=== BoundaryGuard Headers ===
Contributors: jsjack74
Tags: security, http-headers, csp, hsts, xss
Requires at least: 6.0
Tested up to: 6.9
Stable tag: 1.0.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Automatically enforces essential HTTP security headers to protect your site from XSS, clickjacking, and protocol downgrade attacks.

== Description ==

BoundaryGuard Headers enforces modern HTTP security headers to harden your WordPress site against XSS, clickjacking, mixed content, and cross-origin attacks.

**Key Features:**

* **Essential Protection:** Adds X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to reduce attack surface and prevent clickjacking.
* **HSTS (Strict Transport Security):** Tells browsers to use HTTPS only, which helps prevent protocol downgrade and man-in-the-middle attacks. Enable it only once the whole site is served over HTTPS: browsers cache the policy for the configured max-age, so any page that is still HTTP-only becomes unreachable for that period.
* **Advanced Isolation (COOP/COEP):** Enables Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy to achieve cross-origin isolation and mitigate certain side-channel attacks. Note that COEP blocks cross-origin resources that do not opt in via CORS or Cross-Origin-Resource-Policy headers, so check third-party embeds before enabling it.
* **Content Security Policy (CSP):** One of the strongest defenses against XSS. Includes a dashboard-based CSP builder with preset options to whitelist trusted sources for scripts, styles, images, and more.
* **CSP Report-Only Mode:** Test your policy safely. Violations are reported in the browser console without any resource being blocked.
* **Server Header Hardening:** Removes the `X-Powered-By` header that PHP adds, and limits exposure of the `Server` header where the hosting environment allows it (that header is set by the web server itself, not by PHP).
* **Lightweight and Fast:** Sends the headers from PHP for broad server compatibility and minimal performance impact.
* **No `.htaccess` Editing Required:** Works without modifying server configuration files.

Designed for developers and site owners who want stronger security without unnecessary complexity.

== External Services ==

This plugin provides a Content Security Policy (CSP) builder. To assist users, it includes "Preset Buttons" that allow users to quickly add domain names to their own CSP whitelist.
**This plugin DOES NOT connect to, load data from, or send data to these services automatically.**

The following third-party domains are referenced as presets within the admin dashboard for whitelisting purposes:

* Google Analytics (www.google-analytics.com) - Used for analytics tracking. [Privacy: https://policies.google.com/privacy]
* Google Tag Manager (www.googletagmanager.com) - Used for tag management. [Privacy: https://policies.google.com/privacy]
* Stripe (js.stripe.com, api.stripe.com) - Used for payment processing. [Privacy: https://stripe.com/privacy]
* Facebook (www.facebook.com, connect.facebook.net) - Used for social embeds. [Privacy: https://www.facebook.com/policy.php]
* YouTube (www.youtube.com, i.ytimg.com) - Used for video embeds. [Privacy: https://policies.google.com/privacy]
* Vimeo (player.vimeo.com) - Used for video embeds. [Privacy: https://vimeo.com/privacy]
* Gravatar (secure.gravatar.com) - Used for user avatars. [Privacy: https://automattic.com/privacy/]

== Installation ==

1. Upload the `boundaryguard-headers` folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Configure the settings from **Settings → BoundaryGuard Headers**.

== Frequently Asked Questions ==

= Does this plugin edit .htaccess? =

No. BoundaryGuard Headers sends the headers from PHP, which improves compatibility across different hosting environments. Because of this, the headers are applied to responses that WordPress generates; files served directly by the web server (images, CSS, JavaScript) and pages served from a full-page cache that bypasses PHP may not receive them unless the cache stores the headers too.

= Can I test Content Security Policy without breaking my site? =

Yes. The plugin includes a **CSP Report-Only Mode** that allows you to monitor policy violations without blocking any resources. Watch the browser console for violation reports while in this mode, then switch to enforcement once no legitimate resources are being reported.

= Will this affect site performance? =

No. The plugin is lightweight and adds negligible overhead, as headers are sent as part of the normal HTTP response.

== Changelog ==

= 1.0.0 =
* Initial release
* Added essential HTTP security headers
* Implemented HSTS support
* Added CSP builder with report-only mode
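== Developer Example ==

The following is an added illustration and is not code shipped with BoundaryGuard Headers. It shows the mechanism the Description and FAQ describe: a minimal must-use plugin that sends security headers from PHP on WordPress's `send_headers` action, builds a CSP value from a directive-to-sources map (the shape a builder with preset buttons produces, using some of the hosts listed under External Services), guards HSTS behind an HTTPS check, and switches between report-only and enforcing CSP. The `bg_demo_` function names and the `bg_demo_csp_report_only` and `bg_demo_enable_coep` filter names are hypothetical, and the directive values are illustrative defaults that must be adapted to the site.

```php
<?php
/**
 * Added example, not BoundaryGuard's own code: a must-use plugin
 * (placed in wp-content/mu-plugins/) that sends security headers from
 * PHP on the `send_headers` action. The bg_demo_* names and the two
 * filter hooks are hypothetical; adjust the CSP sources to your site.
 */

/**
 * CSP directives as directive => list of sources, the shape a dashboard
 * builder with "preset" buttons produces. The Stripe, YouTube, Vimeo and
 * Gravatar hosts mirror the presets listed in this readme.
 */
function bg_demo_csp_directives(): array {
	return [
		'default-src' => [ "'self'" ],
		'script-src'  => [ "'self'", 'https://js.stripe.com' ],
		'connect-src' => [ "'self'", 'https://api.stripe.com' ],
		'img-src'     => [ "'self'", 'data:', 'https://secure.gravatar.com', 'https://i.ytimg.com' ],
		// WordPress core and most themes inline styles; tighten this if your theme allows it.
		'style-src'   => [ "'self'", "'unsafe-inline'" ],
		'frame-src'   => [ 'https://js.stripe.com', 'https://www.youtube.com', 'https://player.vimeo.com' ],
		'object-src'  => [ "'none'" ],
		'base-uri'    => [ "'self'" ],
		'form-action' => [ "'self'" ],
	];
}

/** Serialise the map into a header value: "directive src src; directive src". */
function bg_demo_build_csp( array $directives ): string {
	$parts = [];
	foreach ( $directives as $name => $sources ) {
		$parts[] = $name . ' ' . implode( ' ', $sources );
	}
	return implode( '; ', $parts );
}

function bg_demo_send_headers(): void {
	// header() cannot add anything once output has started (e.g. an early PHP notice).
	if ( headers_sent() ) {
		return;
	}

	// Essential headers.
	header( 'X-Frame-Options: SAMEORIGIN' );
	header( 'X-Content-Type-Options: nosniff' );
	header( 'Referrer-Policy: strict-origin-when-cross-origin' );
	header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );

	// HSTS is only honoured on HTTPS responses and is cached by browsers for
	// max-age, so emit it only when the request itself arrived over TLS.
	if ( is_ssl() ) {
		header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	}

	// Cross-origin isolation. COOP alone is safe for most sites. COEP require-corp
	// blocks cross-origin subresources that lack CORS/CORP headers, so it stays
	// off unless a filter opts in after the embeds have been checked.
	header( 'Cross-Origin-Opener-Policy: same-origin' );
	if ( apply_filters( 'bg_demo_enable_coep', false ) ) {
		header( 'Cross-Origin-Embedder-Policy: require-corp' );
	}

	// CSP: report-only while testing (violations show in the browser console and
	// nothing is blocked), enforcing once the reports are clean.
	$report_only = (bool) apply_filters( 'bg_demo_csp_report_only', true );
	$header_name = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
	header( $header_name . ': ' . bg_demo_build_csp( bg_demo_csp_directives() ) );

	// X-Powered-By is added by PHP itself, so PHP can drop it. The Server header
	// comes from Apache/nginx and has to be reduced in the web server configuration.
	header_remove( 'X-Powered-By' );
}
add_action( 'send_headers', 'bg_demo_send_headers' );
```

The `send_headers` action fires for front-end requests handled by the main WordPress query, so admin pages and REST responses take other paths and would need their own hooks. To confirm what a visitor actually receives, request the page with `curl -sI https://example.com/` (an assumed URL) and check that the CSP, HSTS and isolation headers are present and that `X-Powered-By` is gone; a static file fetched the same way will show which headers the web server adds on its own.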