=== HTTP Security Header ===
Contributors: mohitgoyal1108
Tags: http security, security headers, WordPress security, server security, clickjacking
Requires at least: 5.0
Tested up to: 6.7.1
Requires PHP: 7.0
Stable tag: 2.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Website: https://inspiredmonks.com

Add essential HTTP security headers to protect your WordPress site from attacks and improve security.

== Description ==

Security headers are essential for protecting your WordPress website against common attacks, including cross-site scripting (XSS), clickjacking, content sniffing, and certificate transparency issues. The Security Header plugin provides an easy interface to enable or disable essential security headers with just a few clicks.

**Note:** Some security headers may not be fully supported by older browsers. We recommend using modern browsers like Chrome, Edge, or Firefox for optimal compatibility.

**Key Features:**

* HTTP Strict Transport Security (HSTS)
* X-Frame-Options (Prevents clickjacking)
* X-Content-Type-Options (Prevents MIME-type sniffing)
* Referrer-Policy (Controls the referrer header information)
* Content-Security-Policy (Restricts unauthorized content loading to protect against attacks like XSS)
* X-XSS-Protection (Prevents Cross-Site Scripting attacks)
* Permissions-Policy (Merged with Feature-Policy to control browser features)
* X-Permitted-Cross-Domain-Policies (Restricts cross-domain resource sharing)
* Expect-CT (Enforces certificate transparency)
* Cross-Origin-Opener-Policy (Prevents cross-origin attacks by isolating browsing contexts)
* Cross-Origin-Resource-Policy (Restricts sharing of resources across different origins)
* Seamlessly compatible with WP-Rocket and similar caching plugins, ensuring that security headers remain effective.

Easily toggle each security header from the WordPress admin panel to improve the security of your website without requiring manual code changes.

== Screenshots ==

1. **With Plugin**: Your website is secured with essential security headers. ![With Plugin](assets/screenshot-success.png)
2. **Without Plugin**: Your website is vulnerable to various security threats. ![Without Plugin](assets/screenshot-failed.png)

== Features ==

* Easy-to-use settings page
* Add or remove essential HTTP security headers with just a click
* Supports all major security headers to secure your website
* Helps mitigate a wide range of security vulnerabilities
* Compatible with all WordPress themes and plugins
* Each security header can be enabled/disabled independently
* Directly modifies `.htaccess` for maximum server-level security

== Installation ==

1. Download the plugin and unzip the folder.
2. Upload the `security-header` folder to the `/wp-content/plugins/` directory.
3. Activate the plugin through the 'Plugins' menu in WordPress.
4. Go to **Settings > Security Headers** to configure the plugin options.

== Frequently Asked Questions ==

= What security headers can I enable with this plugin? =

You can enable the following security headers:

- HTTP Strict Transport Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Content-Security-Policy (CSP)
- X-XSS-Protection
- Permissions-Policy (Merged with Feature-Policy)
- X-Permitted-Cross-Domain-Policies
- Expect-CT
- Cross-Origin-Opener-Policy (COOP)
- Cross-Origin-Resource-Policy (CORP)

= Does this plugin work with WP-Rocket? =

Yes, the plugin is fully compatible with WP-Rocket. It ensures that security headers are preserved even when WP-Rocket caching is enabled by directly modifying the `.htaccess` file.

= Does this plugin work with all themes? =

Yes, this plugin works with all WordPress themes, as it modifies the HTTP headers sent by your web server without affecting the content or styling of your site.

= Does this plugin modify the .htaccess file directly? =

Yes, the plugin modifies the `.htaccess` file to set headers at the server level, ensuring maximum security. This method provides robust header implementation while maintaining compatibility with caching plugins.

= Are these headers compatible with all browsers? =

Most modern browsers, including Chrome, Edge, Firefox, and Safari, support these security headers. However, some older browsers may not fully support certain headers like Content-Security-Policy (CSP) or Permissions-Policy. To ensure maximum security, we recommend using a modern browser and checking header compatibility at [Can I Use](https://caniuse.com/).

= Is coding knowledge required to use this plugin? =

No coding knowledge is required. The plugin provides a simple admin interface where you can enable or disable headers with just a click.

= How do I know if the headers are working? =

You can use tools like [InspiredMonks.com](https://inspiredmonks.com/check-security-headers/) or browser developer tools to inspect the HTTP headers and confirm that your settings are applied correctly.

= What should I do if a security header is causing an issue? =

If a specific header is interfering with your website or a third-party service, you can disable it from the **Settings > Security Headers** page. Each header is independently configurable, so you can toggle only the ones you need.

= Does this plugin affect website performance? =

Adding security headers generally has a minimal impact on performance. The headers are small in size and add a negligible amount of data to each request. This plugin only sets headers at the server level without altering front-end content or site functionality.

= Can I use this plugin on a multisite installation? =

Yes, the Security Header plugin is compatible with WordPress multisite installations. However, you'll need to configure security headers individually for each site in the network.

= Will this plugin prevent all types of attacks? =

While security headers provide a robust layer of protection against specific attack vectors (e.g., XSS, clickjacking), they are not a complete security solution. Using this plugin in combination with other security practices, such as regular updates, strong passwords, and security plugins, is recommended.

= How do I uninstall the plugin, and what happens to the headers? =

To uninstall, simply deactivate and delete the plugin from the **Plugins** menu. All headers set by the plugin will be removed, restoring your website to its previous state.

== Changelog ==

= 2.2 =
* Merged Feature-Policy with Permissions-Policy.
* Enhanced `.htaccess` update mechanism for direct server-level security.
* Improved default Content-Security-Policy (CSP) with standardized directives.
* Fixed validation issues for Permissions-Policy.
* Resolved caching-related issues and added full compatibility with WP-Rocket.
* Bug fixes and compatibility updates.

= 2.1 =
* Added support for Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Resource-Policy (CORP) headers.
* Updated the plugin interface for improved user experience.
* Bug fixes and improvements.

= 2.0.3 =
* Minor improvements and compatibility updates.

= 2.0.2 =
* Updated plugin name to "HTTP Security Header".
* Minor improvements and compatibility updates.

= 2.0.1 =
* Added new screenshots to demonstrate website security before and after using the plugin.
* Updated the settings page layout to use a modern div-based structure instead of a table.
* Applied styling to checkboxes for a sleek, modern look.
* Improved overall user interface and experience on the admin dashboard.
* Minor bug fixes and code optimizations.

= 2.0 =
* Added Feature-Policy header.
* Updated prefixes to improve compatibility and prevent conflicts.
* Added protection to prevent direct file access.

= 1.0 =
* Initial release with core security headers: HSTS, X-Frame-Options, X-Content-Type-Options, and more.
* Added support for `X-Permitted-Cross-Domain-Policies`, `Expect-CT`, and `Permissions-Policy` headers.
* Enhanced security and stability.

== Upgrade Notice ==

= 2.2 =
Upgrade to version 2.2 for improved server-level security, seamless WP-Rocket compatibility, optimized Content-Security-Policy (CSP) handling, and unified Permissions-Policy support. After upgrading, save your plugin settings and clear your cache to apply the changes immediately.
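The FAQ entry "How do I know if the headers are working?" points at external checkers; the following added example (not part of the plugin) does the same check offline by parsing a raw response and reporting, for each of the eleven headers the plugin manages, whether it is missing, present, or present with a value that is commonly considered weak. SAMPLE and the thresholds (one-year HSTS max-age, no 'unsafe-' CSP keywords) are this example's own assumptions, not values the plugin ships.

```python
# Added example, not part of the plugin: audit a raw HTTP response for the eleven
# headers the plugin manages and flag missing or weak values (SAMPLE is constructed).
import re

EXPECTED = [  # header names as listed in the plugin README
    "Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options",
    "Referrer-Policy", "Content-Security-Policy", "X-XSS-Protection",
    "Permissions-Policy", "X-Permitted-Cross-Domain-Policies", "Expect-CT",
    "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy",
]

def _hsts(v):  # HSTS only helps with a long max-age; one year is the usual floor
    m = re.search(r"max-age=(\d+)", v)
    return None if m and int(m.group(1)) >= 31536000 else "max-age below one year"

WEAK = {  # lowercased value -> reason string when the value is weak, else None
    "Strict-Transport-Security": _hsts,
    "X-Frame-Options": lambda v: None if v in ("deny", "sameorigin") else "framing allowed",
    "X-Content-Type-Options": lambda v: None if v == "nosniff" else "not nosniff",
    "Content-Security-Policy": lambda v: "unsafe-inline/unsafe-eval present" if "'unsafe-" in v else None,
    "Referrer-Policy": lambda v: "unsafe-url leaks full URLs" if "unsafe-url" in v else None,
    "Cross-Origin-Opener-Policy": lambda v: "unsafe-none gives no isolation" if v == "unsafe-none" else None,
    "Cross-Origin-Resource-Policy": lambda v: "cross-origin allows any site" if v == "cross-origin" else None,
}

def parse_headers(raw):
    """Map header names (lowercased) to values; the status line is skipped."""
    out = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def audit(raw):
    """Return {header: 'missing' | 'ok' | 'weak: <reason>'} for each expected header."""
    h, report = parse_headers(raw), {}
    for name in EXPECTED:
        value = h.get(name.lower())
        reason = None if value is None else WEAK.get(name, lambda v: None)(value.lower())
        report[name] = "missing" if value is None else f"weak: {reason}" if reason else "ok"
    return report

SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
"""
```

Run `audit(SAMPLE)` to see five headers reported as missing and the CSP flagged for `'unsafe-inline'`; paste the header block from your browser's developer tools in place of SAMPLE to check a live site.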