
HTTP Security Headers in practice (at Joomla User Group Maastricht)

13 October 2025

On Saturday, October 11, 2025, Peter Martin was a guest at the Joomla User Group Maastricht. During this meeting, he demonstrated how to easily add extra protection to your Joomla website using HTTP Security Headers, a powerful yet often overlooked layer of website security.

What are HTTP Security Headers?

HTTP Security Headers are a set of instructions that the web server sends to the browser. They define:

  • what the browser is allowed to do (for example, which scripts or resources are safe), and
  • what the browser should block (such as suspicious scripts or unsafe content).

In short, HTTP Security Headers are the safety rules through which the server tells the browser how to behave in order to protect both the website and its visitors.

Peter began the presentation somewhat differently than usual to demonstrate this: he showed slides from another presentation (unexpected, as it had not been announced in advance) and literally stood on the table (undesirable behaviour, as it had not been explicitly prohibited beforehand).

Why are they important?

In a presentation about HTTP Security Headers, Peter explained that many websites are vulnerable because of missing or incorrectly configured headers. Attackers can exploit JavaScript, iFrames, or cookies as a result. By adding a few well-chosen headers, you can drastically reduce these risks and increase your visitors’ trust.

During the session, he showed in a live demo how you can do this yourself, step by step, using Joomla’s built-in HTTP Headers plugin, with no extra extensions or complex code needed.

The HTTP Headers Plugin in Joomla

Since Joomla 4.0 (released on August 17, 2021), Joomla has included the plugin “System - HTTP Headers” by default. With it, you can configure security headers such as Content-Security-Policy (CSP), X-Frame-Options, Referrer-Policy, and other essential headers. This plugin makes it easy to increase your website’s security level directly from the Joomla core.

Test first, then improve

Before configuring the headers, it’s smart to first measure your site’s current security status. You can do that using tools like SecurityHeaders.com and Internet.nl. Turn off all caching during testing, otherwise you won’t see the effect of your changes.

During the workshop, Peter helped participants achieve an A or A+ score on SecurityHeaders.com. Setting up the Content Security Policy (CSP) correctly proved to be the most challenging, but by analyzing error messages in the Chrome console, attendees were able to quickly improve their configurations.
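As an added example (not code from the presentation or from db8), the Python sketch below audits a saved response header block offline: it checks for the headers named above, flags a response that came from a cache, and reports loose script sources in the CSP. The sample response, the `REQUIRED` checklist and the function names are assumptions made for illustration.

```python
# Added example: offline audit of a saved HTTP response header block.
# SAMPLE is constructed for illustration; it is not output from a real site.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Age: 742
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

# Headers named in the article; treating them as a checklist is an assumption.
REQUIRED = ("content-security-policy", "x-frame-options", "referrer-policy")

def parse_headers(raw):
    """Return {lowercased name: value}; the first line (status line) is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(raw):
    """Return a list of findings for one response header block."""
    headers = parse_headers(raw)
    findings = [f"missing: {name}" for name in REQUIRED if name not in headers]
    # A non-zero Age means a cache answered, so recent header changes may not show.
    age = headers.get("age", "")
    if age.isdigit() and int(age) > 0:
        findings.append(f"cached response (Age: {age}), retest with caching off")
    csp = parse_csp(headers.get("content-security-policy", ""))
    # script-src falls back to default-src when it is absent.
    scripts = csp.get("script-src", csp.get("default-src", []))
    # Simplification: browsers ignore 'unsafe-inline' when a nonce or hash is
    # also listed; this check reports the keyword whenever it is present.
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in scripts:
            findings.append(f"script source allows {weak}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To check your own site, save the response headers to a file (for example from the browser's network tab) and pass the text to `audit()`.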

Practical results

The session at the Joomla User Group Maastricht showed that Joomla comes with powerful security tools right out of the box. With a bit of knowledge and attention, you can quickly and effectively make your website more secure — without external extensions or extra costs. Read more in the event report of the Pizza JUG Fun Day, October 11, 2025 (in Dutch).

Want to learn how to better protect your Joomla website with HTTP Security Headers or other security measures?
Get in touch with db8