Skip to content

Security Headers

Security Headers (PRO) tells modern browsers to enforce sensible safety rules - like blocking sneaky scripts and iframe tricks - with strong defaults you can tighten further for HSTS or content policies.

  • Emits selected headers on send_headers, login, admin, and REST responses.
  • Default-oriented toggles: X-Frame-Options (SAMEORIGIN), X-Content-Type-Options (nosniff), Referrer-Policy (value selectable).
  • X-XSS-Protection available but off by default (legacy; CSP preferred).
  • Optional HSTS with max-age and includeSubDomains (HTTPS only).
  • Optional Content-Security-Policy with report-only mode and custom policy text.
  • Headers are filterable via wpps_security_headers.

Enable it if:

  • The host does not already send a complete security header set.
  • You want clickjacking and MIME-sniffing protections with minimal setup.
  • You are ready to test CSP carefully (report-only first).

Default headers

  • Enable X-XSS-Protection (off by default)
  • Enable X-Frame-Options
  • Enable X-Content-Type-Options
  • Enable Referrer-Policy + value dropdown

Optional headers

  • Enable HSTS, Max-Age (seconds), Include subdomains
  • Enable Content-Security-Policy, Report-only mode, CSP value textarea
  1. Go to WP PowerSuite -> Modules -> Security.
  2. Toggle Security Headers on (PRO license required).
  3. Review default headers, enable optional HSTS/CSP only after staging tests, then save.
  • Enable X-Frame-Options and X-Content-Type-Options, save.
  • Load the front end and inspect response headers (browser devtools or curl).
  • ✅ Pass: X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff are present.
  • For CSP, enable report-only first and watch the console for violations.
  • ❌ Fail: check for CDN/host headers overriding or stripping values; configure headers in only one place.
  • Site broken after CSP. Turn on report-only or disable CSP; widen the policy for required third-party hosts.
  • HSTS locked browsers to HTTPS. Only enable HSTS when SSL is solid; includeSubDomains only if every subdomain supports HTTPS.
  • Duplicate headers. Remove the same header from Cloudflare/host config or from this module.
What does Security Headers do?

It sends configurable HTTP security headers such as X-Frame-Options, nosniff, Referrer-Policy, and optional HSTS/CSP.

Is Security Headers free?

No. It is a PRO module and requires an active license.

Should I enable HSTS immediately?

Only if the site is fully HTTPS. Misconfigured HSTS can prevent HTTP access from browsers that remember the policy.

Is CSP safe to turn on in enforce mode first?

No. Use report-only mode on staging first; enforce mode can block scripts, styles, and embeds.

How do I turn Security Headers off?

Go to WP PowerSuite -> Modules, find Security Headers, and toggle it off.

Developer notes (hooks & filters)

Source: modules/advanced-security-headers/module.php. Boot: critical · context: admin, frontend, login, rest.

Hooks: send_headers, login_init, admin_init, rest_pre_serve_request, rest_api_init. Filter: wpps_security_headers.