HTTP Security Headers Generator

Generate HTTP security header configurations for your WordPress site in .htaccess, Nginx, or PHP. Pick a preset that matches your site type or customize every header.

Preset by site type

Each preset is tuned for a specific kind of WordPress site, with security settings that don't break functionality.

Header settings

Defines which resources are allowed to load on your site. Mitigates XSS by controlling where scripts, styles, images and other content may come from.

Violations are logged but not blocked. Ideal for testing without breaking your site.

Skips CSP on wp-admin and wp-login.php. The block editor needs very permissive directives that would weaken security. If you use the classic editor, you can turn this off.

Important for WordPress:

  • A very strict CSP can break plugins and themes
  • Page builders (Elementor, Divi) need 'unsafe-inline'
  • The block editor needs the admin area excluded to work
  • Start in report-only mode and tighten as needed

Prevents clickjacking attacks by blocking your site from being loaded in iframes on other domains.

The CSP frame-ancestors directive is the modern replacement for X-Frame-Options. Sending both gives you maximum compatibility, since older browsers only understand X-Frame-Options.

Stops browsers from "guessing" MIME types. Prevents a text file from being executed as malicious JavaScript.

Forces browsers to always use HTTPS. Only enable this if you already have SSL/HTTPS properly configured.

Only enable this if all your subdomains have HTTPS.

Hard to revert. Only use if you're 100% sure.

Controls how much information is sent in the 'Referer' header when someone clicks a link on your site.

Controls which browser features your site can use. Blocks access to camera, microphone, geolocation, etc.

Block access to:

Turns on the built-in anti-XSS filter in older browsers. Modern browsers no longer use it.

Controls which resources from other origins can be loaded. Can break external images and scripts.

Isolates your site in its own browsing context. Useful against Spectre-type attacks.

Controls who can load resources from your site. Stops other sites from using your images, scripts, etc.

Generated configuration

# Fill in the form and click Generate to see the code

Want to know which headers you're missing? Run the WordPress security check.
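The checks behind the header descriptions above, written out as an added Python example (not the generator's code and not the WordPress security check itself): it audits one response's headers and applies the page's caveats, including the wp-admin/wp-login.php CSP exclusion and the HSTS preload warning. The sample response is constructed here.

```python
"""Audit HTTP response headers against this page's recommendations (added example)."""
from __future__ import annotations

def csp_directive(policy: str, name: str) -> list[str] | None:
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def audit_headers(headers: dict[str, str], path: str = "/") -> list[str]:
    """Return findings as 'severity: message' strings for one response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out: list[str] = []
    # The generator deliberately skips CSP on wp-admin and wp-login.php.
    admin = path.startswith(("/wp-admin", "/wp-login.php"))
    csp = h.get("content-security-policy")
    csp_ro = h.get("content-security-policy-report-only")
    if not csp and not csp_ro and not admin:
        out.append("missing: Content-Security-Policy (not even report-only)")
    if csp_ro and not csp:
        out.append("info: CSP is report-only; violations are logged, not blocked")
    scripts = csp_directive(csp or csp_ro or "", "script-src")
    if scripts and "'unsafe-inline'" in scripts:
        out.append("weak: script-src allows 'unsafe-inline' (page builders need it)")
    # Only an enforced policy blocks framing; report-only frame-ancestors does not.
    if csp_directive(csp or "", "frame-ancestors") is None and "x-frame-options" not in h:
        out.append("missing: neither enforced frame-ancestors nor X-Frame-Options")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append("missing: X-Content-Type-Options: nosniff")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append("missing: Strict-Transport-Security (add only once HTTPS works)")
    elif "preload" in hsts.lower():
        out.append("caution: HSTS preload is hard to revert")
    for name in ("Referrer-Policy", "Permissions-Policy"):
        if name.lower() not in h:
            out.append(f"missing: {name}")
    return out

# Constructed sample: a front-page response that is half-way through hardening.
SAMPLE = {
    "Content-Security-Policy-Report-Only": "default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__": print(*audit_headers(SAMPLE), sep="\n")
```

Point it at the headers of a real response (for example the output of `curl -sI`) to see which of the generator's headers a site still lacks.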