Flywheel customers often find value in manipulating their site’s HTTP headers. Configuring a combination of headers can aid in the security of your site as well as contribute to performance – and who doesn’t want a faster, more secure site?!
Thankfully, basic HTTP headers can be added to a WordPress® site without much technical skill by using a plugin.1 More complex headers, composed by your development team, can be implemented with the help of Flywheel support. In this article, we’ll talk about what HTTP headers are, provide some examples, and discuss methods to add them to your site.
HTTP headers are code that allow the server and the client browser to exchange information during a request or response. They can carry instructions or details regarding the browser, the requested page, the server capabilities, and more.
HTTP security headers are response headers designed to prevent web browsers from encountering security vulnerabilities. For example, enabling the HSTS (HTTP Strict Transport Security) header will direct web browsers to interact with a site via HTTPS only, and all HTTP requests will be ignored.
HTTP security headers can also help guard against attacks such as clickjacking, man-in-the-middle (MITM), and cross-site scripting (XSS).
Below are some examples of common HTTP headers and values. Click on the header type to learn more!
Strict-Transport-Security (HSTS)
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
Example:
Strict-Transport-Security: max-age=63072000; includeSubDomains;
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Example:
X-XSS-Protection: 1
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.
Example:
Referrer-Policy: no-referrer-when-downgrade
The Cache-Control HTTP header holds directives (instructions) for caching in both requests and responses.
Example:
Cache-Control: max-age=<seconds>
We recommend working with your developer to implement HTTP headers within your custom Theme or Plugin. WordPress provides a send headers action hook to send additional HTTP Headers as needed.
Our support team is happy to help add HTTP Headers to your site – please prepare a list of specific HTTP Headers, methods, and values you would like added, and our support team will get them added to your site’s NGINX Web Server config. Just visit the help section of your Flywheel dashboard to start a chat!
The easiest way to enable HTTP security headers is via a plugin, we suggest either Redirection or HTTP Headers. These plugins allow for easy configuration of security headers with just a few clicks.
The main benefit of using a plugin is the fact that you can make changes at any time without having to alter code directly or reach out to Flywheel support. These plugins address 99% of issues flagged by reports from sites like securityheaders.com or Geekflare.
Redirection, on top of handling page redirects, can easily implement security headers. Since it’s a popular plugin, it may already be installed on your site.
The HTTP Headers plugin is another good option. Make sure you complete steps 4 & 5 to ensure compatibility with Flywheel. For more information about configuring the plugin, check out the developer’s page here.
/www/.user.ini
and save your changes.There are a handful of headers preset by Flywheel that our support team will have to change for you. If your desired HTTP header is in the list below please reach out to support!
X-XSS-Protection: 1 X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade X-FW Server X-Cache
If you have any questions our Happiness Engineers are here to help!
New to Flywheel? Start here, we've got all the information you'll need to get started and launch your first site!
View allLearn all about managing your Flywheel user account, Teams and integrations.
View allFlywheel hosting plans include a ton of great features. Learn about how to get a free SSL certificate, set up a staging site, and more!
View allAll the server and setting info you'll need to help you get the most out of your Flywheel hosting plan!
View allTips and tricks for managing your sites on Flywheel, including going live, troubleshooting issues and migrating or cloning sites.
View allLearn more about Growth Suite, our all-in-one solution for freelancers and agencies to grow more quickly and predictably.
Getting started with Growth Suite
Growth Suite: What are invoice statuses?
Growth Suite: What do client emails look like?
Learn more about Managed Plugin Updates, and how you can keep your sites up to date, and extra safe.
Restoring Plugin and Theme Management on Flywheel
Managed Plugin Updates: Database upgrades
Managed Plugin Updates: Pause plugin updates
We can help! Check out our Brand Resources page for links to all of our brand assets.
Brand Resources