{"id":162869,"date":"2022-09-24T01:34:25","date_gmt":"2022-09-24T01:34:25","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/fpd-custom-headers-security\/"},"modified":"2026-03-26T11:33:02","modified_gmt":"2026-03-26T11:33:02","slug":"firstpage-sg-security-headers","status":"publish","type":"plugin","link":"https:\/\/szl.wordpress.org\/plugins\/firstpage-sg-security-headers\/","author":7163397,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.4.0","stable_tag":"1.4.0","tested":"6.9.4","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"Security Headers","header_author":"Joseph Mendez","header_description":"Security headers are directives used by web applications to configure security defenses.","assets_banners_color":"e8f4ff","last_updated":"2026-03-26 11:33:02","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/paypal.me\/jose88882020","header_plugin_uri":"https:\/\/www.firstpagedigital.sg\/","header_author_uri":"https:\/\/www.linkedin.com\/in\/joseph-m-3a133a29\/","rating":3,"author_block_rating":0,"active_installs":700,"downloads":4756,"num_ratings":2,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"joshme21","date":"2022-09-24 01:34:20"},"1.4.0":{"tag":"1.4.0","author":"joshme21","date":"2026-03-26 11:33:02"}},"upgrade_notice":[],"ratings":{"1":1,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":2789535,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":2789535,"resolution":"256x256","location":"assets","locale":""},"icon.svg":{"filename":"icon.svg","revision":2789535,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":2789535,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":2789535,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.4.0"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[153786,214096],"plugin_category":[],"plugin_contributors":[93489],"plugin_business_model":[],"class_list":["post-162869","plugin","type-plugin","status-publish","hentry","plugin_tags-security-headers","plugin_tags-seo-security-headers","plugin_contributors-joshme21","plugin_committers-joshme21"],"banners":{"banner":"https:\/\/ps.w.org\/firstpage-sg-security-headers\/assets\/banner-772x250.png?rev=2789535","banner_2x":"https:\/\/ps.w.org\/firstpage-sg-security-headers\/assets\/banner-1544x500.png?rev=2789535","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/firstpage-sg-security-headers\/assets\/icon.svg?rev=2789535","icon":"https:\/\/ps.w.org\/firstpage-sg-security-headers\/assets\/icon.svg?rev=2789535","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>Security Headers helps site owners manage modern browser security headers from inside WordPress.<\/p>\n\n<p>Features include:<\/p>\n\n<ul>\n<li>Admin settings page under Settings &gt; Security Headers<\/li>\n<li>HSTS controls with preload warning<\/li>\n<li>Referrer-Policy and X-Frame-Options settings<\/li>\n<li>Permissions-Policy custom value field<\/li>\n<li>Content-Security-Policy builder with Report-Only mode<\/li>\n<li>Diagnostics screen showing configured headers<\/li>\n<li>Test tool to fetch and inspect your live response headers<\/li>\n<li>Import, export, and reset settings tools<\/li>\n<li>Cleanup on uninstall<\/li>\n<\/ul>\n\n<h3>Why security headers important?<\/h3>\n\n<p>When auditing websites, security headers are frequently forgotten.<\/p>\n\n<p>Although some may argue that website security is unrelated to SEO, it does become so when a site is compromised and search traffic completely disappears.<\/p>\n\n<p>Everyone who publishes content online should pay special attention to security headers.<\/p>\n\n<p>Getting hacked is not good. You lose traffic, customers and it\u2019s a pain to resolve all the issues.<\/p>\n\n<p>But good thing you\u2019re smart and have searched for this plugin :).<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin folder to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate the plugin in WordPress<\/li>\n<li>Go to Settings &gt; Security Headers<\/li>\n<li>Save your preferred configuration<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"is%20content-security-policy%20enabled%20by%20default%3F\"><h3>Is Content-Security-Policy enabled by default?<\/h3><\/dt>\n<dd><p>No. CSP is disabled by default because a strict policy can break scripts, styles, embeds, or third-party integrations if it is not configured carefully.<\/p><\/dd>\n<dt id=\"should%20i%20use%20report-only%20mode%20first%3F\"><h3>Should I use Report-Only mode first?<\/h3><\/dt>\n<dd><p>Yes. Report-Only mode is the safest way to start testing CSP because it reports problems without blocking resources.<\/p><\/dd>\n<dt id=\"does%20hsts%20work%20on%20http%20sites%3F\"><h3>Does HSTS work on HTTP sites?<\/h3><\/dt>\n<dd><p>No. HSTS should only be enabled when your site is fully available over HTTPS.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.3.0<\/h4>\n\n<ul>\n<li>Added diagnostics and live header testing tools in wp-admin.<\/li>\n<li>Added import, export, and reset tools for plugin settings.<\/li>\n<li>Added a configurable Content-Security-Policy builder with Report-Only support.<\/li>\n<li>Added uninstall cleanup for stored plugin options.<\/li>\n<\/ul>\n\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Added a WordPress admin settings page under Settings &gt; Security Headers.<\/li>\n<li>Added saved plugin options with sanitization and safer defaults.<\/li>\n<li>Connected PHP and Apache header output to the saved admin settings.<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Updated plugin metadata for modern WordPress compatibility.<\/li>\n<li>Removed deprecated legacy headers.<\/li>\n<li>Limited default headers to a conservative modern set to reduce breakage.<\/li>\n<li>Only sends HSTS on HTTPS requests.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>First release<\/li>\n<\/ul>","raw_excerpt":"Security headers are directives used by web applications to configure browser-side security defenses.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/162869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=162869"}],"author":[{"embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/joshme21"}],"wp:attachment":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=162869"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=162869"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=162869"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=162869"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=162869"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=162869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}