HTTP Headers

Description

HTTP Headers gives your control over the http headers returned by your blog or website.

Headers supported by HTTP Headers includes:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Expose-Headers
  • Age
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Cache-Control
  • Clear-Site-Data
  • Connection
  • Content-Encoding
  • Content-Type
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • Expect-CT
  • Expires
  • Feature-Policy
  • NEL
  • Permissions-Policy
  • Pragma
  • ~~Public-Key-Pins~~
  • ~~Public-Key-Pins-Report-Only~~
  • P3P
  • Referrer-Policy
  • Report-To
  • Strict-Transport-Security
  • Timing-Allow-Origin
  • Vary
  • WWW-Authenticate
  • X-Content-Type-Options
  • X-DNS-Prefetch-Control
  • X-Download-Options
  • X-Frame-Options
  • X-Permitted-Cross-Domain-Policies
  • X-Powered-By
  • X-UA-Compatible
  • X-XSS-Protection

The getting started tutorial describes a typical configuration of this plugin.

Screenshots

  • This screenshot shows up the dashboard with categories of the supported headers.
  • This screenshot shows up the headers of a chosen category and their current values.
  • This screenshot shows up the settings page where you can adjust the security headers.
  • This screenshot shows up the response headers returned by the web server.

Installation

Upload the HTTP Headers plugin to your blog. Then activate it.

That’s all.

FAQ

Why to use this plugin?

Nowadays security of your social data at the web is essential. This plugin helps you to improve your website overall security.

Who use these headers?

These HTTP headers are being used in production services by popular websites as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram, Pinterest.

Reviews

November 18, 2020
Thanks you made easy all the http config in my sites. Thankssss !
November 2, 2020
With the help of this plugin you can manage security headers easily. Really well done. But you need to know what you are doing and you need to read a lot of documentation about http headers to understand the meaning of every option. With my little knowledge of http headers security i moved from grade F to D in less than 5 minutes. But i think i've done 10% of the work, maybe less. I wish there was a paid service to configure this plugin.
October 29, 2020
Every time you save the settings you get a critical error. Sometimes you have to try 2 or 3 times to get it to save. It's easier to collect the various bits of htaccess code you need from other sources and add them manually.
October 16, 2020
This plugin worked on one site just great, another it failed. On the failing site, I had https secure connection on the login page, yet when I typed to login, the result was a notice that the page was not secure. I'm giving a 2 although I think it is a plugin or NGINX conflict, perhaps the hide login plugin since the issue was on the login page. I don't know, so I will list 2. I will list the plugins below. I saw that on another comment you wrote this plugin doesn't work with NGINX. I have NGinx helper plugin, so I have NGinx, so maybe that is the issue. I guess then it will not work. If this is still true, then I suggest you put that in big letters on your WP page so people don't download. I don't think I have technical skills to know how to make it work! I followed most of the suggestions suggested for security, choosing nothing else, and only changed the following: ** "Same Origin"- X-Frame-Options **"strict-origin-when-cross-origin"- Referer Policy** ** "✔ Secure ✔ HttpOnly ✔ SameSite"- Cookie Policy** ** "ambient-light-sensor=(), autoplay=(), camera=(), geolocation=(), microphone=()" - Permissions Policy** These are the details on the FAILing site, theme 2017: Plugins 1. Disable Rest API 2. Easy Accordion 3. Easy Accordion Pro 4. Lightweight Grid Columns 5. Limit Login Attempts Reloaded 6. Nginx Helper 7. Optimize Database After Deleting Revisions 8. QSM Reporting and Analysis 9. Remove "Powered by WordPress" 10. Simple CSS 11. WP Offload Media Lite 12. WP Remove Query Strings From Static Resources 13. WPS Hide Login
July 18, 2020
Really Nice Job. Thank you very much. Now i´m A in the securityheaders.com Security Report Summary.
Read all 39 reviews

Contributors & Developers

“HTTP Headers” is open source software. The following people have contributed to this plugin.

Contributors

“HTTP Headers” has been translated into 1 locale. Thank you to the translators for their contributions.

Translate “HTTP Headers” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.18.1

Release Date – 29th October, 2020

  • Added “allow-downloads” and “allow-top-navigation-by-user-activation” to “sandbox” directive, part of CSP

1.18.0

Release Date – 20th September, 2020

  • Added “Permissions-Policy” header
  • Fixed “Cookie Security”

1.17.0

Release Date – 26th July, 2020

  • Added “Cross-Origin-Embedder-Policy” header
  • Added “Cross-Origin-Opener-Policy” header

1.16.1

Release Date – 23rd July, 2020

  • Fixed JS/CSS versioning

1.16.0

Release Date – 23rd July, 2020

  • Added the “NEL” header
  • Fixed the “Report-To” header

1.15.2

Release Date – 18th June, 2020

  • Fixed a PHP Notice at “Expires” page
  • Fixed comments in .user.ini file

1.15.1

Release Date – 9th May, 2020

  • Fixed the “Access-Control-Allow-Origin” header

1.15.0

Release Date – 26th January, 2020

  • Added the “Cross-Origin-Resource-Policy” header
  • Removed the “Public-Key-Pins” header

