A comprehensive WordPress plugin that generates proper security HTTP response headers, creates Content Security Policy configurations, and sets browser permissions to help protect your website against various security threats.
The Security Header Generator plugin provides a simplified way to implement security headers for your WordPress website, helping to mitigate attacks such as Cross-Site Scripting (XSS), data injection, and other common web vulnerabilities. The plugin generates appropriate security HTTP response headers and attempts to create a valid Content Security Policy based on your site's configuration.
- Content Security Policy (CSP) - Comprehensive CSP configuration with WordPress defaults
- Cross-Origin Resource Policy (CORP) - Control how resources are shared across origins
- Permissions Policy - Configure browser feature permissions
- Access Control Headers - CORS configuration support
- Expect-CT Header - Certificate Transparency enforcement (note: browsers have deprecated Expect-CT and current versions ignore it, so sending it is harmless but no longer enforces anything)
- Upgrade Insecure Requests - Instructs browsers to fetch http: subresources over HTTPS (this is a CSP directive; it complements, but does not replace, a server-side HTTPS redirect and HSTS)
- Complete support for all modern CSP directives including:
script-src, style-src, img-src, font-src, connect-src, child-src, manifest-src, object-src, worker-src, script-src-elem, script-src-attr, style-src-elem, style-src-attr, base-uri, sandbox, and more
- Unsafe inline and unsafe eval settings for each directive (be aware that 'unsafe-inline' on script-src, or 'unsafe-eval', removes most of the XSS protection a CSP provides; use them only as a stopgap while inline code is moved to external files)
- WordPress defaults included for popular themes and plugins
- Configure permissions for modern browser APIs:
- Camera, microphone, geolocation
- Accelerometer, gyroscope, magnetometer
- USB, serial, HID device access
- Screen wake lock, idle detection
- Web Share, public-key credentials (WebAuthn)
- And many more
- Export/Import Settings - Backup and restore your configurations
- Documentation - Built-in help and guidance
- REST API Support - Apply CSP headers to WordPress REST API
- Admin Separation - Different header configurations for admin vs frontend
- Server Identity Removal - Remove response headers that advertise the server software
- Navigate to Plugins > Add New in your WordPress dashboard
- Search for "Security Header Generator"
- Click Install Now and then Activate
- Download the plugin zip file
- Upload and extract to /wp-content/plugins/security-header-generator/
- Activate the plugin through the Plugins menu in WordPress
- Download the plugin zip file
- Go to Plugins > Add New > Upload Plugin
- Choose the zip file and click Install Now
- Activate the plugin
- After activation, navigate to the plugin settings in your WordPress dashboard
- Start with the Standard Security Header tab to configure basic headers
- Use the Content Security Policy tab to configure CSP directives
- Check the Documentation tab for detailed guidance
Setting up CSP can be complex and requires careful attention:
- Initial Configuration: Browse your website thoroughly and track all external resources
- Add Sources: Include all legitimate sources in the plugin's CSP settings
- Test Thoroughly: Save settings and test your site functionality
- Iterate: Repeat the process multiple times to catch all resources
- Monitor: Some external resources load their own dependencies that won't appear until parent resources are allowed
Important: CSP configuration may require multiple iterations. External resources like iframes, scripts, and stylesheets can pull in their own external dependencies that won't be visible until the parent items are properly configured.
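The browse, add, test, iterate loop above is easier to run when the loads you observed are replayed against a candidate policy offline, so that each round shows exactly which resource is blocked and by which directive. The following standalone Python checker is an added example written for this README; it is not code from the Security Header Generator plugin. The site origin, policy string and list of observed loads are constructed for illustration, and the matcher implements the CSP3 host-source and fallback rules (script-src-elem falling back to script-src, frame-src to child-src, and everything to default-src) in simplified form: no nonce or hash evaluation, no redirect tracking, and no IPv6 hosts.

```python
"""Offline CSP checker: replay resource loads recorded while browsing a site
against a candidate Content-Security-Policy and list what would be blocked.
Added example for this README, not plugin code; the origin, policy and loads
below are constructed for illustration."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# CSP3 fallback order: the first directive present in the policy governs the load.
FALLBACKS = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
}

def parse_csp(header):
    """{directive: [source expressions]}; a repeated directive keeps its first copy."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def _scheme_ok(allowed, actual):
    # A policy scheme of http/ws also admits its secure counterpart.
    return allowed == actual or (allowed, actual) in {("http", "https"), ("ws", "wss")}

def _host_ok(pattern, host):
    if pattern.startswith("*."):           # *.example.com: subdomains only, not the apex
        return host.endswith(pattern[1:]) and len(host) > len(pattern[1:])
    return pattern == "*" or pattern == host

def _port_ok(pattern_port, url):
    actual = url.port or DEFAULT_PORTS.get(url.scheme)
    if not pattern_port:                   # no port in the policy: default port only
        return actual == DEFAULT_PORTS.get(url.scheme)
    return pattern_port == "*" or int(pattern_port) == actual

def _path_ok(pattern_path, path):
    if not pattern_path: return True       # no path: whole host
    return path.startswith(pattern_path) if pattern_path.endswith("/") else pattern_path == path

def source_matches(expr, url, origin):
    """True if one source expression permits url; origin is the page origin
    (scheme://host[:port]) that 'self' and scheme-less hosts refer to."""
    u, o = urlsplit(url), urlsplit(origin)
    if expr == "'self'":                   # same host and port; https pages also get wss
        schemes = {o.scheme} | ({"https", "wss"} if o.scheme == "https" else set())
        return (u.scheme in schemes and (u.hostname or "") == o.hostname
                and (u.port or DEFAULT_PORTS.get(u.scheme)) == (o.port or DEFAULT_PORTS.get(o.scheme)))
    if expr.startswith("'"):               # 'none', nonces, hashes, 'unsafe-*' never match a URL
        return False
    if expr == "*":                        # bare * excludes data:, blob:, filesystem:
        return u.scheme in DEFAULT_PORTS
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as data: or https:
        return _scheme_ok(expr[:-1].lower(), u.scheme)
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = o.scheme, expr      # scheme-less host inherits the page scheme
    hostport, slash, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    return (_scheme_ok(scheme.lower(), u.scheme) and _host_ok(host.lower(), u.hostname or "")
            and _port_ok(port, u) and _path_ok(slash + tail, u.path or "/"))

def effective_directive(policy, directive):
    """(name, sources) of the directive governing `directive` after fallback, or (None, None)."""
    for name in FALLBACKS.get(directive, [directive, "default-src"]):
        if name in policy:
            return name, policy[name]
    return None, None

def check_loads(header, origin, loads):
    """loads: (directive, url) pairs. Returns [(directive, url, governing directive)] for blocked loads."""
    policy = parse_csp(header)
    blocked = []
    for directive, url in loads:
        name, sources = effective_directive(policy, directive)
        if sources is not None and not any(source_matches(s, url, origin) for s in sources):
            blocked.append((directive, url, name))
    return blocked

def suggest_sources(blocked):
    """Origins to add per directive to clear the blocked loads (one iteration of the loop)."""
    out = {}
    for directive, url, _ in blocked:
        u = urlsplit(url)
        out.setdefault(directive, set()).add(f"{u.scheme}://{u.netloc}")
    return out

# Constructed sample: a WordPress front page and the loads seen while browsing it.
SITE_ORIGIN = "https://example.com"
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.net; "
                 "style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.gravatar.com; "
                 "font-src 'self' https://fonts.gstatic.com")
SAMPLE_LOADS = [
    ("script-src-elem", "https://example.com/wp-includes/js/jquery/jquery.min.js"),
    ("script-src-elem", "https://cdn.example.net/lib.js"),
    ("script-src-elem", "https://www.googletagmanager.com/gtag/js"),       # added by a theme
    ("img-src", "https://secure.gravatar.com/avatar/0123abcd"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ("style-src-elem", "https://fonts.googleapis.com/css2?family=Inter"),  # its CSS pulls fonts in round two
    ("font-src", "https://fonts.gstatic.com/s/inter/v12/x.woff2"),
    ("connect-src", "wss://example.com:8443/live"),                        # no connect-src -> default-src
    ("frame-src", "https://www.youtube.com/embed/xyz"),                    # no frame-src/child-src -> default-src
]

if __name__ == "__main__":
    blocked = check_loads(SAMPLE_POLICY, SITE_ORIGIN, SAMPLE_LOADS)
    for directive, url, governed_by in blocked:
        print(f"BLOCKED {directive:16} {url}  (by {governed_by})")
    for directive, origins in suggest_sources(blocked).items():
        print(f"add to {directive}: {' '.join(sorted(origins))}")
```

Running it on the constructed sample reports four blocked loads: the tag-manager script (by script-src), the Google Fonts stylesheet (by style-src), the WebSocket on a non-default port (by default-src, because 'self' only covers port 443), and the YouTube iframe (by default-src). Feed the observed loads from your own site, apply the suggested origins, browse again and re-run; the stylesheet case shows why several rounds are needed, since the fonts it references only appear in the next round's loads once the stylesheet itself is allowed. During this phase, sending the candidate policy as Content-Security-Policy-Report-Only instead of Content-Security-Policy lets browsers report violations without breaking the site.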
The plugin includes optimized WordPress defaults compatible with:
- Core WordPress (versions 5.6.10+)
- Popular Themes: Twenty Twenty series
- Popular Plugins: Gravity Forms
- WordPress: 5.6.10 or higher
- PHP: 8.1 or higher (PHP 8.4 compatible)
- WordPress Version Tested: Up to 6.9
This plugin provides a simplified way to set security headers for your website, helping to mitigate various types of attacks and improve your site's security posture.
A Content Security Policy is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
In the Standard Security Header tab, enable "upgrade insecure requests" and save your settings. This sends the upgrade-insecure-requests CSP directive, which makes browsers request http: subresources over https:; it does not redirect visitors to HTTPS, so keep your server-side HTTPS redirect and HSTS configuration in place as well.
Settings can be backed up and restored at any time: use the Export/Import Settings tab to export your configuration and import it again later or on another site.
Built-in documentation is available in the plugin settings under the Documentation tab.
For general support questions, please visit the WordPress.org plugin support forum.
For complex CSP configurations or professional assistance, contact the developer at: https://kevp.us/contact
Note: Due to the complexity and time required for proper CSP configuration, individual CSP setup assistance cannot be provided through the WordPress.org support forums.
The Security Header Generator is open source software. Contributions are welcome!
- Browse the code: Plugin Trac
- SVN Repository: Security Header Generator SVN
- Development Log: RSS Feed
Help translate the plugin into your language at WordPress Translate.
This plugin implements security best practices and is regularly updated to maintain compatibility with the latest WordPress versions and security standards. All headers and policies are implemented following current web security guidelines and MDN documentation.
This plugin is licensed under the GPL v3 or later.
Disclaimer: Proper security header configuration requires careful planning and testing. Always test thoroughly in a staging environment before applying to production sites. The complexity of Content Security Policy means multiple iterations may be required to achieve full compatibility with your site's resources.