A WordPress plugin that allows you to easily control HTTP response headers of your website.
Donate link: https://www.paypal.me/Dimitar81
Requires at least: 3.2
Tested up to: 6.3.1
Requires PHP: 5.3
Stable tag: 1.19.1
License: GPLv2 or later
HTTP Headers gives your control over the http headers returned by your blog or website.
Headers supported by HTTP Headers includes:
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Expose-Headers
- Age
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Cache-Control
- Clear-Site-Data
- Connection
- Content-Encoding
- Content-Type
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Expect-CT
- Expires
- Feature-Policy
- NEL
- Permissions-Policy
- Pragma
- P3P
- Referrer-Policy
- Report-To
- Strict-Transport-Security
- Timing-Allow-Origin
- Vary
- WWW-Authenticate
- X-Content-Type-Options
- X-DNS-Prefetch-Control
- X-Download-Options
- X-Frame-Options
- X-Permitted-Cross-Domain-Policies
- X-Powered-By
- X-Robots-Tag
- X-UA-Compatible
- X-XSS-Protection
Upload the HTTP Headers plugin to your blog. Then activate it.
That's all.
Nowadays security of your social data at the web is essential. This plugin helps you to improve your website overall security.
These HTTP headers are being used in production services by popular websites as Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram, Pinterest.
Updates are on they way, so stay tuned at @DimitarIvanov
Release Date - 2nd September, 2023
- Added "clientHints" directive to "Clear-Site-Data" header
- Added "credentialless" directive to "Cross-Origin-Embedder-Policy" header
Release Date - 7th July, 2023
- Fixed: SSRF vulnerability by an Admin user
- Fixed: XSS vulnerability by an Admin user
Release Date - 11th June, 2023
- Fixed: Remote Code Execution by an Admin user
Release Date - 28th May, 2023
- Fixed: Remote Code Execution by an Admin user
- Removed: Import/Export functions
Release Date - 23rd April, 2023
- Fixed: Remote Code Execution by an Admin user
Release Date - 17th April, 2023
- Fixed: SQL Injection by an Admin user
- Fixed: Remote Code Execution by an Admin user
- Few PHP 8.x compatible fixes
Release Date - 24th January, 2023
- Fix CSP default value
Release Date - 22nd January, 2023
- PHP 8 compatibility changes
Release Date - 30th April, 2021
- Configurable paths to files who store passwords for basic/digest auth
- Fixed issue with plugin activation, due missing file
Release Date - 30th April, 2021
- Initial value of X-Robots-Tag fixed
Release Date - 30th April, 2021
- Added "X-Robots-Tag" header
- Added "interest-cohort", "layout-animations", "legacy-image-formats", "oversized-images", and "wake-lock" directive to "Permissions-Policy" header
- Added "cross-origin" value to "Cross-Origin-Resource-Policy" header
- Added "navigate-to" and "prefetch-src" directives to "Content-Security-Policy" header
Release Date - 24th April, 2021
- Configurable paths to .htaccess and .user.ini files
Release Date - 29th October, 2020
- Added "allow-downloads" and "allow-top-navigation-by-user-activation" to "sandbox" directive, part of CSP
Release Date - 20th September, 2020
- Added "Permissions-Policy" header
- Fixed "Cookie Security"
Release Date - 26th July, 2020
- Added "Cross-Origin-Embedder-Policy" header
- Added "Cross-Origin-Opener-Policy" header
Release Date - 23rd July, 2020
- Fixed JS/CSS versioning
Release Date - 23rd July, 2020
- Added the "NEL" header
- Fixed the "Report-To" header
Release Date - 18th June, 2020
- Fixed a PHP Notice at "Expires" page
- Fixed comments in .user.ini file
Release Date - 9th May, 2020
- Fixed the "Access-Control-Allow-Origin" header
Release Date - 26th January, 2020
- Added the "Cross-Origin-Resource-Policy" header
- Removed the "Public-Key-Pins" header
Release Date - 25th November, 2019
- CORS headers updated (added "Vary: Origin")
Release Date - 15th September, 2019
- Simple filtering was replaced with Dynamic filtering
Release Date - 1st September, 2019
- Added the "Content-Type" header
