Description
Security Headers Audit empowers WordPress site owners to fortify their browser-side security through modern HTTP security headers and robust, comprehensive auditing tools.
The plugin provides a professional, easy-to-use interface for configuring recommended security headers, seamlessly monitoring Content Security Policy (CSP) violations, recording browser console errors, and tracking security-related configuration changes within WordPress.
By proactively implementing industry-standard browser security protections, Security Headers Audit helps drastically reduce exposure to common web vulnerabilities such as Cross-Site Scripting (XSS), clickjacking, MIME-type sniffing attacks, and unsafe cross-origin interactions.
Key Features
- Centralized Dashboard: Configure HTTP Security Headers effortlessly.
- CSP Management: Complete Content Security Policy builder and manager.
- HSTS Support: Enforce Strict-Transport-Security (HSTS) for SSL protection.
- Clickjacking Protection: X-Frame-Options to prevent unauthorized iframe embedding.
- MIME Sniffing Prevention: X-Content-Type-Options support.
- Privacy Controls: Comprehensive Referrer-Policy management.
- Feature Policies: Permissions-Policy configuration for browser hardware and feature control.
- Cross-Origin Protections: Full support for COOP, COEP, and CORP policies.
- Violation Monitoring: Detailed CSP violation logging and reporting.
- Frontend Error Collection: Log JavaScript browser console errors experienced by real users.
- Audit Trail: Track all security configuration changes made by administrators.
- Portability: Import and export settings securely.
- Clean Uninstall: Complete database cleanup support upon uninstallation.
Supported Security Headers
- Content-Security-Policy (CSP)
- Strict-Transport-Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
- Cross-Origin-Opener-Policy (COOP)
- Cross-Origin-Embedder-Policy (COEP)
- Cross-Origin-Resource-Policy (CORP)
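As an added illustration of what a header checker for the nine headers above has to look at (this is example code written here, not the plugin's own Header Checker), the function below audits a captured set of response headers, flags weak values, and treats a report-only CSP as logged-but-not-enforced. The sample headers and the letter-grade scale are constructed for the example.

```python
import re

# The nine headers listed on this page; all names are matched case-insensitively.
CHECKED = [
    "Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
    "Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy",
    "Cross-Origin-Resource-Policy",
]
ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age for preload eligibility


def audit_headers(headers):
    """Return (findings, missing) for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [name for name in CHECKED if name.lower() not in h]
    findings = []
    csp = h.get("content-security-policy")
    if csp:
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            findings.append("CSP allows unsafe-inline/unsafe-eval")
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
    elif "content-security-policy-report-only" in h:
        # Report-only mode logs violations but blocks nothing (see the FAQ below).
        findings.append("CSP is report-only: violations are logged, not blocked")
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value is not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    if h.get("referrer-policy", "").lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy leaks full URLs cross-origin")
    return findings, missing


def grade(headers):
    """Constructed scale: A with no issues, one step down per missing or weak header."""
    findings, missing = audit_headers(headers)
    return "ABCDEF"[min(len(findings) + len(missing), 5)]


# Constructed sample: a site mid-rollout, with CSP still in report-only mode.
SAMPLE = {
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Running `audit_headers(SAMPLE)` lists the five headers the sample never sends plus the report-only CSP and short HSTS lifetime, which is the kind of result to resolve on staging before switching CSP to enforcing mode.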
Installation
- Upload the plugin folder to the /wp-content/plugins/ directory, or install the plugin directly through the WordPress Plugins screen.
- Activate the plugin through the “Plugins” screen in WordPress.
- Locate the new “Security Headers Audit” menu within your WordPress admin dashboard.
- Navigate to the Settings tab to configure your preferred security headers and auditing options.
- Save your settings and run the built-in Header Checker to verify your new security grade!
FAQ
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. This plugin allows you to seamlessly build your CSP rules to restrict which external resources (such as scripts, stylesheets, and images) can be loaded, actively preventing malicious scripts from executing on your site.
Can I safely use Security Headers Audit on existing live websites?
Yes. Security Headers Audit is designed to be installed safely on both new and existing WordPress websites. However, because strict security headers (like HSTS and rigid CSP rules) can inadvertently block legitimate resources or break site functionality if misconfigured, we strongly recommend testing all security header changes in a staging environment or utilizing report-only modes before enforcing them on a live production site.
Will this plugin slow down my website performance?
No. Security Headers Audit is incredibly lightweight and built with maximum performance in mind. The security headers are injected rapidly at the server response level, causing zero measurable impact on your frontend loading speeds. All audit logs are asynchronously collected and efficiently stored in optimized database tables within WordPress.
Does Security Headers Audit clean up its data upon uninstall?
Yes. The plugin respects your database hygiene. It includes a built-in uninstall routine that ensures all custom database tables, audit logs, and settings configurations are completely removed when you explicitly delete the plugin, leaving no orphaned data behind.
What happens if I lock myself out with HSTS or a strict CSP?
If you accidentally misconfigure Strict-Transport-Security (HSTS) or your Content Security Policy (CSP) and your site breaks, you can safely deactivate the plugin via FTP or a File Manager by renaming the /wp-content/plugins/chetan-security-headers-audit/ folder. This will instantly disable the headers and restore normal access so you can readjust your settings.
Changelog
1.0.1
- Major Refactor: Cleaned up plugin architecture and removed unused legacy code strings.
- Enhancement: Renamed dashboard menu slugs to conform to standard WordPress naming conventions (security-headers-audit).
- Enhancement: Improved general backend UI labels, descriptions, and dashboard messaging.
- Fix: Addressed character encoding issues preventing strict_types from executing correctly on specific Windows/PowerShell environments.
- Update: Improved documentation, added precise FAQs, and updated the readme structure.
1.0.0
- Initial public release.
- Added HTTP Security Headers management.
- Added Content Security Policy (CSP) support.
- Added Strict-Transport-Security (HSTS) support.
- Added X-Frame-Options configuration.
- Added X-Content-Type-Options configuration.
- Added Referrer-Policy configuration.
- Added Permissions-Policy configuration.
- Added Cross-Origin policies (COOP, COEP, CORP).
- Added CSP violation logging.
- Added browser console error logging.
- Added security audit trail.
- Added settings management dashboard.
- Added import and export functionality.
- Added uninstall cleanup support.
