April 29, 2025

HTTP Security Header Plugin Documentation

Learn how to secure your WordPress site with the HTTP Security Header plugin. Easy setup, enable essential HTTP headers, prevent XSS, clickjacking, and boost your website security in minutes.

HTTP Security Header by Inspired Monks is a powerful WordPress plugin designed to protect your website by adding critical HTTP security headers, hardening your site against common attacks such as XSS, clickjacking, MIME sniffing, and more.

It provides a simple, flexible admin panel to enable, disable, and customize security headers without touching server configuration files manually.

Features

✅ Easy-to-use WordPress Admin UI
✅ Enable/Disable headers individually
✅ Set default or custom header values
✅ Reset settings to default recommendations
✅ Disable all headers with one click
✅ Auto-activate essential headers on activation and updates
✅ Automatic validation of custom header values
✅ Lightweight, no unnecessary overhead
✅ Fully compatible with WP Rocket and major caching plugins
✅ Multisite compatible

Supported Security Headers

Header                               | Description
Strict-Transport-Security (HSTS)     | Enforces secure HTTPS connections
X-Frame-Options                      | Protects against clickjacking
X-Content-Type-Options               | Prevents MIME-type sniffing
Referrer-Policy                      | Controls referrer information sent by the browser
Content-Security-Policy (CSP)        | Prevents cross-site scripting (XSS) and data injection
Permissions-Policy                   | Controls access to browser features like camera, location
X-XSS-Protection                     | Cross-site scripting filter (legacy support)
X-Permitted-Cross-Domain-Policies    | Restricts Adobe Flash cross-domain policy loading
Expect-CT                            | Enforces Certificate Transparency
Cross-Origin-Opener-Policy (COOP)    | Isolates browsing contexts
Cross-Origin-Resource-Policy (CORP)  | Controls resource sharing between origins
Cross-Origin-Embedder-Policy (COEP)  | Securely loads cross-origin resources

Installation

  1. Download the plugin ZIP.
  2. Upload it via Plugins > Add New > Upload Plugin in WordPress admin.
  3. Activate the plugin.
  4. Navigate to Settings > Security Headers to configure.

Default Behavior After Activation

  • The following important headers are automatically enabled with safe defaults:
    • HTTP Strict Transport Security (HSTS)
    • X-Frame-Options
    • X-Content-Type-Options
    • Referrer-Policy
  • All other advanced headers (e.g., CSP, Permissions-Policy) are disabled initially and can be manually enabled as per your needs.

This ensures maximum compatibility without breaking your site.

Admin Panel Options

When you go to Settings → Security Headers, you will find:

1. Headers Configuration

  • Each header has:
    • Disabled — No header will be sent
    • Default — Use a recommended default value
    • Custom — Enter your own custom header value

2. Save Settings

  • Save the current configuration.

3. Reset to Default

  • Resets important headers to "enabled" and disables all others.

4. Disable All Headers

  • Turns off all headers with a single click.

Header Validation Rules

The plugin automatically validates custom inputs before sending headers:

  • X-Frame-Options must be SAMEORIGIN, DENY, or start with ALLOW-FROM.
  • X-Content-Type-Options must be nosniff.
  • Referrer-Policy must contain only lowercase letters and hyphens.
  • Content-Security-Policy must contain default-src and 'self'.
  • Permissions-Policy must follow a key=value() structure.
  • Expect-CT must contain max-age=.
  • Cross-Origin headers must match allowed values (same-origin, cross-origin, require-corp, etc.).

Invalid custom values automatically fall back to safe defaults.
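The validation rules listed above, implemented as a stand-alone PHP validator that falls back to a safe default when a custom value does not pass. This is an added example, not the plugin's own code; the function names, the default values and the exact allowed lists for the Cross-Origin headers are assumptions for the illustration. It also rejects any value containing a CR or LF, since such a value would be emitted as a second header line.

```php
<?php
// Added example (not the plugin's code): validate custom header values against the
// rules on this page and fall back to a safe default when a value fails.

// Assumed safe defaults, drawn from the recommended values on this page.
function hsh_safe_defaults(): array {
    return [
        'Strict-Transport-Security'    => 'max-age=63072000; includeSubDomains',
        'X-Frame-Options'              => 'SAMEORIGIN',
        'X-Content-Type-Options'       => 'nosniff',
        'Referrer-Policy'              => 'strict-origin-when-cross-origin',
        'Content-Security-Policy'      => "default-src 'self'",
        'Permissions-Policy'           => 'geolocation=(), microphone=(), camera=()',
        'Expect-CT'                    => 'max-age=86400',
        'Cross-Origin-Opener-Policy'   => 'same-origin',
        'Cross-Origin-Resource-Policy' => 'same-origin',
        'Cross-Origin-Embedder-Policy' => 'require-corp',
    ];
}

// Returns true when $value satisfies the rule this page states for $header.
function hsh_is_valid(string $header, string $value): bool {
    $value = trim($value);
    // Empty values and embedded line breaks are never acceptable in a header value.
    if ($value === '' || preg_match('/[\r\n]/', $value)) {
        return false;
    }
    switch ($header) {
        case 'X-Frame-Options':
            $upper = strtoupper($value);
            return $upper === 'SAMEORIGIN' || $upper === 'DENY'
                || strncmp($upper, 'ALLOW-FROM ', 11) === 0;
        case 'X-Content-Type-Options':
            return strtolower($value) === 'nosniff';
        case 'Referrer-Policy':
            return (bool) preg_match('/^[a-z-]+$/', $value);
        case 'Content-Security-Policy':
            return strpos($value, 'default-src') !== false && strpos($value, "'self'") !== false;
        case 'Permissions-Policy':
            // Comma-separated feature=(allowlist) entries, e.g. camera=() or fullscreen=(self).
            return (bool) preg_match('/^\s*[a-z-]+=\([^()]*\)(\s*,\s*[a-z-]+=\([^()]*\))*\s*$/', $value);
        case 'Expect-CT':
            return strpos($value, 'max-age=') !== false;
        case 'Cross-Origin-Opener-Policy':
            return in_array($value, ['same-origin', 'same-origin-allow-popups', 'unsafe-none'], true);
        case 'Cross-Origin-Resource-Policy':
            return in_array($value, ['same-origin', 'same-site', 'cross-origin'], true);
        case 'Cross-Origin-Embedder-Policy':
            return in_array($value, ['require-corp', 'unsafe-none'], true);
        default:
            return true; // headers with no listed rule are sent as entered
    }
}

// The value that will actually be sent: the custom value if valid, else the safe default.
function hsh_sanitize(string $header, string $value): string {
    if (hsh_is_valid($header, $value)) {
        return trim($value);
    }
    return hsh_safe_defaults()[$header] ?? '';
}

// Constructed inputs: the invalid ones fall back to the defaults above.
$checks = [
    ['X-Frame-Options',         'DENY'],                 // valid
    ['X-Frame-Options',         'ALLOWALL'],             // invalid, becomes SAMEORIGIN
    ['Referrer-Policy',         'no-referrer'],          // valid
    ['Referrer-Policy',         'No Referrer'],          // uppercase and space, becomes default
    ['Content-Security-Policy', "script-src 'self'"],    // no default-src, becomes default
    ['Permissions-Policy',      'camera=(), fullscreen=(self)'], // valid
];
foreach ($checks as [$h, $v]) {
    printf("%-24s %-30s => %s\n", $h, $v, hsh_sanitize($h, $v));
}
```

Run it with `php validate.php`; the output shows each constructed input next to the value that would be sent. The Referrer-Policy and Permissions-Policy checks use the same restricted character classes the page describes, so a value with stray capitals or spaces is rejected rather than passed through.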

Examples for Custom Values (Recommended Format)

Header                            | Example Custom Value
Strict-Transport-Security (HSTS)  | max-age=63072000; includeSubDomains; preload
X-Frame-Options                   | SAMEORIGIN or DENY or ALLOW-FROM https://example.com
X-Content-Type-Options            | nosniff
Referrer-Policy                   | strict-origin-when-cross-origin
Content-Security-Policy           | default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' 'unsafe-inline';
Permissions-Policy                | geolocation=(), microphone=(), camera=(), fullscreen=(self)
X-XSS-Protection                  | 1; mode=block
X-Permitted-Cross-Domain-Policies | none or master-only
Expect-CT                         | max-age=86400, enforce, report-uri="https://your-report-collector.com/report"
Cross-Origin-Opener-Policy        | same-origin or same-origin-allow-popups
Cross-Origin-Resource-Policy      | same-origin or cross-origin
Cross-Origin-Embedder-Policy      | require-corp or unsafe-none

Important Notes for Custom Headers

  • Always test carefully when applying a Content-Security-Policy (CSP) or Permissions-Policy.
  • Misconfiguring CSP can block essential resources like CSS or JavaScript.
  • Use tools like Google CSP Evaluator to validate complex CSPs.

Frequently Asked Questions

Q1. Will it break my site?

  • No, critical headers are set to safe defaults.
  • Advanced headers like Content-Security-Policy are disabled by default to avoid unexpected issues.

Q2. Is this plugin multisite compatible?

  • Yes, each site on the network can configure headers independently.

Q3. Can I disable all headers?

  • Yes, a "Disable All" button is available in the settings panel.

Q4. Does it modify my .htaccess?

  • No. It sets headers dynamically via PHP (WordPress send_headers hook).
  • No filesystem access needed.
  • Safe with all hosting providers.
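How the "Default Behavior After Activation" and the send_headers answer above fit together, shown as an added PHP example that is not the plugin's own code. It registers a callback on the WordPress `send_headers` action, reads a per-header mode (Disabled / Default / Custom) from a settings array, and emits only the headers that are enabled. The option name `hsh_example_settings`, the array layout and the default values are assumptions for this illustration; `get_option`, `is_ssl` and `add_action` are the standard WordPress functions.

```php
<?php
// Added example (not the plugin's code): emit security headers from the
// WordPress send_headers hook without touching .htaccess or any other file.

// Safe defaults for the four headers this page says are enabled on activation.
function hsh_example_defaults(): array {
    return [
        'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains',
        'X-Frame-Options'           => 'SAMEORIGIN',
        'X-Content-Type-Options'    => 'nosniff',
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
    ];
}

// Assumed settings layout: one entry per header with a mode and an optional custom value.
function hsh_example_settings(): array {
    $defaults = [];
    foreach (hsh_example_defaults() as $name => $_) {
        $defaults[$name] = ['mode' => 'default', 'value' => ''];
    }
    // Advanced headers start disabled, as the page describes.
    $defaults['Content-Security-Policy'] = ['mode' => 'disabled', 'value' => ''];
    $defaults['Permissions-Policy']      = ['mode' => 'disabled', 'value' => ''];

    $saved = get_option('hsh_example_settings', []); // assumed option name
    return array_merge($defaults, is_array($saved) ? $saved : []);
}

function hsh_example_send_headers(): void {
    if (headers_sent()) {
        return; // output already started; headers can no longer be added
    }
    $defaults = hsh_example_defaults();
    foreach (hsh_example_settings() as $name => $cfg) {
        $value = '';
        if ($cfg['mode'] === 'default') {
            $value = $defaults[$name] ?? '';
        } elseif ($cfg['mode'] === 'custom') {
            $value = trim((string) $cfg['value']);
        }
        // Disabled mode, an empty value, or an embedded line break: send nothing.
        if ($value === '' || preg_match('/[\r\n]/', $value)) {
            continue;
        }
        // HSTS is only honoured by browsers on HTTPS responses; skip it on plain HTTP.
        if ($name === 'Strict-Transport-Security' && !is_ssl()) {
            continue;
        }
        header($name . ': ' . $value, true); // true replaces any earlier header of the same name
    }
}
add_action('send_headers', 'hsh_example_send_headers');
```

Because the headers are produced by PHP, they appear on every response WordPress itself renders. A caching layer that serves stored files without invoking PHP does not run this hook for those responses, so when checking the result in browser developer tools, look at both a fresh page and a cached one.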

Q5. Can I add custom CSP or Permissions-Policy?

  • Yes. Select "Custom" for a header and enter your custom policy value in the input field.

Changelog Summary

Version | Changes
3.0     | Major update. Auto-activate important headers. Disable advanced headers by default. Validation improvements. "Reset to Default" and "Disable All" functionality.
2.2     | Improved compatibility with WP Rocket. Optimized CSP. Updated Permissions-Policy.
2.1     | Added support for Cross-Origin headers. UI enhancements.
2.0.3   | Minor fixes.
2.0.2   | Branding and name updates.
2.0.1   | Improved dashboard UI, added modern styling.
2.0     | Initial public release with feature headers support.

Download & Support

Get in Touch

We'd love to hear from you. Please reach out to us at +91 7409641838.
