=== Security Header ===
Contributors: mohitgoyal1108
Tags: website header, web headers, security headers, http response headers, add headers
Requires at least: 5.0
Tested up to: 6.6
Requires PHP: 7.0
Stable tag: 2.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Website: https://inspiredmonks.com

Add essential HTTP security headers to protect your WordPress site from attacks and improve security.

== Description ==

Security headers are essential for protecting your WordPress website against common attacks, including cross-site scripting (XSS), clickjacking, content sniffing, and certificate transparency issues. The Security Header plugin provides an easy interface to enable or disable essential security headers with just a few clicks.

**Key Features:**

* HTTP Strict Transport Security (HSTS)
* X-Frame-Options (Prevents clickjacking)
* X-Content-Type-Options (Prevents MIME-type sniffing)
* Referrer-Policy (Controls the referrer header information)
* Content-Security-Policy (Mitigates various attacks like XSS)
* X-XSS-Protection (Prevents Cross-Site Scripting attacks)
* Permissions-Policy (Controls browser features such as microphone, camera, etc.)
* X-Permitted-Cross-Domain-Policies (Restricts cross-domain resource sharing)
* Expect-CT (Enforces certificate transparency)
* Feature-Policy (Controls resource loading for various browser features)

Easily toggle each security header from the WordPress admin panel to improve the security of your website without requiring manual code changes.

== Screenshots ==

1. Screenshot of a website with security headers enabled.
![Security Header Example](assets/screenshot-1.png)
2. Screenshot of a website without security headers.
![No Security Header Example](assets/screenshot-2.png)

== Features ==

* Easy-to-use settings page
* Add or remove essential HTTP security headers with just a click
* Supports all major security headers to secure your website
* Helps mitigate a wide range of security vulnerabilities
* Compatible with all WordPress themes and plugins

== Installation ==

1. Download the plugin and unzip the folder.
2. Upload the `security-header` folder to the `/wp-content/plugins/` directory.
3. Activate the plugin through the 'Plugins' menu in WordPress.
4. Go to **Settings > Security Headers** to configure the plugin options.

== Frequently Asked Questions ==

**Q. What are security headers, and why are they important?**

A. Security headers are part of HTTP headers that provide instructions to the client’s browser about handling the content of a website. They help enhance security by mitigating various web vulnerabilities, such as cross-site scripting (XSS), clickjacking, and other injection attacks. Using security headers is essential for reducing the risk of attacks and enhancing user trust by enforcing secure connections and limiting the exposure of sensitive information.

**Q. How do I know if my website has security headers enabled?**

A. You can check if your website has security headers by using tools like [SecurityHeaders.com](https://securityheaders.com) or by inspecting your HTTP response headers in browser developer tools. These tools will show you which security headers are present and provide a security rating based on the configuration.

**Q. What security headers can I enable with this plugin?**

A. This plugin allows you to enable several key security headers:

* **HTTP Strict Transport Security (HSTS):** Ensures only secure connections to your website.
* **X-Frame-Options:** Prevents other websites from embedding your site in an iframe (protects against clickjacking).
* **X-Content-Type-Options:** Stops MIME-type sniffing, reducing the risk of code injection.
* **Referrer-Policy:** Controls how much referrer information browsers send when navigating away from your site.
* **Content-Security-Policy (CSP):** Mitigates XSS and other injection attacks by specifying allowed sources for content.
* **X-XSS-Protection:** Enables browser protection against reflected XSS attacks.
* **Permissions-Policy:** Controls access to features like camera, microphone, and geolocation.
* **X-Permitted-Cross-Domain-Policies:** Restricts cross-domain resource sharing.
* **Expect-CT:** Enforces certificate transparency.
* **Feature-Policy:** Controls browser feature access.

**Q. How do I use this plugin to add security headers to my website?**

A. Once the plugin is installed and activated, go to **Settings > Security Headers** in your WordPress dashboard. You’ll find an interface where you can enable or disable each security header with a simple toggle switch. Save your changes, and the selected headers will be applied to your website’s HTTP responses.

**Q. Does adding security headers affect website performance?**

A. Generally, adding security headers has a minimal impact on website performance. Security headers are small pieces of data that add minimal overhead to each request. This plugin applies headers server-side without altering front-end content, ensuring minimal impact on load times and user experience.

**Q. What should I do if a specific security header causes issues on my website?**

A. If a security header interferes with website functionality (e.g., embedded third-party content), you can disable the problematic header from the **Settings > Security Headers** page in WordPress. Each header is independently configurable, so you can enable only those that best suit your website’s needs.

**Q. Will this plugin prevent all types of attacks on my website?**

A. Security headers provide a robust layer of protection against specific attacks, such as XSS and clickjacking, but they do not offer complete protection. We recommend using this plugin alongside other security practices, such as regular updates, strong passwords, and additional security plugins, to create a comprehensive security strategy.

**Q. Are these security headers compatible with all browsers?**

A. Most modern browsers support security headers, but compatibility can vary for older browsers. If you are concerned about compatibility, you can check each header’s browser support on resources like [Can I Use](https://caniuse.com/). This plugin applies standardized header values optimized for broad compatibility across major browsers.

**Q. Does this plugin work with all themes and plugins?**

A. Yes, the Security Header plugin is compatible with all WordPress themes and plugins. It operates by adding HTTP headers at the server level, which does not interfere with your website's front-end code, content, or styling.

**Q. Do I need coding knowledge to use this plugin?**

A. No, coding knowledge is not required. The plugin includes a user-friendly interface, allowing you to enable or disable headers with just a click.

**Q. How do I uninstall this plugin, and what happens to the headers?**

A. To uninstall, deactivate and delete the plugin from the **Plugins** menu in WordPress. Once the plugin is removed, all security headers it added will no longer be applied, and your website will revert to its previous configuration.

**Q. I found an issue or have a feature request. Where can I report it?**

A. We welcome feedback! Please contact us through [Inspired Monks Contact Us](https://inspiredmonks.com/contact-us/) to report any issues or suggest new features. Your input helps us improve the plugin for everyone.

**Q. Can this plugin be used on a multisite WordPress installation?**

A. Yes, this plugin is compatible with WordPress multisite installations. You can configure security headers individually for each site within the network, giving each site a custom security setup.

== Changelog ==

= 2.0 =
* Added Feature-Policy header.
* Updated prefixes to improve compatibility and prevent conflicts.
* Added protection to prevent direct file access.

= 1.0 =
* Initial release with core security headers: HSTS, X-Frame-Options, X-Content-Type-Options, and more.
* Added support for `X-Permitted-Cross-Domain-Policies`, `Expect-CT`, and `Permissions-Policy` headers.
* Improved overall structure and security.
* Added `headers_sent()` checks to prevent "Headers already sent" errors.
* Added `isset()` checks to avoid "Undefined array key" warnings for uninitialized options.
* Enhanced security and stability.

== Upgrade Notice ==

= 2.0 =
Upgrade to the latest version for improved compatibility, additional Feature-Policy header support, and enhanced security.

== Other Notes ==

For more information or to get in touch with the developer, visit [Inspired Monks Website](https://inspiredmonks.com).
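The FAQ above suggests checking a site's HTTP response headers in the browser developer tools. As an added example (not part of the Security Header plugin), this Python script audits a pasted set of response headers against the ten headers the plugin manages, reporting which are missing and which present values are weaker than a common baseline; the sample response is constructed, and the baseline thresholds (a one-year HSTS `max-age`, no `'unsafe-inline'` in CSP, `DENY`/`SAMEORIGIN` for X-Frame-Options) are the editor's assumptions, not values the plugin sets.

```python
# The ten headers the plugin manages, in the order the readme lists them.
MANAGED_HEADERS = [
    "Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options",
    "Referrer-Policy", "Content-Security-Policy", "X-XSS-Protection",
    "Permissions-Policy", "X-Permitted-Cross-Domain-Policies", "Expect-CT", "Feature-Policy"]

def parse_headers(raw):
    """Raw 'Name: value' lines -> dict keyed by lower-cased name (names are case-insensitive)."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" in line:  # tolerates a leading status line or blank lines
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def weak_value(name, value):
    """Return why a present header is weaker than a safe baseline, or '' if it is fine."""
    v = value.lower()
    if name == "Strict-Transport-Security":
        age = v.partition("max-age=")[2].split(";")[0].strip()
        if not age.isdigit() or int(age) < 31536000:
            return "max-age shorter than one year"
    elif name == "X-Frame-Options" and v not in ("deny", "sameorigin"):
        return "value is neither DENY nor SAMEORIGIN"
    elif name == "X-Content-Type-Options" and v != "nosniff":
        return "value is not nosniff"
    elif name == "Content-Security-Policy" and "'unsafe-inline'" in v:
        return "allows 'unsafe-inline', which weakens the XSS mitigation"
    return ""

def audit(raw):
    """Classify each managed header as missing, weak (with a reason) or ok."""
    present = parse_headers(raw)
    report = {"missing": [], "weak": [], "ok": []}
    for name in MANAGED_HEADERS:
        value = present.get(name.lower())
        if value is None:
            report["missing"].append(name)
            continue
        reason = weak_value(name, value)
        report["weak" if reason else "ok"].append(f"{name}: {reason}" if reason else name)
    return report

# Constructed sample response: two headers set with weak values, five not set at all.
SAMPLE_RESPONSE = """Strict-Transport-Security: max-age=3600
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Referrer-Policy: strict-origin-when-cross-origin
"""
```

Paste the headers copied from the developer tools into `SAMPLE_RESPONSE` and call `audit()` to see which plugin toggles are still worth enabling on a given site.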