{"id":210597,"date":"2024-11-01T07:09:27","date_gmt":"2024-11-01T07:09:27","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/security-header\/"},"modified":"2025-12-30T17:44:49","modified_gmt":"2025-12-30T17:44:49","slug":"security-header","status":"publish","type":"plugin","link":"https:\/\/szl.wordpress.org\/plugins\/security-header\/","author":23160277,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"3.1","stable_tag":"3.1","tested":"6.9.4","requires":"5.0","requires_php":"7.0","requires_plugins":null,"header_name":"HTTP Security Header","header_author":"Inspired Monks","header_description":"A simple plugin to add security headers to your WordPress site with dynamic control from the admin dashboard.","assets_banners_color":"252c41","last_updated":"2025-12-30 17:44:49","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/pages.razorpay.com\/inspiredmonks","header_plugin_uri":"","header_author_uri":"https:\/\/inspiredmonks.com","rating":5,"author_block_rating":0,"active_installs":900,"downloads":4503,"num_ratings":3,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"2.0":{"tag":"2.0","author":"mohitgoyal1108","date":"2024-11-01 10:15:46"},"2.0.1":{"tag":"2.0.1","author":"mohitgoyal1108","date":"2024-11-01 17:31:51"},"2.0.2":{"tag":"2.0.2","author":"mohitgoyal1108","date":"2024-11-19 09:02:59"},"2.0.3":{"tag":"2.0.3","author":"mohitgoyal1108","date":"2024-11-19 10:22:41"},"2.1":{"tag":"2.1","author":"mohitgoyal1108","date":"2024-11-26 21:25:11"},"2.2":{"tag":"2.2","author":"mohitgoyal1108","date":"2025-01-01 16:39:35"},"3.0":{"tag":"3.0","author":"mohitgoyal1108","date":"2025-04-29 07:23:44"},"3.1":{"tag":"3.1","author":"mohitgoyal1108","date":"2025-12-30 17:44:49"}},"upgrade_notice":{"3.1":"

Added Disable All, real-time custom header validation, and improved fallback logic. After updating, review any custom values and re-save to ensure compatibility.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":3},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3213458,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3213458,"resolution":"256x256","location":"assets","locale":""},"icon-512x512.png":{"filename":"icon-512x512.png","revision":3213458,"resolution":"512x512","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3395050,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3395050,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.0","2.0.1","2.0.2","2.0.3","2.1","2.2","3.0","3.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3180114,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3180114,"resolution":"2","location":"assets","locale":""}},"screenshots":{"1":"Example of site secured using HTTP Security Header plugin.","2":"Example of missing \/ weak headers before enabling plugin."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[7642,68184,253042,153786,1173],"plugin_category":[],"plugin_contributors":[233934],"plugin_business_model":[],"class_list":["post-210597","plugin","type-plugin","status-publish","hentry","plugin_tags-clickjacking","plugin_tags-content-security-policy","plugin_tags-http-security-header","plugin_tags-security-headers","plugin_tags-wordpress-security","plugin_contributors-mohitgoyal1108","plugin_committers-mohitgoyal1108"],"banners":{"banner":"https:\/\/ps.w.org\/security-header\/assets\/banner-772x250.png?rev=3395050","banner_2x":"https:\/\/ps.w.org\/security-header\/assets\/banner-1544x500.png?rev=3395050","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/security-header\/assets\/icon-128x128.png?rev=3213458","icon_2x":"https:\/\/ps.w.org\/security-header\/assets\/icon-256x256.png?rev=3213458","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/security-header\/assets\/screenshot-1.png?rev=3180114","caption":"Example of site secured using HTTP Security Header plugin."},{"src":"https:\/\/ps.w.org\/security-header\/assets\/screenshot-2.png?rev=3180114","caption":"Example of missing \/ weak headers before enabling plugin."}],"raw_content":"\n

HTTP Security Header<\/strong> helps protect your WordPress site by adding critical HTTP headers to each response \u2014 with no code required. These headers provide additional layers of protection against attacks such as cross-site scripting (XSS), clickjacking, content injection, and resource leaks.<\/p>\n\n

This plugin offers a modern, responsive admin dashboard with validation, fallback safety, and full control over each header\u2019s default or custom value.<\/p>\n\n

\ud83d\udd0e Scan Your Website Security Headers<\/h3>\n\n

Before configuring headers, instantly check your website\u2019s current security score using our online header scanner:<\/p>\n\n

\ud83d\udc49 Scan Your Website Security Headers<\/a><\/p>\n\n

\u2714 Enter your website URL
\n\u2714 Get instant Security Grade (A+ to F)
\n\u2714 See which headers are Present or Missing
\n\u2714 Get clear, actionable recommendations
\n\u2714 Easily fix them using this plugin<\/p>\n\n

Used by thousands of websites to enhance security and protect user data.<\/p>\n\n

Features Include:<\/strong>\n\u2013 Visual toggles for enabling\/disabling headers
\n\u2013 Option to use default or custom header values<\/strong>
\n\u2013 Secure fallback if a header is misconfigured
\n\u2013 Integrated header validation<\/strong>
\n\u2013 Support for all major browser-supported headers
\n\u2013 Nonce-based saving and admin notices
\n\u2013 WP Multisite compatible
\n\u2013 \"Disable All\" and \"Reset to Important Headers\" actions
\n\u2013 Per-header input validation with real-time error fallback<\/p>\n\n

