PHP Classes

Wordpress Secure Headers Helper: Send HTTP headers that implement security measures

Recommend this page to a friend!
  Info   View files Documentation   View files View files (5)   DownloadInstall with Composer Download .zip   Reputation   Support forum   Blog (2)    
Ratings Unique User Downloads Download Rankings
Not yet rated by the usersTotal: 83 All time: 10,044 This week: 571Up
Version License PHP version Categories
wp-secure-headers 1.0.3BSD License7PHP 5, Security, Blogs


This package be used to send HTTP headers that implement security measures.

It provides a class that can register a WordPress action function that will be called to set the response HTTP headers that are sent when pages generated by WordPress are served.

This class sets security related headers like:

- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
- Referrer-Policy
- Strict-Transport-Security
- Expect-CT

The class also provides a way to set other headers.

Another class allows to configure the values for setting the Content Security Policy headers.

Innovation Award
PHP Programming Innovation award nominee
March 2021
Number 2
Nowadays there are several HTTP headers that can be used to protect better Web applications and their users against harm that could be caused by certain types of security attacks.

This class can be used to send those HTTP headers in a WordPress applications. It makes it easier to develop more secure WordPress based sites and plugins.

Manuel Lemos
Picture of Carlos Artur Curvelo da Matos
  Performance   Level  
Name: Carlos Artur Curvelo da ... is available for providing paid consulting. Contact Carlos Artur Curvelo da ... .
Classes: 19 packages by
Country: Portugal Portugal
Age: 46
All time rank: 288339 in Portugal Portugal
Week rank: 47 Up2 in Portugal Portugal Up
Innovation award
Innovation award
Nominee: 13x

Winner: 2x


WP Secure Headers Helper

A simple helper class to manage HTTP Security Headers made available when a website is under any SSL certificate. Unfortunately, many plugins are used to configure SSL, but miss the more elaborated part of it - include secure headers to requests. This class aims to offer a simple interface to set up those - bringing predefined headers adequate for most WP websites, but also enabling the coder to set or alter any header - and that may include customized HTTP headers as well.


As we prefer, this library can be installed using Composer

composer require carloswph/wp-secure-headers.

Alternatively, you can just copy the class inside the src folder and use it in your plugin or theme.


The class WPH\Security\Headers inserts secure headers for Wordpress. Having that said, it already comes with some basic headers, which can be seen by using the static method wPH\Security\Headers::list(). In the future, we intend to build some chained methods to allow configuring in detail two specific headers: Content-Security-Policy and Permissions-Policy. For the moment, both can be added to class instance through the set() method.

Using with Composer

use WPH\Security\Headers;

require __DIR__ . '/vendor/autoload.php';

$sec_headers = new Headers();
$sec_headers->set('Content-Security-Policy', 'connect-src "self"'); // Add new headers to the class array property.

Content Security Policy

Since version 1.2.0, this library has an additional class, which can be passed as argument through the main class and adds the Content-Security-Policy header after being configured with dozens of chain methods. An example:

use WPH\Security\Headers;
use WPH\Security\ContentSecurityPolicy

require __DIR__ . '/vendor/autoload.php';

$csp = new ContentSecurityPolicy();

$sec_headers = new Headers($csp); // Adds the Content-Security-Policy to the headers pool, with all set parameters

Besides all methods to the configure the various Content-Security-Policy directives individually, this additional class also has a method ReportOnly(), which indicates the main class that the header shall be set as Content-Security-Policy-Report-Only instead. All documentation and info about this complex header can be found inside the class docblock comments.


  • Methods to setup and configure Permissions Policy headers
  • Some cookie managing tools

  Files folder image Files  
File Role Description
Files folder imagesrc (2 files)
Accessible without login Plain text file composer.json Data Auxiliary data
Accessible without login Plain text file composer.lock Data Auxiliary data
Accessible without login Plain text file Doc. Documentation

  Files folder image Files  /  src  
File Role Description
  Plain text file ContentSecurityPolicy.php Class Class source
  Plain text file Headers.php Class Class source

 Version Control Unique User Downloads Download Rankings  
This week:0
All time:10,044
This week:571Up