Security Header Generator


This plugin generates the proper security HTTP response headers, attempts to generate a valid Content Security Policy, and sets browser permissions if configured.

Screenshots

  • Standard Header Settings
  • Content Security Policy Settings
  • Permissions Settings
  • Documentation
  • Import/Export Settings
  • Headers Set


  1. Download the plugin, unzip it, and upload it to your site's /wp-content/plugins/ directory
    1. You can also upload it directly from your Plugins admin screen
  2. Activate the plugin through the 'Plugins' menu in WordPress

Frequently Asked Questions

What is a Content Security Policy?

A Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.


2021-12-18, 1 reply
Easy and Fast configuration. Don’t block image and Divi

Contributors and developers

"Security Header Generator" is open source software. The following people have contributed to this plugin.


Changelog


  • Verified: WP Core 6.6 Compatibility
  • Updated: settings framework: fixed PHP 8.x deprecation notices.
  • Updated: Documentation
  • Removed: references to implementation to avoid confusion


  • Removed: CLI Generator
  • Verified: WP Core 6.5 Compatibility
  • Add: Apply CSP to REST API
    • Please be aware, once this is switched on it will also be active for the admin area of the site.
    • Hook: wpsh_send_restapi_headers


  • Verified: Core Version 6.4 compliant
  • Remove: navigate-to directive for Content Security Policy
    • Per: no longer supported in any browser
  • Add: report-to directive for Content Security Policy
    • Please be aware, this directive currently does nothing in Firefox and Safari
  • Updated: WordPress Defaults. Compliant ONLY with the following:
    • Plugins: Gravity Forms
    • Themes: Twenty Twenty, Twenty Twenty-One, Twenty Twenty-Two, Twenty Twenty-Three
  • Updated: WordPress Core version requirements to 5.6.10


  • Fix: Autofill on Basic Auth fields
  • Add: Access-Control-Allow-Methods header
    • Default: GET, POST, HEAD
      • These are WordPress default allowable methods for the REST API
    • Hook: wpsh_acam_header
  • Add: Access-Control-Allow-Credentials
    • Default: true
    • Hook: wpsh_acac_header
  • Updated: Documentation


  • Update: Documentation
  • Fix: Autoloader not including the settings
    • NOTE: I had to manually include them, but not anymore 🙂
  • Add: Directives to the COEP
    • require-corp and unsafe-none
    • NOTE require-corp will require you to configure the Cross-Origin-Resource-Policy header
  • Remove older versions


  • Fix: Deprecation notice in CLI
  • Fix: Deprecated get_page_by_title
  • Optimize: Class loading with Composer's autoloader and its optimizations
  • Updated: JS libraries (codemirror, leaflet, etc).
  • Improved: Some JS and CSS coding.


  • Fix: PHP 8.1 deprecation notice on rtrim
  • Add: Cross-Origin-Resource-Policy header
    • Default: same-origin
    • Hook: wpsh_corp_header


  • Fix: CSP Headers being set in admin when not configured to do so
    • change in WP core send_headers or admin_init actions between Core 6.2 and Core 6.2.2
  • Add: More concise boolean checks
  • Add: Option for applying Content Security Policy headers to admin separately from primary security headers application setting
  • Add: Option for applying Feature Policy headers to admin separately from primary security headers application setting
  • Fix: Default CSP Script and Styles headers WP Defaults
  • Remove: Implementation page in settings
    • No longer a need for this
  • Update: Documentation for the above


  • Remove: document-domain from the Permissions-Policy header
    • no longer supported:
  • Remove: execution-while-not-rendered from the Permissions-Policy header
    • no longer supported:
  • Remove: execution-while-out-of-viewport from the Permissions-Policy header
    • no longer supported:
  • Remove: navigation-override from the Permissions-Policy header
    • completely removed
  • Remove: gamepad from the Permissions-Policy header
    • no longer supported:
  • Remove: The FLoC Permission Policy.
    • completely removed
  • Add: hid to the Permissions-Policy Header
  • Add: identity-credentials-get to the Permissions-Policy Header
  • Add: idle-detection to the Permissions-Policy Header
  • Add publickey-credentials-create to the Permissions-Policy Header
  • Add screen-wake-lock to the Permissions-Policy Header
  • Add serial to the Permissions-Policy Header
  • Add web-share to the Permissions-Policy Header


  • Remove: prefetch-src from the Content-Security-Policy
    • no longer supported:


  • Fix: Implementation Page
    • now accurately reflects the configuration set


  • Verify: Up to 6.3 Compliant
  • Fix: PHP 8.2 deprecation notices in field Framework


  • Test: Up to 6.2 compliant


  • Add: setting for allowing an access control origin
    • This should help out with CORS issues, especially from google


  • Fix: PHP 8 warning messages
    • Warning: Undefined array key "Permissions-Policy"
  • Fix: PHP 8 fatal error on special circumstance
    • KCP_CSPGEN_Headers::kp_get_generated_csp(): Return value must be of type array, string returned


  • Test: Up to 6.1.2 compliant
  • Fixed: Directory traversal in plugin
  • Fixed: Added check/uncheck all option for checkbox field.
  • Updated: Google Web Fonts array added new fonts.
  • Updated: JS libraries (codemirror, leaflet, etc).
  • Improved: Some JS and CSS coding.


  • Test: Up to 6.1.1 compliant
  • Remove: Server identifier removal option.
  • Rework: Broke out the front-end and admin headers to separate methods
  • Fix: Check for duplicate headers, or already set headers


  • Fix: Typo in versioning


  • Test: Up to 6.0.2 compliant
  • Tech: force PHP 7.4 minimum
  • Remove: Upgrader hook
    • this is no longer needed
  • Remove: X-XSS-Protection Header
    • was deprecated in version 2.2.13. The only compatible browsers as of 7/14/2022 are Edge and Safari.
      Use CSP to mitigate XSS


  • Test: Up to 6.0 compliant
  • Test: Up to PHP 8.1 Compliant
  • New: Plugin Icon =)
  • Updated: Settings Field Framework
    • Added: Number field "min", "max", "step" options.
    • Updated: Google Web Fonts array added new fonts.
    • Updated: JS libraries (codemirror, leaflet, etc).
    • Improved: Group field "custom title and prefix" option (samples added).
    • Improved: Some JS and CSS coding.


  • Fix: Eval and Inline for empty directives


  • Fix: Forgot a debugging var_dump… SMH


  • Fix: Include blank directives:
    • Even if the directives are blank for the CSP, they should still be included with the 'self' flag
  • Test: Up to 5.9.2 compliant
  • Fix: CLI performance.
    • Was timing out, then skipping some directives on larger sites.


  • Fix: Default WP CSP headers not being set
  • Fix: Implementation now includes Default WP
  • Feature: Implement debug check to queue unminified style and scripts
  • Fix: Implementation from the CLI pulls


  • Update: Settings framework


  • Fix: OR to ||
    • forgot about it in the main plugin file
  • Update: translatable resources
    • New: /languages/security-header-generator.pot


  • Fix: Array issue
  • Fix: Strict typing issue


  • Feature: Implement post update hook to try to properly migrate existing settings to the new format
  • Update: Change exportable/importable settings names, more legible
    • While I will do my best to automate this, please note it may not be perfect… I am only human after all 😉
    • If you export your settings before updating, you can import them again after updating and the below will be
      taken care of for you.
    • Just in case it does not work 100%, please export your settings before updating to this version and
      perform a search and replace for the string to remove it:

      • Search: "kp_cspgen_"
      • Replace: null|nothing|empty
    • NOTE: If you do not export your settings I will not guarantee that you will not have to reconfigure the plugin.
      Although… I did take a backup 😉 You will need to hop into your database to grab it though, it will be in your
      options table, and it is called: wpsh_TEMP_settings. I will have this automatically removed in a future update
  • Add: Option to remove server advertising.
  • Add: Expect-CT header
    • The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
      to prevent the use of misissued certificates for that site from going unnoticed.
    • Doc:
    • Hook: wpsh_expectct_header
  • Updated: Feature Policies.
    • Removed the following: battery, layout-animations, legacy-image-formats, oversized-images, screen-wake-lock,
      unoptimized-images, unsized-media, web-share
    • The above no longer have any browser support.
    • Added: A description for each directive
  • Updated: Content Security Policy
    • Added: the following fetch directives:
      • child-src, manifest-src, object-src, prefetch-src, script-src-elem,
        script-src-attr, style-src-elem, style-src-attr, worker-src, navigate-to
    • Added: Unsafe Inline and Unsafe Eval settings on each CSP directive
    • Added: A description for each directive
    • Reworked: Settings for the entire section, which of course caused me to rewrite the way they are implemented.
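The entries above describe how the generator assembles the Content-Security-Policy value: blank directives are still emitted with 'self', and each directive carries its own unsafe-inline / unsafe-eval toggle. The following is an added example of that assembly, not the plugin's own code; the settings array shape, the `build_csp` function name and the sample values are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assembles a Content-Security-Policy
// value from per-directive settings; the array shape and function name are assumed.
declare(strict_types=1);

/**
 * $directives: directive name => list of allowed sources (may be empty).
 * $flags:      directive name => ['inline' => bool, 'eval' => bool].
 * A blank directive is still emitted with 'self', so it neither disappears
 * from the policy nor silently inherits from default-src.
 */
function build_csp(array $directives, array $flags = []): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        // Keep only well-formed directive names.
        if (!preg_match('/^[a-z][a-z-]*$/', $name)) {
            continue;
        }
        // Drop blank entries and anything that is not printable ASCII without
        // whitespace; a CR/LF in a stored value must never reach header().
        $sources = array_values(array_filter(
            array_map('trim', $sources),
            fn(string $s): bool => preg_match('/^[\x21-\x7e]+$/', $s) === 1
        ));
        if ($sources === []) {
            $sources = ["'self'"];
        }
        $f = $flags[$name] ?? [];
        foreach (['inline' => "'unsafe-inline'", 'eval' => "'unsafe-eval'"] as $key => $kw) {
            if (!empty($f[$key]) && !in_array($kw, $sources, true)) {
                $sources[] = $kw;
            }
        }
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Constructed sample settings: style-src is blank but gets 'self' and 'unsafe-inline'.
$directives = [
    'default-src' => [],
    'script-src'  => ["'self'", 'https://cdn.example'],
    'style-src'   => [],
    'img-src'     => ["'self'", 'data:'],
];
$flags = ['style-src' => ['inline' => true]];
header('Content-Security-Policy: ' . build_csp($directives, $flags));
```

Sending the header before any output is required; in a plugin this call would sit on the send_headers action rather than at file scope.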