[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKc00QFMtVYtDOaYM86HEcmkmtVbb3Ecy7VWL-OBDozc":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":86,"crawl_stats":37,"alternatives":92,"analysis":189,"fingerprints":773},"http-headers","HTTP Headers","1.19.2","Dimitar Ivanov","https:\u002F\u002Fprofiles.wordpress.org\u002Fzinoui\u002F","\u003Cp>HTTP Headers gives you control over the HTTP headers returned by your blog or website.\u003C\u002Fp>\n\u003Cp>Headers supported by HTTP Headers include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Access-Control-Allow-Origin\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Credentials\u003C\u002Fli>\n\u003Cli>Access-Control-Max-Age\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Methods\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Headers\u003C\u002Fli>\n\u003Cli>Access-Control-Expose-Headers\u003C\u002Fli>\n\u003Cli>Age 
\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Content-Security-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Cache-Control\u003C\u002Fli>\n\u003Cli>Clear-Site-Data\u003C\u002Fli>\n\u003Cli>Connection\u003C\u002Fli>\n\u003Cli>Content-Encoding\u003C\u002Fli>\n\u003Cli>Content-Type\u003C\u002Fli>\n\u003Cli>Cross-Origin-Embedder-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Opener-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Resource-Policy\u003C\u002Fli>\n\u003Cli>Expect-CT\u003C\u002Fli>\n\u003Cli>Expires\u003C\u002Fli>\n\u003Cli>Feature-Policy\u003C\u002Fli>\n\u003Cli>NEL\u003C\u002Fli>\n\u003Cli>Permissions-Policy\u003C\u002Fli>\n\u003Cli>Pragma\u003C\u002Fli>\n\u003Cli>P3P\u003C\u002Fli>\n\u003Cli>Referrer-Policy\u003C\u002Fli>\n\u003Cli>Report-To\u003C\u002Fli>\n\u003Cli>Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>Timing-Allow-Origin\u003C\u002Fli>\n\u003Cli>Vary\u003C\u002Fli>\n\u003Cli>WWW-Authenticate\u003C\u002Fli>\n\u003Cli>X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>X-DNS-Prefetch-Control\u003C\u002Fli>\n\u003Cli>X-Download-Options\u003C\u002Fli>\n\u003Cli>X-Frame-Options\u003C\u002Fli>\n\u003Cli>X-Permitted-Cross-Domain-Policies\u003C\u002Fli>\n\u003Cli>X-Powered-By\u003C\u002Fli>\n\u003Cli>X-Robots-Tag\u003C\u002Fli>\n\u003Cli>X-UA-Compatible\u003C\u002Fli>\n\u003Cli>X-XSS-Protection\u003C\u002Fli>\n\u003C\u002Ful>\n","HTTP Headers adds CORS & security HTTP headers to your website.",50000,715994,86,70,"2024-12-22T11:49:00.000Z","6.7.5","3.2","5.3",[20,21,22,4,23],"cors-headers","csp-header","custom-headers","security-headers","https:\u002F\u002Fgithub.com\u002Friverside\u002Fhttp-headers","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhttp-headers.1.19.2.zip",91,4,0,"2023-07-13 
00:00:00","2026-03-15T15:16:48.613Z",[32,48,60,74],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2023-37978","http-headers-server-side-request-forgery","HTTP Headers \u003C= 1.18.11 - Server-Side Request Forgery","The HTTP Headers plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.18.11 via the ajax-inspect.php file. This can allow authenticated attackers with admin access to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",null,"\u003C=1.18.11","1.19.0","medium",5.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2024-01-22 19:56:02",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F69971673-e317-452c-8c54-97de006a214f?source=api-prod",194,{"id":49,"url_slug":50,"title":51,"description":52,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":53,"cvss_vector":54,"vuln_type":55,"published_date":56,"updated_date":44,"references":57,"days_to_patch":59},"CVE-2023-37874","http-headers-authenticated-administrator-stored-cross-site-scripting","HTTP Headers \u003C= 1.18.11 - Authenticated (Administrator+) Stored Cross-Site Scripting","The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.18.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2023-07-10 00:00:00",[58],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffed4dd54-7a7e-483b-a623-3cf3392572b8?source=api-prod",197,{"id":61,"url_slug":62,"title":63,"description":64,"plugin_slug":4,"theme_slug":37,"affected_versions":65,"patched_in_version":66,"severity":40,"cvss_score":67,"cvss_vector":68,"vuln_type":69,"published_date":70,"updated_date":44,"references":71,"days_to_patch":73},"CVE-2023-1208","http-headers-authenticatedadministrator-remote-code-execution","HTTP Headers \u003C= 1.18.10 - Authenticated(Administrator+) Remote Code Execution","The HTTP Headers plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.18.10 via the 'http_headers_pre_update_option' function. This allows authenticated attackers with administrator-level permissions to write files and execute code on the server. 
