headers on your Joomla website this normally takes an hour unless you want a strict and complicated policy.

To add HTTP Security Headers order our Joomla Specialist Support and Maintenance service and submit a ticket on our helpdesk

 Once you become a customer you get access to a Highly Experienced Joomla Developer and;

• Access to our secure private support helpdesk site where access credentials are kept along with tasks and changes which are documented in detail.
• Use of our ticketing system where bugs can be reported, questions asked, and additional features can be requested.

Supporting, building, hosting, maintaining and optimising and all kinds of Joomla websites since 2005 we have gained vast experience. This combined with our Joomla Website Support System enables us to work very efficiently with any Joomla related project.

We have worked on several hundred Joomla websites ranging from sites with a few pages to sites with several hundred thousand pages including multi language sites. Taking on all kinds of Joomla related projects, including;

• Adding additional functionality.
• Adding content delivery networks.
• Adding E-Commerce along with shopping carts.
• Adding multiple anti-spam solutions.
• Adding payment gateways.
• Adding user management and subscription memberships.
• Building new Joomla websites.
• Customising Joomla extensions.
• Customising Joomla templates.
• Developing all kinds of forms including API integrations and auto field population using GeoIP services.
• Developing custom Joomla extensions.
• Developing custom Joomla templates.
• Implementing GDPR compliance.
• Implementing HTTP security headers.
• Joomla Extension Installation and configuration.
• Joomla Installation and configuration on your hosting.
• Joomla search engine marketing,
• Joomla search engine optimisation.
• Joomla site backup restoration on your hosting.
• Joomla website speed optimisation.
• Making Joomla websites responsive and mobile friendly.
• Malware removal including file and database cleanup.
• Migrating existing websites to Joomla including WordPress and none CMS websites.
• Producing AMP versions of Joomla websites.
• Resolving security-related issues.
• SSL certificate installation.

along with support and training, and anything required to keep Joomla Websites fast, functional, secure, and stable. 

Prior to making any changes to your Joomla website;

• We ensure you have an adequate backup system in place and take a backup of the site and database. Our preferred backup component is Akeeba Backup Professional for Joomla! (Commercial License $55), If your site doesn't already have it we will Install and configure it on your website.
• When a site has major issues or requires major extension upgrades, major Joomla version upgrades, template or template framework upgrades, major PHP version changes etc.. we clone the site and produce a test site to test changes prior to making changes to your live site. We are very experienced and understand which updates are safe and which updates cause problems. We prefer to put a test site on a sub domain to achieve some separation from a live site but this all depends on your hosting setup.

We have several VPS servers including a development Ubuntu/Plesk server with big storage attached where most Joomla sites we manage transfer an encrypted backup to each day. Apart from backup storage this is very useful to spin up a copy of a site for development, Joomla or PHP updates etc. This is useful if your host only allows one database for example and a test site is required for major updates, also on some occasions we have set up an older PHP version that most hosts don't allow so we can restore an old broken site for development.

Please note that even though we produce and maintain Joomla websites in multiple languages for multiple clients worldwide our native language is English.