HTTP Security Header by Inspired Monks is a powerful WordPress plugin designed to protect your website by adding critical HTTP security headers, hardening your site against common attacks such as XSS, clickjacking, MIME sniffing, and more.
It provides a simple, flexible admin panel to enable, disable, and customize security headers without touching server configuration files manually.
Features
✅ Easy-to-use WordPress Admin UI
✅ Enable/Disable headers individually
✅ Set default or custom header values
✅ Reset settings to default recommendations
✅ Disable all headers with one click
✅ Auto-activate essential headers on activation and updates
✅ Automatic validation of custom header values
✅ Lightweight, no unnecessary overhead
✅ Fully compatible with WP Rocket and major caching plugins
✅ Multisite compatible
Supported Security Headers
| Header | Description | 
|---|---|
| Strict-Transport-Security (HSTS) | Enforces secure HTTPS connections | 
| X-Frame-Options | Protects against clickjacking | 
| X-Content-Type-Options | Prevents MIME-type sniffing | 
| Referrer-Policy | Controls referrer information sent by the browser | 
| Content-Security-Policy (CSP) | Prevents cross-site scripting (XSS) and data injection | 
| Permissions-Policy | Controls access to browser features like camera, location | 
| X-XSS-Protection | Controls the legacy browser XSS filter (kept for older browsers; modern browsers ignore it) | 
| X-Permitted-Cross-Domain-Policies | Restricts Adobe Flash cross-domain policy loading | 
| Expect-CT | Enforces Certificate Transparency | 
| Cross-Origin-Opener-Policy (COOP) | Isolates browsing contexts | 
| Cross-Origin-Resource-Policy (CORP) | Controls resource sharing between origins | 
| Cross-Origin-Embedder-Policy (COEP) | Securely loads cross-origin resources | 
Installation
- Download the plugin ZIP.
- Upload it via Plugins > Add New > Upload Plugin in WordPress admin.
- Activate the plugin.
- Navigate to Settings > Security Headers to configure.

Default Behavior After Activation
- The following important headers are automatically enabled with safe defaults:
  - HTTP Strict Transport Security (HSTS)
  - X-Frame-Options
  - X-Content-Type-Options
  - Referrer-Policy
- All other advanced headers (e.g., CSP, Permissions-Policy) are disabled initially and can be enabled manually as your needs require.

This ensures maximum compatibility without breaking your site.
Admin Panel Options
When you go to Settings → Security Headers, you will find:
1. Headers Configuration
   - Each header has three modes:
     - Disabled — No header will be sent
     - Default — Use a recommended default value
     - Custom — Enter your own custom header value

2. Save Settings
   - Save the current configuration.

3. Reset to Default
   - Resets important headers to “enabled” and disables all others.

4. Disable All Headers
   - Turns off all headers with a single click.

Header Validation Rules
The plugin automatically validates custom inputs before sending headers:
- `X-Frame-Options` must be `SAMEORIGIN`, `DENY`, or start with `ALLOW-FROM`.
- `X-Content-Type-Options` must be `nosniff`.
- `Referrer-Policy` must contain only lowercase letters and hyphens.
- `Content-Security-Policy` must contain `default-src` and `'self'`.
- `Permissions-Policy` must follow a `key=value()` structure.
- `Expect-CT` must contain `max-age=`.
- Cross-Origin headers must match allowed values (`same-origin`, `cross-origin`, `require-corp`, etc.).

Invalid custom values automatically fall back to the safe defaults.
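As an added example (not the plugin's own code), the block below shows how the validation rules above, the fall-back to the recommended defaults, and the PHP `send_headers` delivery mentioned in the FAQ fit together. The option name `im_security_headers`, the `im_` function names and the rule used for `Strict-Transport-Security` (the README states none) are assumptions; the default values are the README's recommended ones.

```php
<?php
// Added example, not the plugin's own code. Option name, function names and
// the HSTS rule are assumptions; defaults mirror the README's example table.

/** Recommended defaults used when a header is in "Default" mode or a custom value fails validation. */
const IM_HEADER_DEFAULTS = [
    'Strict-Transport-Security'     => 'max-age=63072000; includeSubDomains; preload',
    'X-Frame-Options'               => 'SAMEORIGIN',
    'X-Content-Type-Options'        => 'nosniff',
    'Referrer-Policy'               => 'strict-origin-when-cross-origin',
    'Content-Security-Policy'       => "default-src 'self';",
    'Permissions-Policy'            => 'geolocation=(), microphone=(), camera=()',
    'Expect-CT'                     => 'max-age=86400',
    'Cross-Origin-Opener-Policy'    => 'same-origin',
    'Cross-Origin-Resource-Policy'  => 'same-origin',
    'Cross-Origin-Embedder-Policy'  => 'require-corp',
];

/** True when $value is an acceptable custom value for $header (README rules). */
function im_header_value_is_valid(string $header, string $value): bool {
    $value = trim($value);
    // A header value is a single line: reject empty input and any CR/LF,
    // which would otherwise terminate the header block early.
    if ($value === '' || preg_match('/[\r\n]/', $value)) {
        return false;
    }
    switch ($header) {
        case 'X-Frame-Options':
            return in_array($value, ['SAMEORIGIN', 'DENY'], true)
                || strpos($value, 'ALLOW-FROM') === 0;
        case 'X-Content-Type-Options':
            return $value === 'nosniff';
        case 'Referrer-Policy':
            return (bool) preg_match('/^[a-z-]+$/', $value);
        case 'Content-Security-Policy':
            return strpos($value, 'default-src') !== false && strpos($value, "'self'") !== false;
        case 'Permissions-Policy':
            // One or more comma-separated "feature=(allowlist)" directives.
            return (bool) preg_match('/^[a-z-]+=\([^()]*\)(\s*,\s*[a-z-]+=\([^()]*\))*$/', $value);
        case 'Expect-CT':
            return strpos($value, 'max-age=') !== false;
        case 'Cross-Origin-Opener-Policy':
            return in_array($value, ['same-origin', 'same-origin-allow-popups', 'unsafe-none'], true);
        case 'Cross-Origin-Resource-Policy':
            return in_array($value, ['same-origin', 'same-site', 'cross-origin'], true);
        case 'Cross-Origin-Embedder-Policy':
            return in_array($value, ['require-corp', 'credentialless', 'unsafe-none'], true);
        case 'Strict-Transport-Security':
            // Assumed rule (the README lists none): max-age plus optional flags.
            return (bool) preg_match('/^max-age=\d+(;\s*(includeSubDomains|preload))*$/i', $value);
        default:
            return false; // unknown header name: never send it
    }
}

/**
 * Map one saved setting to the value to send, or null when disabled.
 * $setting is ['mode' => 'disabled'|'default'|'custom', 'value' => string].
 */
function im_resolve_header(string $header, array $setting): ?string {
    if (!isset(IM_HEADER_DEFAULTS[$header])) {
        return null;
    }
    $mode = $setting['mode'] ?? 'disabled';
    if ($mode === 'disabled') {
        return null;
    }
    $custom = (string) ($setting['value'] ?? '');
    if ($mode === 'custom' && im_header_value_is_valid($header, $custom)) {
        return trim($custom);
    }
    // "Default" mode, or an invalid custom value: fall back to the safe default.
    return IM_HEADER_DEFAULTS[$header];
}

// Emit the headers on send_headers; no .htaccess or filesystem access involved.
add_action('send_headers', function () {
    if (headers_sent()) {
        return; // output already started; header() would only log a notice
    }
    $settings = get_option('im_security_headers', []); // assumed option name
    foreach ((array) $settings as $header => $setting) {
        // HSTS is only honoured over HTTPS; skip it on plain-HTTP responses.
        if ($header === 'Strict-Transport-Security' && !is_ssl()) {
            continue;
        }
        $value = im_resolve_header((string) $header, (array) $setting);
        if ($value !== null) {
            header($header . ': ' . $value, true);
        }
    }
});
```

The validator deliberately returns `false` for anything it does not recognise, so a typo in a header name or a value with an embedded newline can never reach `header()`; the caller then sends the recommended default instead, which is the fall-back behaviour the section describes.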
Examples for Custom Values (Recommended Format)
| Header | Example Custom Value | 
|---|---|
| Strict-Transport-Security (HSTS) | max-age=63072000; includeSubDomains; preload | 
| X-Frame-Options | SAMEORIGIN or DENY or ALLOW-FROM https://example.com | 
| X-Content-Type-Options | nosniff | 
| Referrer-Policy | strict-origin-when-cross-origin | 
| Content-Security-Policy | default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' 'unsafe-inline'; | 
| Permissions-Policy | geolocation=(), microphone=(), camera=(), fullscreen=(self) | 
| X-XSS-Protection | 1; mode=block | 
| X-Permitted-Cross-Domain-Policies | none or master-only | 
| Expect-CT | max-age=86400, enforce, report-uri="https://your-report-collector.com/report" | 
| Cross-Origin-Opener-Policy | same-origin or same-origin-allow-popups | 
| Cross-Origin-Resource-Policy | same-origin or cross-origin | 
| Cross-Origin-Embedder-Policy | require-corp or unsafe-none | 
Important Notes for Custom Headers
- Always test carefully when applying a Content-Security-Policy (CSP) or Permissions-Policy.
- Misconfiguring CSP can block essential resources like CSS or JavaScript.
- Use tools like Google CSP Evaluator to validate complex CSPs.

Frequently Asked Questions
Q1. Will it break my site?
- No, critical headers are set to safe defaults.
- Advanced headers like Content-Security-Policy are disabled by default to avoid unexpected issues.

Q2. Is this plugin multisite compatible?
- Yes, each site on the network can configure headers independently.

Q3. Can I disable all headers?
- Yes, a “Disable All” button is available in the settings panel.

Q4. Does it modify my .htaccess?
- No. It sets headers dynamically via PHP (the WordPress `send_headers` hook).
- No filesystem access needed.
- Safe with all hosting providers.

Q5. Can I add custom CSP or Permissions-Policy?
- Yes. Select “Custom” for a header and enter your custom policy value in the input field.
 
Changelog Summary
| Version | Changes | 
|---|---|
| 3.0 | Major update. Auto-activate important headers. Disable advanced headers by default. Validation improvements. “Reset to Default” and “Disable All” functionality. | 
| 2.2 | Improved compatibility with WP Rocket. Optimized CSP. Updated Permissions-Policy. | 
| 2.1 | Added support for Cross-Origin headers. UI Enhancements. | 
| 2.0.3 | Minor fixes. | 
| 2.0.2 | Branding and name updates. | 
| 2.0.1 | Improved dashboard UI, added modern styling. | 
| 2.0 | Initial public release with feature headers support. | 
