HTTP Headers


HTTP Headers gives you control over the HTTP headers returned by your blog or website.

Headers supported by HTTP Headers include:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Expose-Headers
  • Age
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Cache-Control
  • Clear-Site-Data
  • Connection
  • Content-Encoding
  • Expect-CT
  • Expires
  • Feature-Policy
  • Pragma
  • Public-Key-Pins
  • Public-Key-Pins-Report-Only
  • P3P
  • Referrer-Policy
  • Report-To
  • Strict-Transport-Security
  • Timing-Allow-Origin
  • Vary
  • WWW-Authenticate
  • X-Content-Type-Options
  • X-DNS-Prefetch-Control
  • X-Download-Options
  • X-Frame-Options
  • X-Permitted-Cross-Domain-Policies
  • X-Powered-By
  • X-UA-Compatible
  • X-XSS-Protection

The getting started tutorial describes a typical configuration of this plugin.


  • This screenshot shows the dashboard with categories of the supported headers.
  • This screenshot shows the headers of a chosen category and their current values.
  • This screenshot shows the settings page where you can adjust the security headers.
  • This screenshot shows the response headers returned by the web server.


Upload the HTTP Headers plugin to your blog. Then activate it.

That’s all.


Why use this plugin?

Nowadays the security of your social data on the web is essential. This plugin helps you improve your website's overall security.

Who uses these headers?

These HTTP headers are being used in production services by popular websites such as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram, Pinterest.


Excellent Security Feature

I am working with Akamai, but for a startup business using a WordPress platform this is the coolest security feature I've seen so far. Very good plugin. Thank you. I donate some money as well to keep going.

Works well.

Only 1 minor issue, warns "Unnecessary HSTS header over HTTP" and recommends removing it.

Got me an A+ for my Content Security Policy

After spending over a week studying the requirements to have a good website online with a CSP I found this WP plugin which gave me on a scale of A-F, an E, a D and then finally an A+ for our website Content Security Policy. A very essential plugin!

Contributors & Developers

“HTTP Headers” is open source software. The following people have contributed to this plugin.





Release Date – 9th January, 2019

  • Remove direct calls to cURL


Release Date – 5th January, 2019

  • Better handling of activate/deactivate functions


Release Date – 9th December, 2018

  • Added support of “Clear-Site-Data” header


Release Date – 6th November, 2018

  • Hotfix: parallel work with third-party plugins


Release Date – 30th September, 2018

  • Support of following Server APIs: CGI, FastCGI, PHP-FPM
  • Error handling improvement


Release Date – 8th August, 2018

  • HSTS improvement
  • CORS improvement


Release Date – 31st July, 2018

  • Export feature bug-fixed


Release Date – 18th July, 2018

  • Feature-Policy header update: new features added


Release Date – 17th July, 2018

  • Added support of “Feature-Policy” header


Release Date – 12th July, 2018

  • CORS bugfix


Release Date – 13th January, 2018

  • In-plugin security improvement


Release Date – 10th January, 2018

  • Bug fix


Release Date – 4th January, 2018

  • Security improvements


Release Date – 27th December, 2017

  • Updated translations


Release Date – 23rd December, 2017

  • Added support of “Report-To” header
  • Added support of translations
  • Added support of Import/Export
  • Updated “Content-Security-Policy” header (added directives: object-src, frame-src, worker-src, manifest-src, base-uri, report-to)
  • Updated “WWW-Authenticate” header (support multiple users)
  • Updated “Access-Control” headers (added list of origins)


Release Date – 31st August, 2017

  • Added support of “Timing-Allow-Origin” header
  • Added support of “X-Download-Options” header
  • Added support of “X-DNS-Prefetch-Control” header
  • Added support of “X-Permitted-Cross-Domain-Policies” header
  • Added support of Custom headers


Release Date – 18th August, 2017

  • PHP notice bugfixed


Release Date – 15th August, 2017

  • Added support of “Content-Security-Policy-Report-Only” header
  • Added support of “Public-Key-Pins-Report-Only” header
  • Added “1; report=” directive to the “X-XSS-Protection” header
  • Added “Inspect headers” tool
  • UI bugfixes


Release Date – 5th August, 2017

  • Added support of “Expect-CT” header


Release Date – 30th July, 2017

  • Added support of “Age” header
  • Added support of “Cache-Control” header
  • Added support of “Connection” header
  • Added support of “Content-Encoding” header
  • Added support of “Expires” header
  • Added support of “Pragma” header
  • Added support of “Vary” header
  • Added support of “WWW-Authenticate” header
  • Added support of “X-Powered-By” header
  • Added support of “Secure” and “HttpOnly” cookies


Release Date – 5th July, 2017

  • Added support of Apache (via htaccess) inclusion method


Release Date – 3rd June, 2017

  • Added support of Content-Security-Policy header
  • Added dashboard


Release Date – 28th April, 2017

  • Added support of Referrer-Policy header


Release Date – 13th February, 2017

  • Added support of ‘preload’ directive to HSTS header


Release Date – 8th November, 2016

  • Fixed typo in the X-Frame-Options header


Release Date – 20th May, 2016

  • Added support of P3P header


Release Date – 10th May, 2016

  • Initial version