Security Header Generator


This plugin generates the proper security HTTP response headers, attempts to generate a valid Content Security Policy, and sets browser permissions if configured.


  • Standard Header Settings
  • Content Security Policy Settings
  • Permissions Settings
  • Documentation
  • Import/Export Settings
  • Headers Set


  1. Download the plugin, unzip it, and upload it to your site's /wp-content/plugins/ directory
    1. You can also upload it directly to your Plugins admin
  2. Activate the plugin through the ‘Plugins’ menu in WordPress


What is a Content Security Policy?

A Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.


December 18, 2022 1 reply
The plugin does what it promises. Thank you for this work.
December 18, 2021 1 reply
Easy and Fast configuration. Don’t block image and Divi

Contributors & Developers

“Security Header Generator” is open source software. The following people have contributed to this plugin.




  • Verified: WP Core 6.6 Compatibility
  • Updated: settings fw: Fixed: PHP 8.x deprecated notices.
  • Updated: Documentation
  • Removed: references to implementation to avoid confusion


  • Removed: CLI Generator
  • Verified: WP Core 6.5 Compatibility
  • Add: Apply CSP to REST API
    • Please be aware, once this is switched on it will also be active for the admin area of the site.
    • Hook: wpsh_send_restapi_headers


  • Verified: Core Version 6.4 compliant
  • Remove: navigate-to directive for Content Security Policy
    • Per: no longer supported in any browser
  • Add: report-to directive for Content Security Policy
    • Please be aware, this directive currently does nothing in Firefox and Safari
  • Updated: WordPress Defaults. Compliant ONLY with the following:
    • Plugins: Gravity Forms
    • Themes: Twenty Twenty, Twenty Twenty-One, Twenty Twenty-Two, Twenty Twenty-Three
  • Updated: WordPress Core version requirements to 5.6.10


  • Fix: Autofill on Basic Auth fields
  • Add: Access-Control-Allow-Methods header
    • Default: GET, POST, HEAD
      • These are WordPress default allowable methods for the REST API
    • Hook: wpsh_acam_header
  • Add: Access-Control-Allow-Credentials
    • Default: true
    • Hook: wpsh_acac_header
  • Updated: Documentation


  • Update: Documentation
  • Fix: Autoloader not including the settings
    • NOTE I had to manually include them, but not anymore 🙂
  • Add: Directives to the COEP
    • require-corp and unsafe-none
    • NOTE require-corp will require you to configure the Cross-Origin-Resource-Policy header
  • Remove older versions


  • Fix: Deprecation notice in CLI
  • Fix: Deprecated get_page_by_title
  • Optimize: Class loading with Composer's autoloader and its optimizations
  • Updated: JS libraries (codemirror, leaflet, etc).
  • Improved: Some JS and CSS coding.


  • Fix: PHP 8.1 deprecation notice on rtrim
  • Add: Cross-Origin-Resource-Policy header
    • Default: same-origin
    • Hook: wpsh_corp_header


  • Fix: CSP Headers being set in admin when not configured to do so
    • change in WP core send_headers or admin_init actions between Core 6.2 and Core 6.2.2
  • Add: More concise boolean checks
  • Add: Option for applying Content Security Policy headers to admin separately from primary security headers application setting
  • Add: Option for applying Feature Policy headers to admin separately from primary security headers application setting
  • Fix: Default CSP Script and Styles headers WP Defaults
  • Remove: Implementation page in settings
    • No longer a need for this
  • Update: Documentation for the above


  • Remove: document-domain from the Permissions-Policy header
    • no longer supported:
  • Remove: execution-while-not-rendered from the Permissions-Policy header
    • no longer supported:
  • Remove: execution-while-out-of-viewport from the Permissions-Policy header
    • no longer supported:
  • Remove: navigation-override from the Permissions-Policy header
    • completely removed
  • Remove: gamepad from the Permissions-Policy header
    • no longer supported:
  • Remove: The FLoC Permission Policy.
    • completely removed
  • Add: hid to the Permissions-Policy Header
  • Add: identity-credentials-get to the Permissions-Policy Header
  • Add: idle-detection to the Permissions-Policy Header
  • Add: publickey-credentials-create to the Permissions-Policy Header
  • Add: screen-wake-lock to the Permissions-Policy Header
  • Add: serial to the Permissions-Policy Header
  • Add: web-share to the Permissions-Policy Header


  • Remove: prefetch-src from the Content-Security-Policy
    • no longer supported:


  • Fix: Implementation Page
    • now accurately reflects the configuration set


  • Verify: Up to 6.3 Compliant
  • Fix: PHP 8.2 deprecation notices in field Framework


  • Test: Up to 6.2 compliant


  • Add: setting for allowing an access control origin
    • This should help out with CORS issues, especially from Google


  • Fix: PHP 8 warning messages
    • Warning: Undefined array key "Permissions-Policy"
  • Fix: PHP 8 fatal error on special circumstance
    • KCP_CSPGEN_Headers::kp_get_generated_csp(): Return value must be of type array, string returned


  • Test: Up to 6.1.2 compliant
  • Fixed: Directory traversal in plugin
  • Fixed: Added check/uncheck all option for checkbox field.
  • Updated: Google Web Fonts array added new fonts.
  • Updated: JS libraries (codemirror, leaflet, etc).
  • Improved: Some JS and CSS coding.


  • Test: Up to 6.1.1 compliant
  • Remove: Server identifiers removers.
  • Rework: Broke out the front-end and admin headers to separate methods
  • Fix: Check for duplicate headers, or already set headers


  • Fix: Typo in versioning


  • Test: Up to 6.0.2 compliant
  • Tech: force PHP 7.4 minimum
  • Remove: Upgrader hook
    • this is no longer needed
  • Remove: X-XSS-Protection Header
    • was deprecated in version 2.2.13. Only compatible browsers as of 7/14/2022 are Edge and Safari.
      Use CSP to mitigate XSS


  • Test: Up to 6.0 compliant
  • Test: Up to PHP 8.1 Compliant
  • New: Plugin Icon =)
  • Updated: Settings Field Framework
    • Added: Number field “min”, “max”, “step” options.
    • Updated: Google Web Fonts array added new fonts.
    • Updated: JS libraries (codemirror, leaflet, etc).
    • Improved: Group field “custom title and prefix” option (samples added).
    • Improved: Some JS and CSS coding.


  • Fix: Eval and Inline for empty directives


  • Fix: Forgot a debugging var_dump… SMH


  • Fix: Include blank directives:
    • Even if the directives are blank for the CSP, they should still be included with the ‘self’ flag
  • Test: Up to 5.9.2 compliant
  • Fix: CLI performance.
    • Was timing out, then skipping some directives on larger sites.


  • Fix: Default WP CSP headers not being set
  • Fix: Implementation now includes Default WP
  • Feature: Implement debug check to queue unminified style and scripts
  • Fix: Implementation from the CLI pulls


  • Update: Settings framework


  • Fix: OR to ||
    • forgot about it in the main plugin file
  • Update: translatable resources
    • New: /languages/security-header-generator.pot


  • Fix: Array issue
  • Fix: Strict typing issue


  • Feature: Implement post update hook to try to properly migrate existing settings to the new format
  • Update: Change exportable/importable settings names, more legible
    • While I will do my best to automate this, please note it may not be perfect… I am only human after all 😉
    • If you export your settings before updating, you can import them again after updating and the below will be
      taken care of for you.
    • Just in case it does not work 100%, please export your settings before updating to this version and
      perform a search and replace for the string to remove it:

      • Search: “kp_cspgen_”
      • Replace: null|nothing|empty
    • NOTE: If you do not export your settings I will not guarantee that you will not have to reconfigure the plugin.
      Although… I did take a backup 😉 You will need to hop into your database to grab it though, it will be in your
      options table, and it is called: wpsh_TEMP_settings. I will have this automatically removed in a future update
  • Add: Option to remove server advertising.
  • Add: Expect-CT header
    • The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
      to prevent the use of misissued certificates for that site from going unnoticed.
    • Doc:
    • Hook: wpsh_expectct_header
  • Updated: Feature Policies.
    • Removed the following: battery, layout-animations, legacy-image-formats, oversized-images, screen-wake-lock,
      unoptimized-images, unsized-media, web-share
    • The above no longer have any browser support.
    • Added: Descriptive descriptions for each directive
  • Updated: Content Security Policy
    • Added: the following fetch directives:
      • child-src, manifest-src, object-src, prefetch-src, script-src-elem,
        script-src-attr, style-src-elem, style-src-attr, worker-src, navigate-to
    • Added: Unsafe Inline and Unsafe Eval settings on each CSP directive
    • Added: Descriptive descriptions for each directive
    • Reworked: Settings for the entire section, which of course caused me to rewrite the way they are implemented.