- Fixed the "Access-Control-Allow-Credentials" header
- Improvement to "Access-Control-Allow-Headers" header
- Improvement to "Access-Control-Allow-Methods" header
- Improvement to "Access-Control-Expose-Headers" header
- Improvement to "Cache-Control" header
- Improvement to "Vary" header
Release Date - 14th July, 2019
- Added the "always" condition to Header (unset) directive
- Fixed the "import" function
- Fixed the "Access-Control-Allow-Origin" header
Release Date - 16th June, 2019
- Bugfix in "WWW-Authenticate" header
- Added support of Apache 2.4
Release Date - 13th June, 2019
- Bugfix in "Content-Encoding" header
- Bugfix in "Vary" header
Release Date - 8th June, 2019
- Added Brotli compression
Release Date - 7th June, 2019
- Added "SameSite" to Cookie Security
- Fixed import/export function
- Code refactoring
Release Date - 5th April, 2019
- UI improvement for Content-Security-Policy
- Fix for Access-Control-Allow-Headers
- Fix for Access-Control-Allow-Origin
- Fix for Feature-Policy
Release Date - 9th January, 2019
- Remove direct calls to cURL
Release Date - 5th January, 2019
- Better handling of activate/deactivate functions
Release Date - 9th December, 2018
- Added support of "Clear-Site-Data" header
Release Date - 6th November, 2018
- Hotfix: parallel work with third-party plugins
Release Date - 30th September, 2018
- Support of following Server APIs: CGI, FastCGI, PHP-FPM
- Error handling improvement
Release Date - 8th August, 2018
- HSTS improvement
- CORS improvement
Release Date - 31st July, 2018
- Export feature bug-fixed
Release Date - 18th July, 2018
- Feature-Policy header update: new features added
Release Date - 17th July, 2018
- Added support of "Feature-Policy" header
Release Date - 12th July, 2018
- CORS bugfix
Release Date - 13th January, 2018
- In-plugin security improvement
Release Date - 10th January, 2018
- Bug fix
Release Date - 4th January, 2018
- Security improvements
Release Date - 27th December, 2017
- Updated translations
Release Date - 23th December, 2017
- Added support of "Report-To" header
- Added support of translations
- Added support of Import/Export
- Updated "Content-Security-Policy" header (added directives: object-src, frame-src, worker-src, manifest-src, base-uri, report-to)
- Updated "WWW-Authenticate" header (support multiple users)
- Updated "Access-Control" headers (added list of origins)
Release Date - 31st August, 2017
- Added support of "Timing-Allow-Origin" header
- Added support of "X-Download-Options" header
- Added support of "X-DNS-Prefetch-Control" header
- Added support of "X-Permitted-Cross-Domain-Policies" header
- Added support of Custom headers
Release Date - 18th August, 2017
- PHP notice bugfixed
Release Date - 15th August, 2017
- Added support of "Content-Security-Policy-Report-Only" header
- Added support of "Public-Key-Pins-Report-Only" header
- Added "1; report=" directive to the "X-XSS-Protection" header
- Added "Inspect headers" tool
- UI bugfixes
Release Date - 5th August, 2017
- Added support of "Expect-CT" header
Release Date - 30th July, 2017
- Added support of "Age" header
- Added support of "Cache-Control" header
- Added support of "Connection" header
- Added support of "Content-Encoding" header
- Added support of "Expires" header
- Added support of "Pragma" header
- Added support of "Vary" header
- Added support of "WWW-Authenticate" header
- Added support of "X-Powered-By" header
- Added support of "Secure" and "HttpOnly" cookies
Release Date - 5th July, 2017
- Added support of Apache (via htaccess) inclusion method
Release Date - 3rd June, 2017
- Added support of Content-Security-Policy header
- Added dashboard
Release Date - 28th April, 2017
- Added support of Referrer-Policy header
Release Date - 13th February, 2017
- Added support of 'preload' directive to HSTS header
Release Date - 8th November, 2016
- Fixed typo in the X-Frame-Options header
Release Date - 20th May, 2016
- Added support of P3P header
Release Date - 10th May, 2016
- Initial version