
Add essential HTTP security headers to protect your WordPress site from attacks and improve security.
| Author: | MOHIT GOYAL (profile at wordpress.org) |
| WordPress version required: | 5.0 |
| WordPress version tested: | 6.9 |
| Plugin version: | 3.1 |
| Added to WordPress repository: | 01-11-2024 |
| Last updated: | 30-12-2025 |
| Rating, %: | 100 |
| Rated by: | 3 |
| Plugin URI: | |
| Total downloads: | 4 454 |
| Active installs: | 900+ |
HTTP Security Header helps protect your WordPress site by adding critical HTTP headers to each response — with no code required. These headers provide additional layers of protection against attacks such as cross-site scripting (XSS), clickjacking, content injection, and resource leaks.
This plugin offers a modern, responsive admin dashboard with validation, fallback safety, and full control over each header’s default or custom value.
Scan Your Website Security Headers
Before configuring headers, instantly check your website’s current security score using our online header scanner:
✔ Enter your website URL
✔ Get instant Security Grade (A+ to F)
✔ See which headers are Present or Missing
✔ Get clear, actionable recommendations
✔ Easily fix them using this plugin
Used by thousands of websites to enhance security and protect user data.
Features Include:
– Visual toggles for enabling/disabling headers
– Option to use default or custom header values
– Secure fallback if a header is misconfigured
– Integrated header validation
– Support for all major browser-supported headers
– Nonce-based saving and admin notices
– WP Multisite compatible
– “Disable All” and “Reset to Important Headers” actions
– Per-header input validation with real-time error fallback
Supported Headers:
* Strict-Transport-Security (HSTS)
* X-Frame-Options
* X-Content-Type-Options
* Referrer-Policy
* Content-Security-Policy
* Permissions-Policy
* X-XSS-Protection
* X-Permitted-Cross-Domain-Policies
* Expect-CT
* Cross-Origin-Opener-Policy (COOP)
* Cross-Origin-Resource-Policy (CORP)
* Cross-Origin-Embedder-Policy (COEP)
Features
- Lightweight and performance-focused
- No front-end impact
- Choose default or custom header values
- Secure validation and auto-fallbacks
- Seamless plugin compatibility (including WP Rocket)
- Fully translation-ready and i18n-compliant
- Nonce-protected admin save actions
- Optional reset-to-default support
- Reset or disable all headers with one click


