Free Tool
Security Headers Generator
Generate HTTP security headers for WordPress and any website. Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, Permissions-Policy, and more.
- Content-Security-Policy: Controls which resources the browser can load
- X-Frame-Options: Prevents clickjacking attacks
- X-Content-Type-Options: Prevents MIME-type sniffing
- X-XSS-Protection: Legacy XSS filter (still recommended)
- Strict-Transport-Security: Forces HTTPS connections
- Referrer-Policy: Controls referrer information sent with requests
- Permissions-Policy: Controls browser features (camera, mic, geolocation)
What Are HTTP Security Headers?
HTTP security headers are directives sent by your web server that tell browsers how to handle your site's content. They protect against common attacks like clickjacking, cross-site scripting (XSS), MIME sniffing, and data injection.
Most WordPress sites have zero security headers configured — leaving them vulnerable to attacks that are trivially preventable. Adding headers takes minutes and significantly improves your site's security posture.
Essential Security Headers Explained
- Content-Security-Policy (CSP): Controls which scripts, styles, and resources can load — the single most important security header
- X-Frame-Options: Prevents your site from being embedded in iframes — stops clickjacking attacks
- Strict-Transport-Security (HSTS): Forces browsers to always use HTTPS — prevents SSL stripping
- X-Content-Type-Options: Prevents browsers from MIME-sniffing — stops content-type attacks
- Referrer-Policy: Controls how much referrer information is shared with other sites
- Permissions-Policy: Controls which browser features (camera, mic, geolocation) your site can use
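Generating the headers is only half the job; you also want to confirm what the server actually sends and whether the values are strong enough. The audit script below is an added example, not code from this generator, and works offline on a dict of response headers such as a `requests` or `urllib` client would hand you. The two sample responses (`WEAK_SITE`, `HARDENED_SITE`) are constructed, not captured from any real site. It goes slightly beyond the list above by checking the values, not just presence: HSTS `max-age` and `includeSubDomains`, a CSP `default-src` fallback and the `'unsafe-inline'`/`*` sources that undo it, and the `Referrer-Policy` values that leak full URLs. X-XSS-Protection is deliberately not required by the audit, because current browsers no longer implement the filter it controlled.

```python
"""Audit an HTTP response's security headers (added example, not the generator's own code)."""
import re

# Headers the audit requires; X-XSS-Protection is omitted on purpose, since
# current browsers have removed the filter it controlled.
REQUIRED = [
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
    "Referrer-Policy",
    "Permissions-Policy",
]
# Referrer-Policy values that send the full URL to other origins.
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade", ""}


def _lookup(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return None


def check_hsts(value, min_age=31536000):
    """Return findings for a Strict-Transport-Security value (one year minimum by default)."""
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        findings.append("HSTS has no max-age directive")
    elif int(m.group(1)) < min_age:
        findings.append(f"HSTS max-age {m.group(1)} is below {min_age} (one year)")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS does not cover subdomains (includeSubDomains)")
    return findings


def check_csp(value):
    """Return findings for a Content-Security-Policy value."""
    findings = []
    directives = {}
    for part in value.split(";"):          # directives are ';'-separated
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "default-src" not in directives:
        findings.append("CSP has no default-src fallback")
    for name, sources in directives.items():
        if name in ("script-src", "default-src"):
            lowered = [s.strip("'").lower() for s in sources]
            if "unsafe-inline" in lowered:
                findings.append(f"CSP {name} allows 'unsafe-inline'")
            if "*" in lowered:
                findings.append(f"CSP {name} allows any origin (*)")
    return findings


def audit(headers):
    """Return {header_name: [findings]} for each missing or weak header; {} means all checks passed."""
    report = {}
    for name in REQUIRED:
        value = _lookup(headers, name)
        if value is None:
            report[name] = ["missing"]
            continue
        findings = []
        if name == "Strict-Transport-Security":
            findings = check_hsts(value)
        elif name == "Content-Security-Policy":
            findings = check_csp(value)
        elif name == "X-Frame-Options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            findings = [f"X-Frame-Options value {value!r} is not DENY or SAMEORIGIN"]
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            findings = [f"X-Content-Type-Options should be 'nosniff', got {value!r}"]
        elif name == "Referrer-Policy" and value.lower() in WEAK_REFERRER:
            findings = [f"Referrer-Policy {value!r} leaks the full URL to other origins"]
        if findings:
            report[name] = findings
    return report


# Constructed sample responses (not captured from any real site).
WEAK_SITE = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_SITE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(f"== {label} ==")
        for name, findings in audit(hdrs).items():
            for finding in findings:
                print(f"  {name}: {finding}")
```

Running it prints six findings groups for the weak sample (two missing headers, a short HSTS without subdomains, a CSP that allows inline script from any origin, an unrecognised X-Frame-Options value, and a leaking Referrer-Policy) and nothing for the hardened one. To audit a live site, pass `dict(response.headers)` from your HTTP client into `audit()`.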