Security Header Settings (Pro)
Security Header Settings is a Pro-exclusive feature that allows you to configure HTTP security headers directly from the admin dashboard.
Why Dashboard-Based Configuration Matters
Traditionally, configuring security headers required directly editing server configuration files (.htaccess or nginx.conf). This presents several challenges:
- Server administration knowledge is required
- Configuration mistakes can take the entire site down
- CSP configuration is complex — a single error can prevent the site from displaying correctly
- Shared hosting environments may restrict configuration access
Configurable Headers (10 Types)
Primary Headers
| Header | Function | Recommendation |
|---|---|---|
| Content-Security-Policy (CSP) | Control scripts/styles/images and other resources | Required |
| Strict-Transport-Security (HSTS) | Enforce HTTPS | Required |
| X-Content-Type-Options | Prevent MIME sniffing | Required |
| X-Frame-Options | Prevent clickjacking | Required |
| Referrer-Policy | Control referrer information | Recommended |
| Permissions-Policy | Restrict browser APIs | Recommended |
| X-XSS-Protection | Legacy XSS filter | Optional |
WordPress-Specific Removal Settings
| Setting | Target | Effect |
|---|---|---|
| Remove X-Powered-By | PHP version info | Hide server information |
| Remove X-Generator | WordPress version | Keep WP version private |
| Remove Server header | Web server info | Hide server type |
Security Levels (Presets)
Three presets are available to simplify the deployment of complex header configurations.
| Level | Contents | Target Audience |
|---|---|---|
| Basic | Minimum headers (HSTS, X-Content-Type-Options, X-Frame-Options) | First-time users |
| Standard | Basic + CSP (report mode), Referrer-Policy | Recommended for most sites |
| Strict | All headers with full policies applied | Security-focused sites |
Smart Scan
Smart Scan automatically scans the resources used on your site (scripts, stylesheets, images, fonts, etc.) before applying CSP headers, and generates an appropriate CSP policy.
How to Use
- Navigate to Security Header Settings → CSP section
- Click the Smart Scan button
- Each page of your site is scanned, and resource origins are listed
- Select Allow or Deny for each origin as needed
- Click Generate Policy
Learning Mode (CSP Report-Only)
CSP Learning Mode does not actually block resources — it only logs resources that would violate the policy in a report.
Deployment Steps
- Set CSP Mode to Report-Only (Learning)
- Operate the site for 1–2 weeks while collecting violation reports
- Review the CSP Violation Log to see which resources would have been blocked
- Add legitimate resources to the policy; exclude malicious ones
- Once violations have sufficiently decreased, switch to Enforce mode
CSP Violation Log
The CSP Violation Log in the admin dashboard displays:
- Violated Directive: script-src, style-src, etc.
- Blocked URI: The resource URL
- Page URL: The page where the violation occurred
- Occurrence Count: Aggregated count of identical violations
- Date/Time: Most recent occurrence
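As an added example (not the plugin's own code), the following shows how reports collected during Learning Mode can be aggregated into the same fields the Violation Log displays, and how the reviewed origins an admin marks as Allow become per-directive source lists. The log lines, hostnames and function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: one line per report received at the report-uri endpoint,
# "<ISO timestamp> <JSON body>" (the JSON shape is the browser's report-uri format).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z {"csp-report":{"document-uri":"https://shop.example.test/","violated-directive":"script-src 'self'","blocked-uri":"https://cdn.stats.example.test/tag.js"}}
2024-05-01T09:05:00Z {"csp-report":{"document-uri":"https://shop.example.test/","violated-directive":"script-src 'self'","blocked-uri":"https://cdn.stats.example.test/tag.js"}}
2024-05-01T09:07:00Z {"csp-report":{"document-uri":"https://shop.example.test/cart/","violated-directive":"style-src 'self'","blocked-uri":"https://fonts.example.test/css"}}
2024-05-01T09:09:00Z {"csp-report":{"document-uri":"https://shop.example.test/","violated-directive":"script-src 'self'","blocked-uri":"inline"}}
2024-05-01T09:12:00Z {"csp-report":{"document-uri":"https://shop.example.test/","violated-directive":"script-src 'self'","blocked-uri":"https://unknown-host.example.test/m.js"}}
"""

def parse_line(line):
    """Split one log line into (timestamp, directive name, blocked URI, page URL)."""
    ts, raw = line.split(" ", 1)
    body = json.loads(raw).get("csp-report", {})
    # Newer browsers send effective-directive; violated-directive may carry the whole
    # directive value ("script-src 'self'"), so keep only the directive name.
    directive = (body.get("effective-directive") or body.get("violated-directive", "")).split()
    return ts, (directive[0] if directive else ""), body.get("blocked-uri", ""), body.get("document-uri", "")

def aggregate(log_text):
    """Collapse identical violations into the Violation Log's fields:
    (directive, blocked URI, page URL) -> {"count": n, "last_seen": newest timestamp}."""
    rows = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, directive, blocked, page = parse_line(line)
        row = rows.setdefault((directive, blocked, page), {"count": 0, "last_seen": ts})
        row["count"] += 1
        row["last_seen"] = max(row["last_seen"], ts)  # ISO-8601 UTC strings sort chronologically
    return rows

def suggest_sources(rows, allowed_origins):
    """Turn reviewed violations into per-directive source lists: only origins the admin
    marked Allow are added; everything else (including 'inline' and 'eval') stays blocked."""
    sources = {}
    for (directive, blocked, _page) in rows:
        parts = urlsplit(blocked)
        if parts.scheme not in ("http", "https"):
            continue  # 'inline', 'eval', 'data' need an explicit decision, never an auto-allow
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin in allowed_origins:
            sources.setdefault(directive, {"'self'"}).add(origin)
    return {d: f"{d} {' '.join(sorted(s))}" for d, s in sources.items()}
```

The origin that was never marked Allow and the inline script are deliberately left out of the suggested policy, matching the "add legitimate resources; exclude the rest" step of Learning Mode.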
.htaccess Security
In Apache environments, a feature is available that outputs security headers directly to .htaccess. Since headers are set at the server level rather than the PHP level, they also apply to static files (images, CSS, JS).
Test Mode / Production Mode
| Mode | Behavior |
|---|---|
| Test Mode | Output to .htaccess.test for preview. No impact on production |
| Production Mode | Write directly to .htaccess. Takes effect immediately |
Notes
- Incorrect CSP settings can prevent your site's scripts and styles from loading. Always start with Learning Mode
- If you disable SSL after enabling HSTS, browsers will be unable to access your site
- Creating a backup of .htaccess before making changes is recommended