HTTP Headers


HTTP Headers gives your control over the http headers returned by your blog or website.

Headers supported by HTTP Headers includes:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Expose-Headers
  • Age
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Cache-Control
  • Clear-Site-Data
  • Connection
  • Content-Encoding
  • Content-Type
  • Cross-Origin-Resource-Policy
  • Expect-CT
  • Expires
  • Feature-Policy
  • Pragma
  • P3P
  • Referrer-Policy
  • Report-To
  • Strict-Transport-Security
  • Timing-Allow-Origin
  • Vary
  • WWW-Authenticate
  • X-Content-Type-Options
  • X-DNS-Prefetch-Control
  • X-Download-Options
  • X-Frame-Options
  • X-Permitted-Cross-Domain-Policies
  • X-Powered-By
  • X-UA-Compatible
  • X-XSS-Protection

The getting started tutorial describes a typical configuration of this plugin.

Capturi ecran

  • This screenshot shows up the dashboard with categories of the supported headers.
  • This screenshot shows up the headers of a chosen category and their current values.
  • This screenshot shows up the settings page where you can adjust the security headers.
  • This screenshot shows up the response headers returned by the web server.


Upload the HTTP Headers plugin to your blog. Then activate it.

That’s all.

Întrebări frecvente

Why to use this plugin?

Nowadays security of your social data at the web is essential. This plugin helps you to improve your website overall security.

Who use these headers?

These HTTP headers are being used in production services by popular websites as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram, Pinterest.


7 septembrie 2019
This plugin is just perfect! UX could be improved a bit. Have to click a lot hahah.
22 august 2019
Giving neutral rating of 3 because the problem could be me. Installed and activated .. but no change to security results using Mozilla Observatory. All settings were set to 'off' position so turned 'on' the ones failing MozObs test - re-ran scan - still showing no effect. Am I doing something wrong? Does it take time to work? Why does developer say just install and activate but all settings are automatically OFF?
4 august 2019
Fast support, the plugin does what it should. Nice would be a function where after installation all important settings for WordPress are taken over and only need to be adjusted. Better description would help, so that you do not have to search the Internet, but the support also helps fast.
15 mai 2019
The author tried to slip some new features into a bug-fix release and broke backward compatibility. I raised the issue in the support forum 2 weeks ago and have not yet received a response from the author. A scan of the support forum shows that he does not respond to most threads. In the meantime, the plugin fails to produce a Content-Security-Policy header, making it useless for my purposes. Furthermore, it fails silently; current users might not even notice that it's broken. Update 2019-04-20: changed rating from 1 star to 2 stars Update 2019-05-15 I have not only kept this plugin active on my site, I have also installed it on a second site. In fairness, despite my frustration with the author, I am bumping my review to 4 stars because it’s the best header plugin I could find.
Citește toate cele 25 de recenzii

Contributori și dezvoltatori

„HTTP Headers” este un software open-source. La acest modul au contribuit următoarele persoane.


Tradu „HTTP Headers” în limba ta.

Te interesează dezvoltarea?

Răsfoiește codul, vezi depozitarul SVN, sau abonează-te la jurnalul de dezvoltare prin RSS.

Istoric modificări


Release Date – 26th January, 2020

  • Added the „Cross-Origin-Resource-Policy” header
  • Removed the „Public-Key-Pins” header


Release Date – 25th November, 2019

  • CORS headers updated (added „Vary: Origin”)


Release Date – 15th September, 2019

  • Simple filtering was replaced with Dynamic filtering


Release Date – 1st September, 2019

  • Added the „Content-Type” header
  • Fixed the „Access-Control-Allow-Credentials” header
  • Improvement to „Access-Control-Allow-Headers” header
  • Improvement to „Access-Control-Allow-Methods” header
  • Improvement to „Access-Control-Expose-Headers” header
  • Improvement to „Cache-Control” header
  • Improvement to „Vary” header