The issue was partially fixed in 1.18.10 but not fully fixed until 1.18.11.","\u003C=1.18.10","1.18.11",6.6,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2023-06-19 00:00:00",[72],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F75b84eae-6ff2-49af-a420-2aeef50224e3?source=api-prod",218,{"id":75,"url_slug":76,"title":77,"description":78,"plugin_slug":4,"theme_slug":37,"affected_versions":79,"patched_in_version":80,"severity":40,"cvss_score":67,"cvss_vector":68,"vuln_type":81,"published_date":82,"updated_date":44,"references":83,"days_to_patch":85},"CVE-2023-1207","http-headers-authenticatedadministrator-sql-injection","HTTP Headers \u003C= 1.18.8 - Authenticated(Administrator+) SQL Injection","The HTTP Headers plugin for WordPress is vulnerable to SQL Injection via the 'http_headers_post_import' and 'http_headers_post_export' functions in versions up to, and including, 1.18.8 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers with administrator-level permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 
Note that 1.18.8 provided a partial patch by restricting this capability to Super Administrators.","\u003C=1.18.8","1.18.9","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2023-04-24 00:00:00",[84],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8ea6b79c-2a09-4a6e-9b4b-a81f96e3bc12?source=api-prod",274,{"slug":87,"display_name":7,"profile_url":8,"plugin_count":88,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":89,"trust_score":90,"computed_at":91},"zinoui",1,221,73,"2026-04-04T02:09:42.207Z",[93,113,134,152,171],{"slug":94,"name":95,"version":96,"author":97,"author_profile":98,"description":99,"short_description":100,"active_installs":101,"downloaded":102,"rating":28,"num_ratings":28,"last_updated":103,"tested_up_to":104,"requires_at_least":105,"requires_php":103,"tags":106,"homepage":109,"download_link":110,"security_score":111,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":112},"strict-security-headers","Strict Security Headers","0.1.0","Justin Kopepasah","https:\u002F\u002Fprofiles.wordpress.org\u002Fkopepasah\u002F","\u003Cp>Strict Security Headers is a straightforward and lightweight plugin designed to enhance the security of your WordPress website by implementing modern security headers. 
Simply activate the plugin, and the headers are automatically added, there’s absolutely no configuration needed!\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>Simple and Lightweight:\u003C\u002Fstrong> No configuration needed, just activate the plugin to enhance your website security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Security:\u003C\u002Fstrong> Helps in protecting your website against various types of attacks and vulnerabilities.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No Performance Impact:\u003C\u002Fstrong> Strict Security Headers is developed to have minimal impact on your website’s performance.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Additional Notes\u003C\u002Fh3>\n\u003Cp>For any issues, queries, or enhancements, please refer to the plugin support forum. Regular updates and enhancements will be rolled out to ensure optimum functionality and security of the plugin.\u003C\u002Fp>\n\u003Cp>Please consider sponsoring development to support the continued development and maintenance of this plugin: https:\u002F\u002Fgithub.com\u002Fsponsors\u002Fkopepasah\u003C\u002Fp>\n","Easily enable modern security headers for your website with the Strict Security Headers plugin, with no configuration required.",10,753,"","6.3.8","5.5",[107,4,108,23],"headers","security","https:\u002F\u002Fdualfocus.dev\u002Fproducts\u002Fstrict-security-headers\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstrict-security-headers.0.1.0.zip",100,"2026-03-15T10:48:56.248Z",{"slug":114,"name":115,"version":116,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":121,"downloaded":122,"rating":13,"num_ratings":123,"last_updated":124,"tested_up_to":125,"requires_at_least":126,"requires_php":127,"tags":128,"homepage":103,"download_link":132,"security_score":133,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"csp-manager","Content Security Policy 
