Rating: 2 stars
When used with Elementor, you can’t edit the pages. Had to uninstall, since I don’t know what else it will break.
Rating: 4 stars
I am finding this a very effective tool to help clients reach security compliance. There is one glitch I believe, however, is with the x-content-type-options. Once you enable this the only option is “nosniff”. And once enabled, there is no way to reset it. And unfortunately I believe this setting is creating errors on my site. I can’t even seem to find the line for it in my .htaccess file. Any recommendations?
Rating: 5 stars
I have felt this has been excellent since the first time I used it, and absolutely no issues with it for what it is, except that there are a couple of headers that either need to be ‘marked deprecated’ or just removed. My immediate spot of these are the Features header, P3P header and the Expect-CT (which is still around, but Mozilla recommend not using). There may be others.
There are a bunch of things that I might suggest as improvements, but this is to move the tool forward a bit. For instance:
It would be great if it could display the highlighted state of the current Apache/Nginx code and the status of the security (as per securityheaders.com form) alongside/under it, so you could see the evolution of the security header set up arrangements as you add/remove them.
Could be useful to have some in-built documentation on these things (particularly with the P3P header, those little summary items were impossible to figure out without going back and forth, but for other things like cache-control, or accept-expose-headers, some labelling could help). That said, for advanced users anyway, so perhaps less important.
Further to that, it might be useful to have an indication of what OWASP, Scott Helme, and Mozilla recommend and/or warnings for ones that are problematic for security or high risk with labels on them.
There are a few things that have odd formatting, so it is not obvious how to transpose the information for the reporting one over from how the header is laid out, since there are different ones for this. In this you have the report header that is normally used (as per report-uri site from Scott Helme) but it does not fit there. However, it has a group called ‘csp-element’ or something similar that might be clearer as to its use elsewhere. There is also the display of custom headers that are all grouped into one thing, and not spread out in a useful way if you want to review them.
Odd grouping in a couple of places, so custom headers I might have given its own block for instance, and to have two items in one and even one in one grouping is a bit pointless.
On another note, it is a shame that there is not a tool that is so effective that does this kind of thing for WordPress and just outputs the BIND9 detail for DNS resource records. A combination of this and that, with the ability to adjust PHP and Apache settings would be the most amazing tool ever. What this does, however, is set the foundations for a great security setup.
Rating: 5 stars
Simple and useful
Rating: 5 stars
Great tool. Novices, beware, the myriad of settings is a bit daunting at first so you need to dive into the subtleties of Header settings, specifically the ones that address security settings for your site.
A good resource for the broad variety of settings for Content Security Policy as well as other important Header settings such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy and Permissions Policy can be found at cheatsheetseries owasp org.
Take your time working out which settings work best for your site. Getting a good rating at securityheaders com will reward you for your efforts.
While the tool respects your initial .htaccess content, it’s a good idea to back up your .htaccess before saving and applying the plugin’s settings.
Rating: 5 stars
Been using this for well over a year now. Works like a champ with custom themes, wide variety of plugins, and page builder themes. Of course, we keep all of these updated. The settings dashboard is very user-friendly. Much easier than adding these manually. Thank you!
Rating: 5 stars
I use this plugin on many of my sites, and I have never encountered fatal errors as in the comments. I am using PHP 8.0 and below.
People who have problems should check if there are any other plugins that affect the htaccess file. This plugin takes care of the htaccess file.
Talking about the plugin, the developer did a good job. All http header codes and descriptions are available.
Respects!
Rating: 2 stars
Used this for years, it has been great but it needs updating for recent WP releases, and in particular for PHP 8.1 – there is some code that relied on earlier versions of PHP being forgiving or some common coding issues, which now breaks on an up-to-date system.
Rating: 5 stars
Enhances the security of a WordPress site.
Thanks to the developer for making this useful plugin, hope he actively maintains this plugin.
Rating: 1 star
I’ve been using this plugin for years, but it no longer works – causing fatal error whenever you try and enable any of the settings.
I’m seeing multiple people saying the same thing and NOBODY is responding to them.
Rating: 1 star
Not sure what’s up with this, but every single save I made crashed my site.
I rolled back and tried another setting… crashed my site.
I removed the plugin, but I’ll try it on another site and see what happens.
Rating: 2 stars
So, the plugin documentation doesn’t do enough to communicate to a new user HOW it controls the HTTP response headers. It needs to talk about how it creates a .htaccess file for Apache web servers by default, and how it can be configured to modify a .user.ini file for PHP-FastCGI. It should also talk about how it produces configuration directives for NGINX web server, but you have to manually copy those directives into your web server’s config file or it won’t do anything.
