How to Add Referrer-Policy and X-Frame-Options in Zenphoto

After installing the Zenphoto image gallery content management system (CMS), available in Softaculous, there are multiple ways to easily improve website security:

• Force HTTPS (SSL certificate)
• Enforce minimum password strength
• Data privacy settings for GDPR and CCPA compliance

But as stated in our Web Hosting New Year’s Resolutions for 2020 blog earlier this year, there are multiple ways to improve website security regardless of your type of website or server hosting plan. Users with access to raw server files via cPanel, Webmin, Secure Shell (SSH), or other server administration methods can directly edit the .htaccess file. This is the most common location for security HTTP headers including HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).

Zenphoto users can easily add such HTTP headers with the http_security_headers plugin. Below we cover:

• X-Frame-Options
• Referrer-Policy

If you are interested in custom security options for Zenphoto (and other apps) you might also be interested to learn more about the fully managed VPS hosting accounts.

Add X-Frame-Options in Zenphoto

X-Frame-Options determines whether browsers will allow your website to display within other websites via HTML embedding tags to protect against clickjacking and related man-in-the-middle (MITM) attacks.

1. Log into Zenphoto
2. Install the http_security_headers plugin in the Security category
3. Click the gear icon to change settings
4. At the bottom, under Other headers, specify your X-Frame-Options:
   disabled – allow your webpages to be embedded within any website (default)
   deny – webpages cannot be displayed in a frame (recommended)
   sameorigin – webpages can be framed in the same webpage
   allow-from – webpages can be framed within the same URI (doesn’t work in newer browsers)

   

5. If you selected allow-from, add domains allowed to embed your webpages in X-Frame-Options – allow-from hosts
6. At the bottom, select Apply

Add Referrer-Policy in Zenphoto

Referrer-policy determines how much information is sent through with referer header in URI requests. This prevents URLs with sensitive information (e.g. user credentials and private files) from showing up in web analytics software logs.

1. If you have the http_security_headers plugin installed already, select Options, then Plugin from the top navigation menu
2. Select http_security_headers
3. At the bottom, under Other headers, specify Referrer-Policy from the drop-down menu:
   disabled – No preference
   no-referrer – No referrer info sent
   no-referrer-when-downgrade – Full URL sent unless HTTPS to HTTP page (default)
   origin – Only origin
   origin-when-cross-origin – Full URL for within the same site, but only origin for others
   same-origin – Only origin (root domain – e.g. example.com instead of example.com/page1) for within the same site
   strict-origin – Origin only when protocol security level is the same (e.g. HTTPS > HTTPS)
   strict-origin-when-cross-origin – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS > HTTPS), and no info from HTTPS to HTTP
   unsafe-url – Full URL (not recommended)

   

4. At the bottom, select Apply

You can view your website HTTP headers with the Zenphoto HTTP header inspector.