Joomla 4 Security HTTP Headers

Updated on August 20, 2021 by InMotion Hosting Contributor

Learning how to secure Joomla 4 is easier than ever before. With the pre-installed HTTP Headers Joomla plugin, you can add up to ten security HTTP headers to protect your data against next-generation cyber attacks.

How to Secure Joomla 4 with HTTP Headers

1. Log into your Joomla 4 administrator dashboard (e.g. https://example.com/administrator).
2. Select System from the sidebar.
3. Under Manage, select Plugins.
4. Search for “System – HTTP Headers” and select it.

X-Frame-Options specifies whether, or how, your website can be embedded in another web app or site using iframes. This hardens Joomla against clickjacking. The options for this header are “DENY” and “SAMEORIGIN” (meaning you can embed your website within itself). It is enabled and set to “SAMEORIGIN” by default.

Referrer-Policy can remove sensitive content from the Referer header within URI requests (e.g. password reset URLs). There are nine options in the drop-down menu:

- empty string – no preference
- no-referrer – no referrer info sent
- no-referrer-when-downgrade – full URL unless visiting an HTTP page from an HTTPS page (default browser behavior when no policy is specified)
- same-origin – only the origin (root domain, e.g. example.com instead of example.com/blog), and only for requests within the same site
- origin – only the origin
- strict-origin – the origin only when the security level is the same (e.g. HTTPS to HTTPS)
- origin-when-cross-origin – full URL within the same site, but only the origin externally
- strict-origin-when-cross-origin – full URL within the site, only the origin when the protocol security level is the same (e.g. HTTPS to HTTPS), and no info from HTTPS to HTTP
- unsafe-url – full URL (not recommended)

This is set to “strict-origin-when-cross-origin” by default.

Cross-Origin-Opener-Policy (COOP) opens external documents in a separate browsing context group to protect against cross-origin (XS) attacks. There are three options:

- unsafe-none – no protection unless the opener has a stronger COOP policy
- same-origin-allow-popups – the page keeps references to same-origin popups
- same-origin – cross-origin documents are opened in a separate browsing context

This is set to “same-origin” by default.

The Force HTTP Headers section allows you to add custom HTTP headers. Most notable among the group is Feature-Policy, which blocks unnecessary browser features for user privacy (e.g. the camera and the WebUSB API). It is now superseded by Permissions-Policy. For example, this disables the user’s mic and webcam while allowing full screen within the site and in a Jitsi Meet video conference:

    microphone=(),camera=(),fullscreen=(self "https://meet.jit.si")

This is set to “interest-cohort=()” by default.

Configure HTTP Strict Transport Security (HSTS) from a tab at the top. HSTS forces web browsers to only load your website over a secure (HTTPS) connection. Enabling Joomla HSTS works with SSL 301 redirects to protect against HTTP downgrade attacks. You must have a valid SSL certificate on your website while HSTS is enabled; otherwise, your website will become inaccessible.

Configure Content Security Policy (CSP) from the third tab at the top. CSP prevents web browsers from loading anything on the site that is not specified in the header (e.g. external sources such as BootstrapCDN and YouTube videos). Configure Joomla CSP in more detail under the Force HTTP Headers section.

Once you have decided how to secure Joomla, select Save at the top. You can test your security HTTP headers with online tools such as https://securityheaders.com.
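If you would rather check a captured set of response headers offline, the following is an added Python example (not code from the article or from the Joomla project) that audits them against the plugin values described above. The sample headers are constructed, and the rules it applies beyond the article (treating any positive max-age as HSTS enabled, flagging a wildcard Permissions-Policy allowlist) are my assumptions.

```python
import re
# Drop-down values offered by the Joomla 4 "System - HTTP Headers" plugin, as listed above.
XFO_VALUES = {"DENY", "SAMEORIGIN"}
REFERRER_VALUES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin",
                   "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url"}
COOP_VALUES = {"unsafe-none", "same-origin-allow-popups", "same-origin"}

def parse_permissions_policy(value):
    """Parse 'feature=(allowlist),...' into {feature: [entries]} (parenthesised form only)."""
    policy = {}
    for feature, allowlist in re.findall(r'([\w-]+)=\(([^)]*)\)', value):
        # entries are bare tokens (self, *) or double-quoted origins; the quotes are stripped
        policy[feature] = [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s,]+', allowlist)]
    return policy

def audit_headers(headers):
    """Return {header: finding} for the headers this page covers; names match case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    f = {}
    f["X-Frame-Options"] = ("ok" if h.get("x-frame-options", "").upper() in XFO_VALUES
                            else "missing or invalid (clickjacking not mitigated)")
    rp = h.get("referrer-policy", "")
    if rp == "unsafe-url":
        f["Referrer-Policy"] = "weak: unsafe-url sends the full URL to every destination"
    else:
        f["Referrer-Policy"] = "ok" if rp in REFERRER_VALUES else "missing (browser default applies)"
    coop = h.get("cross-origin-opener-policy", "")
    f["Cross-Origin-Opener-Policy"] = ("ok" if coop in COOP_VALUES and coop != "unsafe-none"
                                      else "missing or unsafe-none")
    pp = parse_permissions_policy(h.get("permissions-policy", ""))
    wildcard = [name for name, allow in pp.items() if "*" in allow]
    f["Permissions-Policy"] = "ok" if pp and not wildcard else "missing or wildcard allowlist"
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    f["Strict-Transport-Security"] = ("ok" if hsts and int(hsts.group(1)) > 0
                                     else "missing or max-age=0 (HSTS disabled)")
    f["Content-Security-Policy"] = "ok" if h.get("content-security-policy") else "missing"
    return f

# Constructed sample: a site that kept the plugin defaults, added the Permissions-Policy
# example above and enabled HSTS, but has not configured a CSP yet.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Permissions-Policy": 'microphone=(),camera=(),fullscreen=(self "https://meet.jit.si")',
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name:28} {finding}")
```

Feed it the headers you capture from your own site (for example with your browser's network inspector) to see which of the six are still missing or weak.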