Since I use NGINX, this wasn’t what we wanted, because we cannot cut Devops out of the process of adding/removing HTTP Headers. We want the business to be able to simply add a header to wordpress and be done.
I just don’t understand one thing. Why isn’t it an option to just have the HTTP Header plugin make header('{header_name}: {header_value}'); calls within PHP for each request, instead of modifying a configuration file, so that it doesn’t matter what web server you are using?
And if it’s not possible to add the headers with PHP code, then why can’t we specify the location of the nginx.conf file for the plugin to modify, like we can for the .htaccess and .user.ini files?
Rating: 1 star
Try saving any setting (even without changing anything) and just get a critical error.
Rating: 5 stars
Great plugin with a huge amount of settings. Despite the complexity of the setup, the developers have added comments with links to full help. It helps a lot that the comments are also translated into Russian.
After setting up the plugin, be sure to check both the functionality of the site and the speed indicators. Some settings may slow down the site loading speed.
Rating: 5 stars
It’s a very useful plugin but I’d much love it if the developer put in some UX enhancements.
Thank you
Rating: 4 stars
I love this one. A lot of security settings, but you need a lot of technical knowledge to use them.
I would like to have a temporary disable function. The day after I installed it, I locked myself out for installing plugins, so I disabled some functions, but the point is you must remember to turn them on again when you are done. A temporary disable for say max 24 hours would be an awesome addition.
Rating: 5 stars
I can only really recommend this plugin. Magnificent, really easy to get the hang of.
Rating: 5 stars
Excellent plugin! Thank you so much for creating a solution that makes managing CORS so much easier.
Rating: 5 stars
I’ve been researching lots of information to improve my security and giving myself a headache. Then I found the HTTP Headers plugin and was able to do everything I wanted to and more in just a few minutes. Brilliant.
Rating: 4 stars
Works fine, but be careful with the realm in WWW-Authenticate!
Rating: 5 stars
Why isn’t it working on the main page?
Working only on inner pages
Rating: 3 stars
This module seems very complete, but you have to be a security pro to use it.
If you know nothing about it and want a simple module that takes care of security, this one is not for you.
Not to mention that both the module and the site that provides the help explanations are available only in English, which makes configuration even more difficult.
So I am giving 3 stars for the number of parameters the module lets you manage, because I take one off for the English-only language, and another for the presentation and internal navigation within the module, which is certainly clear, but which forces constant back-and-forth between configuring a feature and returning to the settings table to move on to the next parameter.
I would rather have expected a button that activates the feature, with the possible settings for the parameter appearing as in an FAQ, with an accordion menu (disabled / closed when the feature is disabled, and which activates when you press a button to enable the feature, thereby opening the accordion).
But I think it has what it takes to become the best module of its kind.
Rating: 5 stars
Thank you for the great plugin. If we made the recommended presets for WordPress, the price would not be there! At least the settings for WordPress which is out of the box, this is really not enough!
Rating: 5 stars
Amazing … Amazing …. Amazing
Rating: 5 stars
I thank you for your contribution to the WordPress community. This plugin is really nice, and makes setting headers for security and other concerns easy and transparent. Bravo!
Rating: 5 stars
I want to thank you for your awesome contribution of this plugin. I have made use of this and managed to improve not only security but also speed of my webpage. I now have Grade A on all points on webpagetest dot org. The last bits came in place with use of your plugin. I recommend this plugin but one needs to test with care and check how one’s webpage reacts as some settings can provoke changes to integrated maps and images and so on.
Many thanks
Rating: 5 stars
Helped me to add security headers to my site! Wish there were more tutorials with this plugin, it’s awesome!
Rating: 5 stars
Once I changed from Apache to PHP in ADVANCED SETTINGS it worked perfectly. I spent freaking hours trying to figure out how to add x-frame options code to my site header, and this plugin did the trick.
My site uses Flatsome theme.
Donation made!!
Thank you!
Rating: 5 stars
Thanks, you made all the HTTP config on my sites easy. Thankssss!
Rating: 5 stars
With the help of this plugin you can manage security headers easily. Really well done.
But you need to know what you are doing and you need to read a lot of documentation about http headers to understand the meaning of every option.
With my little knowledge of HTTP headers security I moved from grade F to D in less than 5 minutes. But I think I’ve done 10% of the work, maybe less.
I wish there was a paid service to configure this plugin.