WordPress Plugin: Security Headers
<?php
/*
Plugin Name: Security Headers
Description: Adds security-related HTTP headers to your WordPress site.
Version: 1.0
Update URI: false
*/
// Bail out if this file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
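/**
 * Emits a fixed set of security-related HTTP headers on WordPress responses.
 *
 * The header set is built by self::default_headers(), can be adjusted per site
 * through the `security_headers_list` filter, and is sent from the
 * `send_headers` action.
 *
 * Caveats a deployer should know:
 * - Only responses generated by PHP get these headers. Files the web server
 *   serves directly (uploads, theme/plugin CSS and JS) need the equivalent
 *   web-server configuration.
 * - NOTE(review): `send_headers` fires from WP::main(), i.e. for front-end
 *   requests; wp-login.php and wp-admin do not appear to run it, so those
 *   pages may not receive these headers from this plugin (WordPress core sends
 *   its own X-Frame-Options there) — confirm before relying on it for login.
 * - The Content-Security-Policy keeps 'unsafe-inline'/'unsafe-eval' for
 *   script-src, which is what WordPress core, themes and plugins commonly need;
 *   in that form the CSP restricts resource origins but does NOT stop XSS.
 */
class Security_Headers {

    /**
     * Register the hook that sends the headers.
     *
     * `send_headers` runs before any page output, which is required because
     * header() cannot add headers once output has started.
     */
    public function __construct() {
        add_action('send_headers', [$this, 'set_security_headers']);
    }

    /**
     * Send the security headers for the current response.
     *
     * Builds the defaults for the current transport (HSTS only over TLS),
     * passes them through the `security_headers_list` filter so site code can
     * add, change or unset entries, then emits each one with header(). If
     * output has already started nothing is sent, since header() would only
     * raise a warning at that point.
     */
    public function set_security_headers() {
        if (headers_sent()) {
            return;
        }

        $headers = self::default_headers(is_ssl());

        /**
         * Filters the security headers before they are sent.
         *
         * @param array<string, string> $headers Header name => header value.
         *                                        Unset an entry to suppress it.
         */
        $headers = apply_filters('security_headers_list', $headers);
        if (!is_array($headers)) {
            return; // A misbehaving filter must not take the page down.
        }

        foreach ($headers as $name => $value) {
            header($name . ': ' . $value);
        }
    }

    /**
     * Default header set, in the order it is sent.
     *
     * @param bool $https Whether the current request was served over TLS.
     *                    Strict-Transport-Security is included only when true:
     *                    clients ignore HSTS received over plain HTTP (RFC 6797
     *                    section 8.1), and `includeSubDomains` + `preload` are
     *                    close to irrevocable once the site is on the preload
     *                    list, so the header must not be advertised before the
     *                    whole site and every subdomain serve HTTPS.
     * @return array<string, string> Header name => header value.
     */
    public static function default_headers(bool $https = false): array {
        $headers = [
            // Stops browsers MIME-sniffing a response away from its declared Content-Type.
            'X-Content-Type-Options' => 'nosniff',

            // Legacy clickjacking protection; the CSP frame-ancestors directive below is
            // the current equivalent. ALLOW-FROM is obsolete and ignored by modern browsers.
            'X-Frame-Options' => 'SAMEORIGIN',

            // The browser XSS auditor is deprecated, and its filter/block modes could be
            // abused for cross-site leaks in browsers that still implement it. OWASP
            // recommends disabling it explicitly with `0` and relying on CSP instead.
            'X-XSS-Protection' => '0',

            // Full referrer same-origin, origin only cross-origin, nothing on HTTPS->HTTP.
            'Referrer-Policy' => 'strict-origin-when-cross-origin',

            // One year, all subdomains, eligible for the browser preload list. Only emitted
            // over TLS (see the $https parameter).
            'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',

            // Turn off browser features the site does not use. Adjust per site.
            'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',

            // Resource-origin allow-list. script-src keeps 'unsafe-inline' and
            // 'unsafe-eval' because WordPress inline scripts commonly need them, which
            // means this policy does not block injected inline script; tighten with
            // nonces/hashes per site via the filter. base-uri 'self' prevents <base>
            // hijacking of relative URLs; frame-ancestors 'self' matches X-Frame-Options.
            // default-src 'self' also blocks cross-origin fonts, XHR/fetch and iframes
            // (embedded video, Gravatar, web fonts) unless those origins are added.
            'Content-Security-Policy' => "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; base-uri 'self'; frame-ancestors 'self';",

            // Requires every cross-origin resource to opt in via CORP or CORS. Needed only
            // for cross-origin isolation (e.g. SharedArrayBuffer); it will block third-party
            // images, fonts and embeds that do not send those headers.
            'Cross-Origin-Embedder-Policy' => 'require-corp',

            // Puts the page in its own browsing context group, cutting window references
            // from cross-origin openers/popups.
            'Cross-Origin-Opener-Policy' => 'same-origin',

            // Lets browsers refuse no-cors loads of this site's responses from other
            // origins — including the site's own other subdomains.
            'Cross-Origin-Resource-Policy' => 'same-origin',
        ];

        if (!$https) {
            unset($headers['Strict-Transport-Security']);
        }

        return $headers;
    }
}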
new Security_Headers(); // Instantiating registers the send_headers hook; no other setup needed.