Plugins DatabasePlugins Database logo
Back to plugins
WordPress

Actions

DownloadAuthor pageSee on WordPress

Plugin info

Total downloads: 3,373
Active installs: 600
Total reviews: 3
Average rating: 5
Support threads opened: 0
Support threads resolved: 0 (0%)
Available in: 1 language(s)
Contributors: 1
Last updated: 4/29/2025 (246 days ago)
Added to WordPress: 11/1/2024 (1 years old)
Minimum WordPress version: 5.0
Tested up to WordPress version: 6.8.3
Minimum PHP version: 7.0

Maintenance & Compatibility

Maintenance score

Stale • Last updated 246 days ago • 3 reviews

40/100

Is HTTP Security Header abandoned?

Likely maintained (last update 246 days ago).

Compatibility

Requires WordPress: 5.0
Tested up to: 6.8.3
Requires PHP: 7.0

Ratings

3
0
0
0
0See all reviews

Developers

MOHIT GOYAL (Owner)2

Languages

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

No similar plugins found yet.
See more alternatives to HTTP Security Header

Description

HTTP Security Header helps protect your WordPress site by adding critical HTTP headers to each response — with no code required. These headers provide additional layers of protection against attacks such as cross-site scripting (XSS), clickjacking, content injection, and resource leaks.

This plugin offers a modern, responsive admin dashboard with validation, fallback safety, and full control over each header’s default or custom value.

Features Include:
– Visual toggles for enabling/disabling headers
– Option to use default or custom header values
– Secure fallback if a header is misconfigured
– Integrated header validation
– Support for all major browser-supported headers
– Nonce-based saving and admin notices
– WP Multisite compatible
– “Disable All” and “Reset to Important Headers” actions
– Per-header input validation with real-time error fallback

Supported Headers:
* Strict-Transport-Security (HSTS)
* X-Frame-Options
* X-Content-Type-Options
* Referrer-Policy
* Content-Security-Policy
* Permissions-Policy
* X-XSS-Protection
* X-Permitted-Cross-Domain-Policies
* Expect-CT
* Cross-Origin-Opener-Policy (COOP)
* Cross-Origin-Resource-Policy (CORP)
* Cross-Origin-Embedder-Policy (COEP)

Features

  • Lightweight and performance-focused
  • No front-end impact
  • Choose default or custom header values
  • Secure validation and auto-fallbacks
  • Seamless plugin compatibility (e.g. WP Rocket)
  • Fully translation-ready and i18n-compliant
  • Nonce-protected admin save actions
  • Optional reset-to-defaults support
  • Reset or disable all headers with one click

Installation

  1. Upload the plugin folder to /wp-content/plugins/.
  2. Activate the plugin via WordPress admin.
  3. Navigate to Settings Security Headers to configure.

Frequently Asked Questions

Does this modify the .htaccess file?

No, this plugin applies headers dynamically using send_headers — making it cache-safe, portable, and compatible with all environments.

Is this plugin multisite compatible?

Yes, you can configure headers per site on a WordPress Multisite network.

What happens if a custom value is invalid?

The plugin uses fallback logic to prevent breaking the site by reverting to a known safe default. An admin notice will also show up when this happens.

How do I reset the headers?

Click the “Reset to Defaults” option in the admin panel to revert all settings to secure recommended defaults.

Can I disable all headers at once?

Yes. The “Disable All” button in the admin interface allows you to turn off all headers in a single action.

Will this block any scripts or resources?

Some headers like Content-Security-Policy or COEP can affect script loading. You should test after enabling them, especially with third-party scripts or iframe embeds.

Does this support headers like `COOP`, `CORP`, or `COEP`?

Yes, the plugin supports advanced cross-origin headers like COOP, CORP, and COEP.

Review feed

MOHIT GOYAL
11/1/2024

Essential for Enhancing Website Security

I recently integrated the Security Header plugin into my WordPress site, and it has significantly improved my website's security posture. The user-friendly interface made it easy to enable essential HTTP security headers with just a few clicks.

Screenshots

  1. <p><strong>With Plugin</strong>: Your website is secured with essential security headers. </p>

    With Plugin: Your website is secured with essential security headers.

  2. <p><strong>Without Plugin</strong>: Your website is vulnerable to various security threats. </p>

    Without Plugin: Your website is vulnerable to various security threats.

Changelog

3.1

  • NEW: Real-time validation for custom headers with fallback + admin warnings
  • NEW: “Disable All Headers” button in settings UI
  • NEW: Reset-to-default activates only important headers
  • Improved validation logic for Permissions-Policy, CSP, and Expect-CT
  • Refined translations and I18N compliance

3.0

  • Added support for Cross-Origin-Embedder-Policy (COEP)
  • Refactored header application with auto-fallback and validation
  • Introduced full nonce protection and security hardening
  • Enhanced admin UI, with tooltips and mobile-first design
  • Introduced reset-to-defaults architecture (optional)
  • Removed .htaccess dependency for full dynamic application

2.2

  • Merged Feature-Policy with Permissions-Policy
  • Improved .htaccess header injection logic
  • Enhanced Content-Security-Policy formatting

2.1

  • Added Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy
  • Improved UI layout and validation

2.0.3 – 2.0.1

  • Minor UI improvements and compatibility fixes

2.0

  • Major refactor with modular header handling

1.0

  • Initial release with core security headers
Back to plugins