Joomla HttpHeader Extension

HttpHeader Plugin

# HttpHeader Plugin

This Joomla Plugin implements an UI Layer for the HTTP Security headers so everyone can set and configure them from the backend.

Features

This Joomla Plugin helps you to set the following HTTP Security Headers.
- [Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
- [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
- [Content-Security-Policy-Report-Only](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Testing_your_policy)
- [X-Frame-Options](https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options)
- [X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
- [X-Content-Type-Options](https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Content-Type-Options)
- [Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
- [Expect-CT](https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Expect-CT)
- [Feature-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
- [Permissions-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)

This plugin also comes with some easy defaults for:
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy

Note: If you have configured some HTTP Security Headers directly on the server, then this Plugin might create double entries.

Check the output of your HTTP headers after configuring this HTTP Security Headers Plugin. In Google Chrome: Inspect > Network > the output under Headers).
In this Plugin you can disable the settings that cause double entries. Also check the Console of your browser for possible errors.

Configuration

Initial setup the plugin

- [Download the latest version of the plugin](https://github.com/zero-24/plg_system_httpheader/releases/latest)
- Install the plugin using `Upload & Install`
- Enable the plugin `System - HttpHeader` form the plugin manager

Now the inital setup is completed and you can start configure the headers.

Default Headers

Please note that by default the following headers und values are set:
```
X-Frame-Options: SAMEORIGIN
```
More Infos: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
```
X-XSS-Protection: 1; mode=block
```
More Infos: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
```
X-Content-Type-Options: nosniff
```
More Infos: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
```
Referrer-Policy: no-referrer-when-downgrade
```
More Infos: https://scotthelme.co.uk/a-new-security-header-referrer-policy/

You can allways choose to disable or change the value for one of those by changing the plugin configuration.

Option descriptions

# Force HTTP Header

Using this you can set different values from the default ones and also force headers. The supported headers are:
- Strict-Transport-Security
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy
- Expect-CT
- Feature-Policy
- Cross-Origin-Opener-Policy
- Permissions-Policy

Here you can also decide whether the header is applyed only to the frontend and or only the backed or both sites.

# HTTP Strict Transport Security (HSTS)

This option activates 'Strict Transport Security' and allows the configuration of the value of that header including `Include subdomains`, `Maximum registration time (max-age)` and `Preload`.

HSTS means that your domain can no longer be called without HTTPS. Once added to the preload list, this is not easy to undo. Domains can be removed, but it takes months for users to make a change with a browser update. This option is very important to prevent ['man-in-the-middle attacks'](https://en.wikipedia.org/wiki/Man-in-the-middle_attack), so it should be activated in any case, but only if you are sure that HTTPS is fully supported for the domain and all subdomains in the long run! The value for 'maximum registration time' must be set to 63072000 (2 years) for recording.

# Content Security Policy (CSP)

With this option the `Content-Security-Policy` rule can be set individually including an dedicated subform for the the different directives as well as setting the rules in `Report-Only` mode.

Update Server

Please note that my update server only supports the latest version running the latest version of Joomla and atleast PHP 7.0.
Any other plugin version I may have added to the download section don't get updates using the update server.

Issues / Pull Requests

You have found an Issue, have a question or you would like to suggest changes regarding this extension?
[Open an issue in this repo](https://github.com/zero-24/plg_system_httpheader/issues/new) or submit a pull request with the proposed changes.

Translations

You want to translate this extension to your own language? Check out my [Crowdin Page for my Extensions](https://joomla.crowdin.com/zero-24) for more details. Feel free to [open an issue here](https://github.com/zero-24/plg_system_httpheader/issues/new) on any question that comes up.

This plugin is translated into the following languages:
- de-DE by @zero-24
- en-GB by @zero-24 & @brianteeman
- fr-FR by @Sandra97 & @YGomiero
- it-IT by @jeckodevelopment
- nl-NL by @pe7er

Beyond this repo

This plugin has been included in the Joomla Core ([joomla/joomla-cms#18301](https://github.com/joomla/joomla-cms/pull/18301)) and will be part of the upcomming 4.0 Release. Please note that the core the plugin has been renamed to plg_system_httpheaders (extra `s`) and extended by the new com_csp component for to core distribution.

Special Thanks

David Jardin - @snipersister - https://www.djumla.de/ & Yves Hoppe - @yvesh - https://compojoom.com/

For giving me the inspiration for the plugin and their feedback on the actual implementation. Thanks :+1:

How to install Joomla HttpHeader Extension

You can install Joomla HttpHeader Extension via Joomla Installer.

Follow the steps below:

Download the Joomla HttpHeader Extension package from the official website.
Login to your Joomla website's administrator dashboard.
Go to the "Extensions" tab and select "Manage" from the drop-down menu.
Click on the "Upload Package File" tab and select the Joomla HttpHeader Extension package that you downloaded.
Click the "Upload & Install" button to install the extension.
You will see a confirmation message when the installation is complete.

That's it! You can now use Joomla HttpHeader Extension on your Joomla website.

Joomla HttpHeader Language Files

Is Joomla HttpHeader not available in your language?

We understand that not all extensions come equipped with language files, which can make it difficult for non-English speakers to fully utilize them. That's where our Language File Creation service comes in.

Great news!

ExtensionPlazza has now introduced a new feature to help Joomla users worldwide:

Joomla Extension Translation Tool.

With our Joomla Extension Translation Tool, you no longer have to worry about language barriers preventing you from using the Joomla extensions you need. Our tool allows you to easily translate Joomla HttpHeader Language Files to any language you require, making it easier than ever before to use Joomla extensions in your preferred language.

Joomla HttpHeader Extension Customization

Do you need Joomla HttpHeader to do more than what it currently offers? Our expert team can help you extend or customize Joomla HttpHeader to meet your specific needs and requirements.

At ExtensionPlazza, we specialize in Joomla extension development and customization, and we are committed to providing exceptional services to our clients. We have extensive experience working with Joomla and related technologies, and we can help you create a solution that is tailored to your unique business requirements.

Whether you need a

custom integration,
additional features,
or a complete overhaul of the extension

we are here to help. We will work closely with you to understand your needs and requirements and develop a solution that exceeds your expectations.

Contact us today to learn more about our extension customization and extension development services, and how we can help you take your project to the next level.

You can reach us through the following channels:

Contact Form

Free Extension of September 2024

Each month, ExtensionPlazza brings you a Premium Joomla Extension developed by ExtensionPlazza exclusively for our valued visitors
Get the download link to your email inbox right now!

Extension Specifications

Current Version
1.0.17
Created on
23 March 2020
Last updated on
18 March 2024
Compatibility
Joomla 3,Joomla 4,50
Extension Type
Plugin
Free or Premium
Free Joomla Extension
Listed in
Joomla Security Tools Extensions
Developed by
Tobias Zulauf

Score

Functionality

97%

Ease of Use

87%

Support

97%

Documentation

82%

Joomla HttpHeader,
Joomla 3,Joomla 4,50 Compatible Joomla HttpHeader is reviewed
4.5375 out of 5 by 3 Joomla user(s)

Spread the Word

Share on Twitter