Security Headers
| 开发者 | joshme21 |
|---|---|
| 更新时间 | 2026年3月26日 19:33 |
| 捐献地址: | 去捐款 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 6.9.2 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Security Headers helps site owners manage modern browser security headers from inside WordPress.
Features include:
- Admin settings page under Settings > Security Headers
- HSTS controls with preload warning
- Referrer-Policy and X-Frame-Options settings
- Permissions-Policy custom value field
- Content-Security-Policy builder with Report-Only mode
- Diagnostics screen showing configured headers
- Test tool to fetch and inspect your live response headers
- Import, export, and reset settings tools
- Cleanup on uninstall
安装:
- Upload the plugin folder to
/wp-content/plugins/ - Activate the plugin in WordPress
- Go to Settings > Security Headers
- Save your preferred configuration
常见问题:
Is Content-Security-Policy enabled by default?
No. CSP is disabled by default because a strict policy can break scripts, styles, embeds, or third-party integrations if it is not configured carefully.
Should I use Report-Only mode first?
Yes. Report-Only mode is the safest way to start testing CSP because it reports problems without blocking resources.
Does HSTS work on HTTP sites?
No. HSTS should only be enabled when your site is fully available over HTTPS.
更新日志:
1.3.0
- Added diagnostics and live header testing tools in wp-admin.
- Added import, export, and reset tools for plugin settings.
- Added a configurable Content-Security-Policy builder with Report-Only support.
- Added uninstall cleanup for stored plugin options.
- Added a WordPress admin settings page under Settings > Security Headers.
- Added saved plugin options with sanitization and safer defaults.
- Connected PHP and Apache header output to the saved admin settings.
- Updated plugin metadata for modern WordPress compatibility.
- Removed deprecated legacy headers.
- Limited default headers to a conservative modern set to reduce breakage.
- Only sends HSTS on HTTPS requests.
- First release