Hello,
does it make sense to add the plugin HttpHeader https://extensions.joomla.org/extension/httpheader/
or does Admin Tools already protect that too?
Thank you!
Latest post by on Wednesday, 09 December 2020 20:17 CST
The four headers that the plugin says it provides defaults for, Admin Tools' .htaccess / NginX Configuration / web.config Maker is better at managing them. It's the same headers; it's just that using a server configuration file applies them on all requests, not just those going through Joomla. This is especially important for HSTS and CORS headers.
Regarding the other headers, I maintain that it's best that you set them up manually, in your server configuration file (.htaccess, web.config or NginX's configuration), rather than using a plugin for two reasons:
For Content Security Policy (CSP) my recommendation is to not mess with it on Joomla 3; it will break stuff. Joomla 4 includes the plugin you mentioned in the core (in fact, the plugin is an adaptation of the same author's work in the Joomla 4 core) with a critical difference. Joomla 4 provides the necessary methods to sign inline JavaScript and CSS either with a per-page token or a cryptographic signature (the latter is still broken as of Joomla 4 beta 4), allowing you to set a very restrictive CSP. Without this Joomla 4 feature any CSP you choose that lets your site work won't make much of a difference with regard to security and any CSP which would increase security would break your site. So it's best to not touch it with Joomla 3.
So, based on all of the above it's best to use Admin Tools because the headers that make sense are best handled at the .htaccess level and they are either already handled by Admin Tools or there is no practical benefit to using a plugin to manage them as opposed to managing them manually.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
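The reply above notes that headers set in a server configuration file apply to all requests, not just those going through Joomla. The following check makes that gap visible by comparing a Joomla-rendered page with a static file. It is an added example, not code from Admin Tools or the HttpHeader plugin; the two responses are constructed samples, and the audited header list beyond HSTS is an assumption.

```python
from email.parser import Parser

# Headers to audit. Only HSTS is named on the page; the other two entries
# are assumptions chosen for this illustration.
EXPECTED = ("Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options")

# Constructed sample responses, not captured from a real site.
SAMPLES = {
    # Rendered by Joomla's index.php, so a PHP plugin had the chance to add headers.
    "/index.php": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>"
    ),
    # Static file served by the web server itself; PHP (and the plugin) never runs.
    "/images/logo.png": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: image/png\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
}

def parse_headers(raw):
    """Return the header block of a raw HTTP response as a case-insensitive mapping."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status_line, _, header_block = head.partition("\n")
    return Parser().parsestr(header_block, headersonly=True)

def missing_headers(raw, expected=EXPECTED):
    """List the expected headers that the response does not carry."""
    headers = parse_headers(raw)
    return [name for name in expected if headers.get(name) is None]

def hsts_max_age(raw):
    """Return the HSTS max-age in seconds, or None if the header is absent or malformed."""
    value = parse_headers(raw).get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None

def audit(responses, expected=EXPECTED):
    """Map each path to the expected headers its response lacks."""
    return {path: missing_headers(raw, expected) for path, raw in responses.items()}

if __name__ == "__main__":
    for path, missing in audit(SAMPLES).items():
        print(path, "OK" if not missing else "missing: " + ", ".join(missing))
```

To run it against your own site, replace the sample strings with the raw response headers for one Joomla URL and one static asset, as saved from your HTTP client.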