
What headers are unnecessary?

There are several headers commonly sent by web pages that have been replaced by newer headers or that reveal information about the web page that an attacker could use when probing the website for weaknesses. 

Some common obsolete headers are the Pragma header, the P3P header, and the X-Frame-Options header. The Pragma header is commonly used to control caching settings, but the Cache-Control header should be used instead. The P3P header was intended to tell browsers what information a website collects about its visitors, but the header was never widely adopted or implemented in modern browsers. The X-Frame-Options header tells browsers whether they should render a page inside <frame>, <iframe>, <embed>, or <object> tags. The X-Frame-Options header was supposed to provide security against attacks using those tags, but it has been replaced by the Content-Security-Policy header.

The Server and X-Powered-By headers tell visitors the web server software, such as Apache or NGINX, used to serve the web page and the application, such as WordPress, that generated the web page. Although there are other ways to detect the web server or web application used to load a web page, removing these unnecessary headers helps make the website a little more secure.
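To check a site's responses for the headers discussed above, the following added example (not part of the original article) audits a raw header block and reports each unnecessary header it finds. The sample response is constructed, and the check for the CSP frame-ancestors directive, which is the part of Content-Security-Policy that takes over from X-Frame-Options, goes beyond what the article states.

```python
from email.parser import Parser

# Lowercased header name -> reason the article gives for dropping it.
OBSOLETE = {
    "pragma": "obsolete: Cache-Control should be used instead",
    "p3p": "obsolete: never widely adopted",
    "x-frame-options": "obsolete: replaced by Content-Security-Policy",
}
REVEALING = {
    "server": "reveals the web server software",
    "x-powered-by": "reveals the application that generated the page",
}

# Constructed sample response headers (values are illustrative only).
SAMPLE = """\
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: ExampleApp
Pragma: no-cache
Cache-Control: no-cache
P3P: CP="NOI"
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
"""

def audit_headers(raw_headers: str) -> list[tuple[str, str]]:
    """Return (header, finding) pairs for a raw HTTP response header block."""
    lines = raw_headers.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line; the rest is "Name: value"
    msg = Parser().parsestr("\n".join(lines), headersonly=True)
    present = {name.lower() for name in msg.keys()}
    csp = " ".join(msg.get_all("Content-Security-Policy", [])).lower()
    findings = []
    for name in sorted(present):
        if name in REVEALING:
            findings.append((name, REVEALING[name]))
        elif name == "pragma" and "cache-control" not in present:
            findings.append((name, "obsolete and no Cache-Control header is set"))
        elif name == "x-frame-options" and "frame-ancestors" not in csp:
            findings.append((name, "obsolete and CSP has no frame-ancestors directive"))
        elif name in OBSOLETE:
            findings.append((name, OBSOLETE[name]))
    return findings

if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE):
        print(f"{header}: {finding}")
```

The two "obsolete and no replacement" findings matter most when cleaning up: remove Pragma or X-Frame-Options only after the replacement header is in place, otherwise the caching or framing control is lost.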

 
