=== Fix It Easy Security Headers ===
Contributors: wpfixit
Donate link: https://www.wpfixit.com
Tags: security, headers, csp, hsts, referrer-policy
Requires at least: 5.8
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Configure core HTTP security headers for your WordPress site in a few clicks.

== Description ==

**WP Fix It Easy Security Headers** adds a simple page under **Tools → Security Headers** where you can toggle common HTTP security headers:

- **Strict-Transport-Security (HSTS)**
- **Content-Security-Policy (CSP)**
- **X-Frame-Options**
- **X-Content-Type-Options**
- **Referrer-Policy**
- **Permissions-Policy**

On activation, all headers are **enabled by default** and you're redirected to the settings screen.

For convenience, the settings page and the Plugins screen include a **"Check Headers"** button that opens SecurityHeaders.com with your site's URL prefilled (built dynamically from `home_url()`).

### Notes on CSP

This plugin ships with a **permissive** default CSP intended to "work everywhere" out of the box (it allows most external sources and inline code). A policy that broad blocks very little, so for stronger protection you should harden the directives for your specific site: restrict `script-src` to the hosts you actually load from, and replace `'unsafe-inline'` with nonces or hashes where your theme and plugins allow it.

### Key Features

- One-click toggles for popular headers
- Dynamic "Check Headers" scan link
- Uses the WordPress Settings API (nonce + capability checks)
- Output escaping and sanitization following PHPCS

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/fix-it-easy-security-headers/` or install via Plugins → Add New.
2. Activate the plugin.
3. You'll be redirected to **Tools → Security Headers**. Review and adjust the toggles as needed.
4. (Optional) Click **Check Headers** to verify your headers on SecurityHeaders.com.

== Frequently Asked Questions ==

= Where do I manage the settings? =

Go to **Tools → Security Headers**.

= What happens on activation? =

All header options are enabled and you're redirected once to the settings page.

= Will this break my site? =

Most headers are safe defaults. The provided CSP is intentionally permissive; it shouldn't block assets. For strict CSPs, tailor the directives to your stack and test before enforcing them.

= Can I use this on multisite? =

Yes. The "Check Headers" URL is derived from `home_url()`. The activation redirect is skipped for network/bulk activations.

= Why don't I see a "Settings saved" notice twice? =

The page prints only this plugin's scoped settings messages to avoid duplicate notices.

= Can I customize the CSP? =

Yes. You can modify the `$csp` string in `security_headers_add_headers()` to fit your site's needs.

== Screenshots ==

1. Settings screen with header toggles and "Check Headers" button.

== Changelog ==

= 1.1 =

* Initial release.
* Header toggles for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
* Activation enables all options and redirects to settings.
* Dynamic SecurityHeaders.com scan link.

== Upgrade Notice ==

= 1.0 =

First release. After updating, review **Tools → Security Headers** to confirm your preferred settings.
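The "Notes on CSP" section and the "Can I customize the CSP?" FAQ above say to harden the permissive default policy. The following is an added example, not the plugin's own code: it shows the permissive style of policy next to a strict, nonce-based one sent from WordPress's `send_headers` hook. It assumes a site whose scripts come only from itself plus one CDN (placeholder `cdn.example.com`) and that you first roll the strict policy out in report-only mode.

```php
<?php
// Added example, not part of the plugin. cdn.example.com is a placeholder host.

// Permissive "work everywhere" policy: wildcards plus 'unsafe-inline' and
// 'unsafe-eval' mean an injected <script> is still allowed to run.
const SH_EXAMPLE_PERMISSIVE_CSP =
    "default-src * data: blob:; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'";

// Set to true while testing: violations are reported, nothing is blocked.
const SH_EXAMPLE_REPORT_ONLY = true;

/** One nonce per request, shared by the header and every enqueued script tag. */
function sh_example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

/** Strict policy: explicit hosts, no wildcards, inline scripts only with the nonce. */
function sh_example_strict_csp( $nonce ) {
    $directives = array(
        "default-src 'self'",
        "script-src 'self' https://cdn.example.com 'nonce-{$nonce}'",
        "style-src 'self' 'unsafe-inline'",  // WP core still prints inline styles; tighten if your theme allows
        "img-src 'self' data: https:",
        "font-src 'self' https: data:",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'self'",            // CSP-era equivalent of X-Frame-Options: SAMEORIGIN
        "upgrade-insecure-requests",
    );
    return implode( '; ', $directives );
}

function sh_example_send_headers() {
    if ( headers_sent() ) {
        return; // too late to add headers; avoid a PHP warning
    }
    $csp_header = SH_EXAMPLE_REPORT_ONLY ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    header( $csp_header . ': ' . sh_example_strict_csp( sh_example_csp_nonce() ) );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
}
add_action( 'send_headers', 'sh_example_send_headers' );

// Stamp the same nonce onto every enqueued <script> so it passes the strict script-src.
add_filter( 'script_loader_tag', function ( $tag ) {
    return str_replace( '<script ', '<script nonce="' . esc_attr( sh_example_csp_nonce() ) . '" ', $tag );
} );
```

Watch the browser console (or a `report-to` endpoint if you add one) while in report-only mode, add any hosts the violations reveal, and only then switch `SH_EXAMPLE_REPORT_ONLY` to false.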