Supported Headers:<\/strong>\n* Strict-Transport-Security (HSTS)\n* X-Frame-Options\n* X-Content-Type-Options\n* Referrer-Policy\n* Content-Security-Policy\n* Permissions-Policy\n* X-XSS-Protection\n* X-Permitted-Cross-Domain-Policies\n* Expect-CT\n* Cross-Origin-Opener-Policy (COOP)\n* Cross-Origin-Resource-Policy (CORP)\n* Cross-Origin-Embedder-Policy (COEP)<\/p>\n\n

Features<\/h3>\n\n
    \n
  • Lightweight and performance-focused <\/li>\n
  • No front-end impact <\/li>\n
  • Choose default or custom header values <\/li>\n
  • Secure validation and auto-fallbacks <\/li>\n
  • Seamless plugin compatibility (including WP Rocket) <\/li>\n
  • Fully translation-ready and i18n-compliant <\/li>\n
  • Nonce-protected admin save actions <\/li>\n
  • Optional reset-to-default support <\/li>\n
  • Reset or disable all headers with one click<\/li>\n<\/ul>\n\n\n
      \n
    1. Upload the plugin folder to \/wp-content\/plugins\/<\/code><\/li>\n
    2. Activate the plugin via WordPress admin<\/li>\n
    3. Navigate to Settings \u2192 Security Headers<\/strong> to configure<\/li>\n<\/ol>\n\n\n
      \n

      Does this modify the .htaccess file?<\/h3><\/dt>\n

      No, this plugin applies headers dynamically using send_headers<\/code> \u2014 making it cache-safe, portable, and compatible with all environments.<\/p><\/dd>\n

      Is this plugin multisite compatible?<\/h3><\/dt>\n

      Yes, you can configure headers per site on a WordPress Multisite network.<\/p><\/dd>\n

      What happens if a custom value is invalid?<\/h3><\/dt>\n

      The plugin uses fallback logic to prevent breaking the site by reverting to a known safe default. An admin notice will also appear.<\/p><\/dd>\n

      How do I reset the headers?<\/h3><\/dt>\n

      Click the \u201cReset to Defaults\u201d option in the admin panel to revert settings to secure recommended defaults.<\/p><\/dd>\n

      Can I disable all headers at once?<\/h3><\/dt>\n

      Yes. The \u201cDisable All\u201d button allows you to turn off all headers in a single action.<\/p><\/dd>\n

      Will this block any scripts or resources?<\/h3><\/dt>\n

      Some headers like Content-Security-Policy<\/code> or COEP<\/code> can affect script loading. Test after enabling them, especially with third-party scripts.<\/p><\/dd>\n

      Does this support headers like COOP, CORP, and COEP?<\/h3><\/dt>\n

      Yes, advanced cross-origin headers like COOP, CORP, and COEP are supported.<\/p><\/dd>\n\n<\/dl>\n\n\n

      3.1<\/h4>\n\n
        \n
      • NEW: Real-time validation for custom headers with fallback + admin warnings<\/li>\n
      • NEW: \"Disable All Headers\" button in settings UI<\/li>\n
      • NEW: Reset-to-default activates only important headers<\/strong><\/li>\n
      • Improved validation logic for Permissions-Policy<\/code>, CSP<\/code>, and Expect-CT<\/code><\/li>\n
      • Refined translations and I18N compliance<\/li>\n<\/ul>\n\n

        3.0<\/h4>\n\n
          \n
        • Added support for Cross-Origin-Embedder-Policy (COEP)<\/strong><\/li>\n
        • Refactored header application with auto-fallback and validation<\/strong><\/li>\n
        • Introduced full nonce protection<\/strong> and security hardening<\/li>\n
        • Enhanced admin UI with tooltips and mobile-first design<\/li>\n
        • Introduced reset-to-defaults architecture<\/li>\n
        • Removed .htaccess<\/code> dependency<\/li>\n<\/ul>\n\n

          2.2<\/h4>\n\n
            \n
          • Merged Feature-Policy with Permissions-Policy<\/li>\n
          • Improved .htaccess<\/code> logic<\/li>\n
          • Enhanced CSP formatting<\/li>\n<\/ul>\n\n

            2.1<\/h4>\n\n
              \n
            • Added COOP and CORP headers<\/li>\n
            • Improved UI layout and validation<\/li>\n<\/ul>\n\n

              2.0.3 \u2013 2.0.1<\/h4>\n\n
                \n
              • UI improvements and compatibility fixes<\/li>\n<\/ul>\n\n

                2.0<\/h4>\n\n
                  \n
                • Major refactor with modular header handling<\/li>\n<\/ul>\n\n

                  1.0<\/h4>\n\n
                    \n
                  • Initial release<\/li>\n<\/ul>","raw_excerpt":"Add and manage essential HTTP security headers with ease. Protect your WordPress site from XSS, clickjacking, and other common vulnerabilities.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/210597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=210597"}],"author":[{"embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/mohitgoyal1108"}],"wp:attachment":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=210597"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=210597"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=210597"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=210597"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=210597"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=210597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}