HTTP Headers


HTTP Headers gives you control over the HTTP headers returned by your blog or website.

Headers supported by HTTP Headers include:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Expose-Headers
  • Age
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Cache-Control
  • Clear-Site-Data
  • Connection
  • Content-Encoding
  • Content-Type
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • Expect-CT
  • Expires
  • Feature-Policy
  • NEL
  • Permissions-Policy
  • Pragma
  • P3P
  • Referrer-Policy
  • Report-To
  • Strict-Transport-Security
  • Timing-Allow-Origin
  • Vary
  • WWW-Authenticate
  • X-Content-Type-Options
  • X-DNS-Prefetch-Control
  • X-Download-Options
  • X-Frame-Options
  • X-Permitted-Cross-Domain-Policies
  • X-Powered-By
  • X-Robots-Tag
  • X-UA-Compatible
  • X-XSS-Protection


  • This screenshot shows the dashboard with the categories of supported headers.
  • This screenshot shows the headers of a chosen category and their current values.
  • This screenshot shows the settings page where you can adjust the security headers.
  • This screenshot shows the response headers returned by the web server.


Upload the HTTP Headers plugin to your blog. Then activate it.

That’s all.


Why use this plugin?

Nowadays, the security of your social data on the web is essential. This plugin helps you improve your website's overall security.

Who uses these headers?

These HTTP headers are used in production services by popular websites such as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram, Pinterest.


24 November 2022
Used this for years, it has been great but it needs updating for recent WP releases, and in particular for PHP 8.1 - there is some code that relied on earlier versions of PHP being forgiving or some common coding issues, which now breaks on an up to date system.
10 October 2022
Enhances the security of a WordPress site. Thanks to the developer for making this useful plugin, hope he actively maintains this plugin.
21 March 2022
Not sure what's up with this, but every single save I made crashed my site. I rolled back and tried another setting... crashed my site. I removed the plugin, but I'll try it on another site and see what happens.
24 February 2022 1 reply
So, the plugin documentation doesn't do enough to communicate to a new user HOW it controls the HTTP response headers. It needs to talk about how it creates a .htaccess file for Apache web servers by default, and how it can be configured to modify a .user.ini file for PHP-FastCGI. It should also talk about how it produces configuration directives for NGINX web server, but you have to manually copy those directives into your web server's config file or it won't do anything. Since I use NGINX, this wasn't what we wanted, because we cannot cut Devops out of the process of adding/removing HTTP Headers. We want the business to be able to simply add a header to wordpress and be done. I just don't understand one thing. Why isn't it an option to just have the HTTP Header plugin make header('{header_name}: {header_value}'); calls within PHP for each request, instead of modifying a configuration file, so that it doesn't matter what web server you are using? And if it's not possible to add the headers with PHP code, then why can't we specify the location of the nginx.conf file for the plugin to modify, like we can for the .htaccess and .user.ini files?
Read all 60 reviews

Contributors and developers

"HTTP Headers" is open source software. The following people have contributed to this plugin.


"HTTP Headers" has been translated into 2 locales. Thank you to the translators for their contributions.

Translate "HTTP Headers" into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog


Release Date – 28th May, 2023

  • Fixed: Remote Code Execution by an Admin user
  • Removed: Import/Export functions


Release Date – 23rd April, 2023

  • Fixed: Remote Code Execution by an Admin user


Release Date – 17th April, 2023

  • Fixed: SQL Injection by an Admin user
  • Fixed: Remote Code Execution by an Admin user
  • A few PHP 8.x compatibility fixes


Release Date – 24th January, 2023

  • Fix CSP default value


Release Date – 22nd January, 2023

  • PHP 8 compatibility changes


Release Date – 30th April, 2021

  • Configurable paths to the files that store passwords for basic/digest auth
  • Fixed an issue with plugin activation due to a missing file


Release Date – 30th April, 2021

  • Initial value of X-Robots-Tag fixed


Release Date – 30th April, 2021

  • Added “X-Robots-Tag” header
  • Added “interest-cohort”, “layout-animations”, “legacy-image-formats”, “oversized-images”, and “wake-lock” directive to “Permissions-Policy” header
  • Added “cross-origin” value to “Cross-Origin-Resource-Policy” header
  • Added “navigate-to” and “prefetch-src” directives to “Content-Security-Policy” header


Release Date – 24th April, 2021

  • Configurable paths to .htaccess and .user.ini files


Release Date – 29th October, 2020

  • Added “allow-downloads” and “allow-top-navigation-by-user-activation” to “sandbox” directive, part of CSP


Release Date – 20th September, 2020

  • Added “Permissions-Policy” header
  • Fixed “Cookie Security”


Release Date – 26th July, 2020

  • Added “Cross-Origin-Embedder-Policy” header
  • Added “Cross-Origin-Opener-Policy” header


