HTTP Headers for Wordpress
Overview
HTTP Headers is a WordPress plugin that gives you control over the HTTP headers returned by your WordPress-based blog or website. It helps protect against XSS, MITM and clickjacking attacks, and lets you relax the same-origin policy selectively by configuring CORS headers.
HTTP Headers
A list of headers supported by current version:
- X-Frame-Options
- Access-Control-Allow-Origin
- X-XSS-Protection
- Access-Control-Allow-Credentials
- X-Content-Type-Options
- Access-Control-Max-Age
- X-UA-Compatible
- Access-Control-Allow-Methods
- Strict-Transport-Security
- Access-Control-Allow-Headers
- Public-Key-Pins
- Public-Key-Pins-Report-Only
- Access-Control-Expose-Headers
- P3P
- Referrer-Policy
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Age
- Cache-Control
- Expires
- Pragma
- Content-Encoding
- Content-Type
- Vary
- Connection
- X-Powered-By
- WWW-Authenticate
- Expect-CT
- Timing-Allow-Origin
- X-DNS-Prefetch-Control
- X-Download-Options
- X-Permitted-Cross-Domain-Policies
- Report-To
- Feature-Policy
- Clear-Site-Data
- Cross-Origin-Resource-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- NEL
- Permissions-Policy
- X-Robots-Tag
These HTTP headers are used in production by popular websites such as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Ebay, Paypal, Instagram, Pinterest, Dropbox, Reddit, Netflix, Tumblr, Blogger and many more.
Installation
To install the HTTP Headers plugin on your WordPress blog, follow these steps:
- Get the plugin's source code in whichever way you prefer:
- SVN checkout - if you are comfortable with SVN and the command line, check out the tagged release:
$ svn co https://plugins.svn.wordpress.org/http-headers/tags/1.18.3/
- File download - if you prefer an old-fashioned file download, fetch the HTTP Headers v1.18.3 archive and unpack it.
- Copy the plugin's content into the /wp-content/plugins/http-headers folder.
- Activate the plugin from the WordPress admin.
- That's all.
[Screenshot: the configured security headers as they appear in the server response]
Sample configuration
A typical configuration for a website includes these security headers and their corresponding values:
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block (a legacy header; current browsers ignore it, so treat it as harmless rather than as real protection and rely on Content-Security-Policy instead)
- X-Content-Type-Options: nosniff
- X-UA-Compatible: IE=edge,chrome=1 (a rendering hint for old Internet Explorer, not a security header)
- Strict-Transport-Security: max-age=31536000; includeSubDomains (note the "=" after max-age: browsers ignore the whole header if the value is malformed. Send it only once the entire site, subdomains included, is served over HTTPS, because browsers will refuse plain-HTTP access for the duration of max-age)
- Referrer-Policy: no-referrer-when-downgrade (strict-origin-when-cross-origin, the current browser default, leaks less of the URL to other sites)
If you intend to support cross-origin resource sharing, consider the following:
- Access-Control-Allow-Origin: * (for public, unauthenticated resources only; otherwise echo back one allowlisted origin and add Vary: Origin)
- Access-Control-Allow-Credentials: true (include only if cross-origin clients must send HTTP cookies, HTTP authentication or TLS client certificates; browsers reject a credentialed response whose Allow-Origin is *, so this never works together with the wildcard above)
- Access-Control-Allow-Methods: POST, GET, OPTIONS
- Access-Control-Allow-Headers: Origin (list here the request headers your cross-origin clients actually send)
- P3P: CP="CAO PSA OUR" (obsolete; only old Internet Explorer versions read it)
If you want to include a Content Security Policy you can start with this:
- Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts
Treat this as a permissive starting point, not a hardened policy: 'unsafe-inline' and 'unsafe-eval' in script-src give up most of the XSS protection CSP offers, and http: allows scripts from any host. Roll it out with Content-Security-Policy-Report-Only first and tighten it from the reports. Be careful with the sandbox directive as well: without allow-same-origin it gives the page an opaque origin, so scripts lose access to cookies and storage and anything that depends on them breaks.
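To check that a server actually sends the values above, and to catch the mistakes discussed in the two sections before this one (the malformed HSTS value, a wildcard Allow-Origin combined with Allow-Credentials, the permissive starter CSP, the legacy X-XSS-Protection and P3P headers), here is an added example written for this article; it is not code from the HTTP Headers plugin or its author. It parses a raw HTTP response and audits its security and CORS headers. Both responses embedded in it are constructed, not captured from a real site, the origin https://app.example.com is made up, and the finding texts and the one-year HSTS threshold are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed example response (not captured from a real site): it serves the
# article's sample values verbatim, so the audit has real mistakes to flag.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age: 31536000; includeSubDomains
Referrer-Policy: no-referrer-when-downgrade
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP="CAO PSA OUR"
Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts
X-Powered-By: PHP/7.4

<!DOCTYPE html>"""

# The same constructed response with the corrections applied (the origin is made up).
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Vary: Origin
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'

<!DOCTYPE html>"""

ONE_YEAR = 31536000
# RFC 6797: max-age=<seconds> is mandatory and a malformed value makes browsers drop the header.
HSTS_RE = re.compile(r"^max-age=(\d+)(\s*;\s*includeSubDomains)?(\s*;\s*preload)?\s*$", re.I)
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "*")
REQUIRED = ("x-frame-options", "x-content-type-options", "strict-transport-security",
            "referrer-policy", "content-security-policy")
LEGACY = (("x-xss-protection", "ignored by current browsers, rely on CSP instead"),
          ("p3p", "obsolete, only old Internet Explorer reads it"),
          ("x-powered-by", "discloses the server stack"))


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; stops at the blank line before the body."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means the response passes."""
    findings = [f"{name}: missing" for name in REQUIRED if name not in headers]

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        match = HSTS_RE.match(hsts)
        if not match:
            findings.append("strict-transport-security: malformed, expected "
                            "max-age=<seconds>[; includeSubDomains]")
        elif int(match.group(1)) < ONE_YEAR:
            findings.append("strict-transport-security: max-age below one year")

    # Browsers never honour a wildcard origin on a credentialed request; the
    # server has to echo one allowlisted Origin (and send Vary: Origin) instead.
    if (headers.get("access-control-allow-origin") == "*"
            and headers.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("cors: Allow-Credentials true with Allow-Origin *")

    findings += [f"{name}: {why}" for name, why in LEGACY if name in headers]

    csp = headers.get("content-security-policy")
    if csp:
        directives = parse_csp(csp)
        script_src = directives.get("script-src", directives.get("default-src", []))
        findings += [f"csp: script-src allows {src}" for src in WEAK_SCRIPT_SOURCES
                     if src in script_src]
        if "sandbox" in directives and "allow-same-origin" not in directives["sandbox"]:
            findings.append("csp: sandbox without allow-same-origin gives the page an "
                            "opaque origin, so scripts lose cookies and storage")
    return findings
```

Running `audit(parse_headers(SAMPLE_RESPONSE))` yields nine findings that map one-to-one onto the corrections above, while the hardened response passes cleanly. To check a live deployment, feed the output of `curl -si https://your-site/` to `parse_headers` instead of the embedded sample.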
License
HTTP Headers for WordPress is licensed under the GPLv2 license or later.
Compatibility
HTTP Headers plugin requires WordPress 3.2 or higher and is compatible up to WordPress 5.7.1
Conclusion
Along with improving the security of your website, this plugin makes your blog CORS-compliant. That makes it a must-have addition to your WordPress site.
If you have any questions about HTTP Headers for WordPress, leave a comment below. And do not be shy about sharing this article. Thanks so much for reading!