Release Date – 14th July, 2019

  • Added the „always” condition to Header (unset) directive
  • Fixed the „import” function
  • Fixed the „Access-Control-Allow-Origin” header


Release Date – 16th June, 2019

  • Bugfix in „WWW-Authenticate” header
  • Added support of Apache 2.4


Release Date – 13th June, 2019

  • Bugfix in „Content-Encoding” header
  • Bugfix in „Vary” header


Release Date – 8th June, 2019

  • Added Brotli compression


Release Date – 7th June, 2019

  • Added „SameSite” to Cookie Security
  • Fixed import/export function
  • Code refactoring


Release Date – 5th April, 2019

  • UI improvement for Content-Security-Policy
  • Fix for Access-Control-Allow-Headers
  • Fix for Access-Control-Allow-Origin
  • Fix for Feature-Policy


Release Date – 9th January, 2019

  • Remove direct calls to cURL


Release Date – 5th January, 2019

  • Better handling of activate/deactivate functions


Release Date – 9th December, 2018

  • Added support of „Clear-Site-Data” header


Release Date – 6th November, 2018

  • Hotfix: parallel work with third-party plugins


Release Date – 30th September, 2018

  • Support of following Server APIs: CGI, FastCGI, PHP-FPM
  • Error handling improvement


Release Date – 8th August, 2018

  • HSTS improvement
  • CORS improvement


Release Date – 31st July, 2018

  • Export feature bug-fixed


Release Date – 18th July, 2018

  • Feature-Policy header update: new features added


Release Date – 17th July, 2018

  • Added support of „Feature-Policy” header


Release Date – 12th July, 2018

  • CORS bugfix


Release Date – 13th January, 2018

  • In-plugin security improvement


Release Date – 10th January, 2018

  • Bug fix


Release Date – 4th January, 2018

  • Security improvements


Release Date – 27th December, 2017

  • Updated translations


Release Date – 23th December, 2017

  • Added support of „Report-To” header
  • Added support of translations
  • Added support of Import/Export
  • Updated „Content-Security-Policy” header (added directives: object-src, frame-src, worker-src, manifest-src, base-uri, report-to)
  • Updated „WWW-Authenticate” header (support multiple users)
  • Updated „Access-Control” headers (added list of origins)


Release Date – 31st August, 2017

  • Added support of „Timing-Allow-Origin” header
  • Added support of „X-Download-Options” header
  • Added support of „X-DNS-Prefetch-Control” header
  • Added support of „X-Permitted-Cross-Domain-Policies” header
  • Added support of Custom headers


Release Date – 18th August, 2017

  • PHP notice bugfixed


Release Date – 15th August, 2017

  • Added support of „Content-Security-Policy-Report-Only” header
  • Added support of „Public-Key-Pins-Report-Only” header
  • Added „1; report=” directive to the „X-XSS-Protection” header
  • Added „Inspect headers” tool
  • UI bugfixes


Release Date – 5th August, 2017

  • Added support of „Expect-CT” header


Release Date – 30th July, 2017

  • Added support of „Age” header
  • Added support of „Cache-Control” header
  • Added support of „Connection” header
  • Added support of „Content-Encoding” header
  • Added support of „Expires” header
  • Added support of „Pragma” header
  • Added support of „Vary” header
  • Added support of „WWW-Authenticate” header
  • Added support of „X-Powered-By” header
  • Added support of „Secure” and „HttpOnly” cookies


Release Date – 5th July, 2017

  • Added support of Apache (via htaccess) inclusion method


Release Date – 3rd June, 2017

  • Added support of Content-Security-Policy header
  • Added dashboard


Release Date – 28th April, 2017

  • Added support of Referrer-Policy header


Release Date – 13th February, 2017

  • Added support of ‘preload’ directive to HSTS header


Release Date – 8th November, 2016

  • Fixed typo in the X-Frame-Options header


Release Date – 20th May, 2016

  • Added support of P3P header


Release Date – 10th May, 2016

  • Initial version