Release Date – 23rd July, 2020

  • Fixed JS/CSS versioning


Release Date – 23rd July, 2020

  • Added the “NEL” header
  • Fixed the “Report-To” header


Release Date – 18th June, 2020

  • Fixed a PHP Notice at “Expires” page
  • Fixed comments in .user.ini file


Release Date – 9th May, 2020

  • Fixed the “Access-Control-Allow-Origin” header


Release Date – 26th January, 2020

  • Added the “Cross-Origin-Resource-Policy” header
  • Removed the “Public-Key-Pins” header


Release Date – 25th November, 2019

  • CORS headers updated (added “Vary: Origin”)


Release Date – 15th September, 2019

  • Simple filtering was replaced with Dynamic filtering


Release Date – 1st September, 2019

  • Added the “Content-Type” header
  • Fixed the “Access-Control-Allow-Credentials” header
  • Improvement to “Access-Control-Allow-Headers” header
  • Improvement to “Access-Control-Allow-Methods” header
  • Improvement to “Access-Control-Expose-Headers” header
  • Improvement to “Cache-Control” header
  • Improvement to “Vary” header


Release Date – 14th July, 2019

  • Added the “always” condition to Header (unset) directive
  • Fixed the “import” function
  • Fixed the “Access-Control-Allow-Origin” header


Release Date – 16th June, 2019

  • Bugfix in “WWW-Authenticate” header
  • Added support of Apache 2.4


Release Date – 13th June, 2019

  • Bugfix in “Content-Encoding” header
  • Bugfix in “Vary” header


Release Date – 8th June, 2019

  • Added Brotli compression


Release Date – 7th June, 2019

  • Added “SameSite” to Cookie Security
  • Fixed import/export function
  • Code refactoring


Release Date – 5th April, 2019

  • UI improvement for Content-Security-Policy
  • Fix for Access-Control-Allow-Headers
  • Fix for Access-Control-Allow-Origin
  • Fix for Feature-Policy


Release Date – 9th January, 2019

  • Remove direct calls to cURL


Release Date – 5th January, 2019

  • Better handling of activate/deactivate functions


Release Date – 9th December, 2018

  • Added support of “Clear-Site-Data” header


Release Date – 6th November, 2018

  • Hotfix: parallel work with third-party plugins


Release Date – 30th September, 2018

  • Support for the following Server APIs: CGI, FastCGI, PHP-FPM
  • Error handling improvement


Release Date – 8th August, 2018

  • HSTS improvement
  • CORS improvement


Release Date – 31st July, 2018

  • Fixed a bug in the Export feature


Release Date – 18th July, 2018

  • Feature-Policy header update: new features added


Release Date – 17th July, 2018

  • Added support of “Feature-Policy” header


Release Date – 12th July, 2018

  • CORS bugfix


Release Date – 13th January, 2018

  • In-plugin security improvement


Release Date – 10th January, 2018

  • Bug fix


Release Date – 4th January, 2018

  • Security improvements


Release Date – 27th December, 2017

  • Updated translations


Release Date – 23rd December, 2017

  • Added support of “Report-To” header
  • Added support of translations
  • Added support of Import/Export
  • Updated “Content-Security-Policy” header (added directives: object-src, frame-src, worker-src, manifest-src, base-uri, report-to)
  • Updated “WWW-Authenticate” header (support multiple users)
  • Updated “Access-Control” headers (added list of origins)


Release Date – 31st August, 2017

  • Added support of “Timing-Allow-Origin” header
  • Added support of “X-Download-Options” header
  • Added support of “X-DNS-Prefetch-Control” header
  • Added support of “X-Permitted-Cross-Domain-Policies” header
  • Added support of Custom headers


Release Date – 18th August, 2017

  • Fixed a PHP notice


Release Date – 15th August, 2017

  • Added support of “Content-Security-Policy-Report-Only” header
  • Added support of “Public-Key-Pins-Report-Only” header
  • Added “1; report=” directive to the “X-XSS-Protection” header
  • Added “Inspect headers” tool
  • UI bugfixes


Release Date – 5th August, 2017

  • Added support of “Expect-CT” header


Release Date – 30th July, 2017

  • Added support of “Age” header
  • Added support of “Cache-Control” header
  • Added support of “Connection” header
  • Added support of “Content-Encoding” header
  • Added support of “Expires” header
  • Added support of “Pragma” header
  • Added support of “Vary” header
  • Added support of “WWW-Authenticate” header
  • Added support of “X-Powered-By” header
  • Added support of “Secure” and “HttpOnly” cookies


Release Date – 5th July, 2017

  • Added support of Apache (via htaccess) inclusion method


Release Date – 3rd June, 2017

  • Added support of Content-Security-Policy header
  • Added dashboard


Release Date – 28th April, 2017

  • Added support of Referrer-Policy header


Release Date – 13th February, 2017

  • Added support of ‘preload’ directive to HSTS header


Release Date – 8th November, 2016

  • Fixed typo in the X-Frame-Options header


Release Date – 20th May, 2016

  • Added support of P3P header


Release Date – 10th May, 2016

  • Initial version