How to Add Referrer-Policy and X-Frame-Options in Zenphoto

After installing the Zenphoto image gallery content management system (CMS), available in Softaculous, there are multiple ways to easily improve website security.

As stated in our Web Hosting New Year’s Resolutions for 2020 blog earlier this year, there are multiple ways to improve website security regardless of your type of website or server hosting plan. Users with access to raw server files via cPanel, Webmin, Secure Shell (SSH), or other server administration methods can directly edit the .htaccess file. This is the most common location for HTTP security headers, including HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).

Zenphoto users can easily add such HTTP headers with the http_security_headers plugin. Below we cover how to add X-Frame-Options and Referrer-Policy.

If you are interested in custom security options for Zenphoto (and other apps) you might also be interested to learn more about the fully managed VPS hosting accounts.

Add X-Frame-Options in Zenphoto

X-Frame-Options determines whether browsers will allow your website to be displayed within other websites via HTML embedding tags. Restricting this protects against clickjacking and related man-in-the-middle (MITM) attacks.

  1. Log into Zenphoto
  2. Install the http_security_headers plugin in the Security category
  3. Click the gear icon to change settings
  4. At the bottom, under Other headers, specify your X-Frame-Options:
    disabled – allow your webpages to be embedded within any website (default)
    deny – webpages cannot be displayed in a frame (recommended)
    sameorigin – webpages can be framed only by pages from the same origin
    allow-from – webpages can be framed only by the hosts you specify (doesn’t work in newer browsers)
  5. If you selected allow-from, add domains allowed to embed your webpages in X-Frame-Options – allow-from hosts
  6. At the bottom, select Apply

Add Referrer-Policy in Zenphoto

Referrer-Policy determines how much information is sent in the Referer header with each request. Limiting it prevents URLs with sensitive information (e.g. user credentials and private files) from showing up in web analytics software logs.

  1. If you have the http_security_headers plugin installed already, select Options, then Plugin from the top navigation menu
  2. Select http_security_headers
  3. At the bottom, under Other headers, specify Referrer-Policy from the drop-down menu:
    disabled – No preference
    no-referrer – No referrer info sent
    no-referrer-when-downgrade – Full URL sent unless HTTPS to HTTP page (default)
    origin – Only origin
    origin-when-cross-origin – Full URL within the same site, but only origin for others
    same-origin – Only origin (root domain – e.g. example.com instead of example.com/page1) within the same site
    strict-origin – Origin only when protocol security level is the same (e.g. HTTPS > HTTPS)
    strict-origin-when-cross-origin – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS > HTTPS), and no info from HTTPS to HTTP
    unsafe-url – Full URL (not recommended)
  4. At the bottom, select Apply

You can view your website HTTP headers with the Zenphoto HTTP header inspector.
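
To confirm the settings took effect, a captured response can be checked against the option lists above. The following is an added example, not code from Zenphoto or the http_security_headers plugin; the function names, finding codes and sample responses are constructed for illustration.

```python
# Added example (not Zenphoto or plugin code); sample responses are constructed.
FINDINGS = {
    "xfo-missing": "X-Frame-Options absent: no framing restriction from this header",
    "xfo-conflict": "X-Frame-Options sent more than once with different values",
    "xfo-allow-from": "X-Frame-Options allow-from does not work in newer browsers",
    "xfo-unknown": "X-Frame-Options value is neither deny nor sameorigin",
    "rp-missing": "Referrer-Policy absent or without a recognised value",
    "rp-unsafe-url": "Referrer-Policy unsafe-url sends the full URL (not recommended)",
}
REFERRER_POLICIES = set("no-referrer no-referrer-when-downgrade origin same-origin unsafe-url "
                        "origin-when-cross-origin strict-origin strict-origin-when-cross-origin".split())

def parse_headers(raw):
    """Map lowercased header names to the list of values sent for each."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if not sep:
            break  # blank line: end of the header block
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return finding codes (keys of FINDINGS); an empty list means no issue."""
    headers, found = parse_headers(raw), []
    xfo = {v.lower() for v in headers.get("x-frame-options", [])}
    if not xfo:
        found.append("xfo-missing")
    elif len(xfo) > 1:  # for example, set in both .htaccess and the plugin
        found.append("xfo-conflict")
    elif next(iter(xfo)).startswith("allow-from"):
        found.append("xfo-allow-from")
    elif not xfo <= {"deny", "sameorigin"}:
        found.append("xfo-unknown")
    # A Referrer-Policy value may list fallbacks; the last recognised one applies.
    tokens = [t.strip().lower() for v in headers.get("referrer-policy", []) for t in v.split(",")]
    known = [t for t in tokens if t in REFERRER_POLICIES]
    if not known:
        found.append("rp-missing")
    elif known[-1] == "unsafe-url":
        found.append("rp-unsafe-url")
    return found

GOOD = "HTTP/1.1 200 OK\nX-Frame-Options: DENY\nReferrer-Policy: origin, strict-origin\n\n<html>"
WEAK = "HTTP/1.1 200 OK\nX-Frame-Options: allow-from https://partner.example\nreferrer-policy: unsafe-url\n"
DUPLICATE = "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\nX-Frame-Options: DENY\n"
if __name__ == "__main__":
    for raw in (GOOD, WEAK, DUPLICATE):
        print([FINDINGS[code] for code in audit(raw)] or "ok")
```

Header names and values are compared case-insensitively, so `DENY` and `deny` are treated alike.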

InMotion Hosting Contributor