How to Add HTTP Security Headers in WordPress

What Are HTTP Security Headers?

With the use of HTTP security headers, your website’s server can thwart typical security risks before they have a chance to compromise your website.

Your web server replies to the user’s browser with an HTTP header when they visit your WordPress website. Browsers can learn about error codes, cache control, and other statuses from this response.

A status known as HTTP 200 is returned by the standard header response. The user’s browser then loads your webpage. On the other hand, your web server might transmit an alternative HTTP header if your website is experiencing problems.

Let’s quickly review some HTTP security headers and their role in safeguarding your WordPress website:

Web browsers are informed by HTTP Strict Transport Security (HSTS) that your website uses HTTPS and shouldn’t be loaded via an insecure protocol like HTTP.

• Header set Content-Security-Policy “upgrade-insecure-requests”
• Header set Strict-Transport-Security “max-age=31536000; includeSubDomains”
• Header set X-Xss-Protection “1; mode=block”
• Header set X-Frame-Options “SAMEORIGIN”
• Header set X-Content-Type-Options “nosniff”
• Header set Referrer-Policy “strict-origin-when-cross-origin” Header set Permissions-Policy “geolocation=self”

How to Add HTTP Security Headers in wp .htaccess

.htaccess

#header security
<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Xss-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=self"
</IfModule>
#end header security

How to Check HTTP Security Headers for a Website

To check your website’s score, click this link: https://securityheaders.com/.