1.14.2

Release Date – 25th November, 2019

  • CORS headers updated (added “Vary: Origin”)

1.14.1

Release Date – 15th September, 2019

  • Simple filtering was replaced with Dynamic filtering

1.14.0

Release Date – 1st September, 2019

  • Added the “Content-Type” header
  • Fixed the “Access-Control-Allow-Credentials” header
  • Improvement to “Access-Control-Allow-Headers” header
  • Improvement to “Access-Control-Allow-Methods” header
  • Improvement to “Access-Control-Expose-Headers” header
  • Improvement to “Cache-Control” header
  • Improvement to “Vary” header

1.13.4

Release Date – 14th July, 2019

  • Added the “always” condition to Header (unset) directive
  • Fixed the “import” function
  • Fixed the “Access-Control-Allow-Origin” header

1.13.3

Release Date – 16th June, 2019

  • Bugfix in “WWW-Authenticate” header
  • Added support of Apache 2.4

1.13.2

Release Date – 13th June, 2019

  • Bugfix in “Content-Encoding” header
  • Bugfix in “Vary” header

1.13.1

Release Date – 8th June, 2019

  • Added Brotli compression

1.13.0

Release Date – 7th June, 2019

  • Added “SameSite” to Cookie Security
  • Fixed import/export function
  • Code refactoring

1.12.2

Release Date – 5th April, 2019

  • UI improvement for Content-Security-Policy
  • Fix for Access-Control-Allow-Headers
  • Fix for Access-Control-Allow-Origin
  • Fix for Feature-Policy

1.12.1

Release Date – 9th January, 2019

  • Remove direct calls to cURL

1.12.0

Release Date – 5th January, 2019

  • Better handling of activate/deactivate functions

1.11.0

Release Date – 9th December, 2018

  • Added support of “Clear-Site-Data” header

1.10.5

Release Date – 6th November, 2018

  • Hotfix: parallel work with third-party plugins

1.10.4

Release Date – 30th September, 2018

  • Support of following Server APIs: CGI, FastCGI, PHP-FPM
  • Error handling improvement

1.10.3

Release Date – 8th August, 2018

  • HSTS improvement
  • CORS improvement

1.10.2

Release Date – 31st July, 2018

  • Export feature bug-fixed

1.10.1

Release Date – 18th July, 2018

  • Feature-Policy header update: new features added

1.10.0

Release Date – 17th July, 2018

  • Added support of “Feature-Policy” header

1.9.5

Release Date – 12th July, 2018

  • CORS bugfix

1.9.4

Release Date – 13th January, 2018

  • In-plugin security improvement

1.9.3

Release Date – 10th January, 2018

  • Bug fix

1.9.2

Release Date – 4th January, 2018

  • Security improvements

1.9.1

Release Date – 27th December, 2017

  • Updated translations

1.9.0

Release Date – 23th December, 2017

  • Added support of “Report-To” header
  • Added support of translations
  • Added support of Import/Export
  • Updated “Content-Security-Policy” header (added directives: object-src, frame-src, worker-src, manifest-src, base-uri, report-to)
  • Updated “WWW-Authenticate” header (support multiple users)
  • Updated “Access-Control” headers (added list of origins)

1.8.0

Release Date – 31st August, 2017

  • Added support of “Timing-Allow-Origin” header
  • Added support of “X-Download-Options” header
  • Added support of “X-DNS-Prefetch-Control” header
  • Added support of “X-Permitted-Cross-Domain-Policies” header
  • Added support of Custom headers

1.7.1

Release Date – 18th August, 2017

  • PHP notice bugfixed

1.7.0

Release Date – 15th August, 2017

  • Added support of “Content-Security-Policy-Report-Only” header
  • Added support of “Public-Key-Pins-Report-Only” header
  • Added “1; report=” directive to the “X-XSS-Protection” header
  • Added “Inspect headers” tool
  • UI bugfixes

1.6.0

Release Date – 5th August, 2017

  • Added support of “Expect-CT” header

1.5.0

Release Date – 30th July, 2017

  • Added support of “Age” header
  • Added support of “Cache-Control” header
  • Added support of “Connection” header
  • Added support of “Content-Encoding” header
  • Added support of “Expires” header
  • Added support of “Pragma” header
  • Added support of “Vary” header
  • Added support of “WWW-Authenticate” header
  • Added support of “X-Powered-By” header
  • Added support of “Secure” and “HttpOnly” cookies

1.4.0

Release Date – 5th July, 2017

  • Added support of Apache (via htaccess) inclusion method

1.3.0

Release Date – 3rd June, 2017

  • Added support of Content-Security-Policy header
  • Added dashboard

1.2.0

Release Date – 28th April, 2017

  • Added support of Referrer-Policy header

1.1.2

Release Date – 13th February, 2017

  • Added support of ‘preload’ directive to HSTS header

1.1.1

Release Date – 8th November, 2016

  • Fixed typo in the X-Frame-Options header

1.1.0

Release Date – 20th May, 2016

  • Added support of P3P header

1.0.0

Release Date – 10th May, 2016

  • Initial version