Manager","1.2.1","Patrick Sletvold","https:\u002F\u002Fprofiles.wordpress.org\u002F16patsle\u002F","\u003Cp>\u003Cstrong>Content Security Policy Manager\u003C\u002Fstrong> is a WordPress plugin that allows you to easily configure \u003Ca href=\"https:\u002F\u002Fdeveloper.mozilla.org\u002Fen-US\u002Fdocs\u002FWeb\u002FHTTP\u002FCSP\" rel=\"nofollow ugc\">Content Security Policy headers\u003C\u002Fa> for your site. You can have different CSP headers for the admin interface, the frontend for logged in users, and the frontend for regular visitors. The CSP directives can be individually enabled, and each policy can be set to enforce, report or be disabled.\u003C\u002Fp>\n\u003Cp>Please note that this plugin offers limited help in figuring out what the contents of the policy should be. It only lets you configure the CSP in an easy-to-use interface.\u003C\u002Fp>\n","Plugin for configuring Content Security Policy headers for your site. Allows different CSP headers for admin, logged-in frontend and regular visitors",2000,33739,6,"2022-08-09T17:33:00.000Z","6.1.10","4.6","7.2",[129,130,108,23,131],"content-security-policy","csp","xss","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsp-manager.1.2.1.zip",85,{"slug":135,"name":136,"version":137,"author":138,"author_profile":139,"description":140,"short_description":141,"active_installs":142,"downloaded":143,"rating":111,"num_ratings":144,"last_updated":145,"tested_up_to":146,"requires_at_least":126,"requires_php":147,"tags":148,"homepage":150,"download_link":151,"security_score":111,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"gnu-terry-pratchett","GNU Terry Pratchett","0.4.1","Nick C","https:\u002F\u002Fprofiles.wordpress.org\u002Fmodernnerd\u002F","\u003Cp>The GNU Terry Pratchett plugin transmits an “X-Clacks-Overhead” header reading, “GNU Terry Pratchett” so that Terry’s name is whispered forevermore in the Internet’s “overhead”.\u003C\u002Fp>\n\u003Cp>In Pratchett’s “Going 
Postal”, workers who die in the line of duty have their names transmitted up and down the Discworld’s telegraph system as a tribute.\u003C\u002Fp>\n\u003Cp>This plugin makes it easy for WordPress users to do the same for Terry Pratchett, without having to modify their server configuration.\u003C\u002Fp>\n\u003Ch4>The GNU Terry Pratchett headers\u003C\u002Fh4>\n\u003Cp>The plugin adds the GNU Terry Pratchett header in two ways:\u003C\u002Fp>\n\u003Col>\n\u003Cli>As an HTTP header (if you don’t use a WordPress page caching plugin).\u003C\u002Fli>\n\u003Cli>As a meta tag in your HTML with the http-equiv attribute.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Settings\u003C\u002Fh4>\n\u003Cp>The text sent in HTTP headers and meta tags is “GNU Terry Pratchett” by default.\u003C\u002Fp>\n\u003Cp>Change this by visiting Settings \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> GNU Terry Pratchett in your WordPress admin area and editing the “X-Clacks-Overhead header” field.\u003C\u002Fp>\n\u003Cp>This option lets you honor other people you would like to remember by making them a small part of your site’s content forever.\u003C\u002Fp>\n\u003Ch4>Checking the HTTP header is sent\u003C\u002Fh4>\n\u003Cp>There are several ways to check that the HTTP header is appearing for your site:\u003C\u002Fp>\n\u003Col>\n\u003Cli>With your terminal (\u003Ccode>curl -I example.com\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>With Chrome’s Network tab.\u003C\u002Fli>\n\u003Cli>With the \u003Ca href=\"https:\u002F\u002Fchrome.google.com\u002Fwebstore\u002Fdetail\u002Fclacks-overhead-gnu-terry\u002Flnndfmobdoobjfcalkmfojmanbeoegab\" rel=\"nofollow ugc\">Clacks Overhead\u003C\u002Fa> Chrome plugin or the \u003Ca href=\"https:\u002F\u002Faddons.mozilla.org\u002Fen-US\u002Ffirefox\u002Faddon\u002Fgnu_terry_pratchett\u002F\" rel=\"nofollow ugc\">GNU Terry Pratchett Firefox extension\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Using the \u003Ca 
href=\"http:\u002F\u002Ftools.seobook.com\u002Fserver-header-checker\u002F\" rel=\"nofollow ugc\">Server Header Checker\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Note that the HTTP header is not sent if you use a page caching plugin. To send the HTTP header and continue to use a caching plugin, add the header at the server level. See http:\u002F\u002Fwww.gnuterrypratchett.com\u002F for options.\u003C\u002Fp>\n\u003Ch4>Checking the meta tag is added\u003C\u002Fh4>\n\u003Cp>You can check that the meta tag is visible by viewing your site’s HTML source and searching for “GNU Terry Pratchett”.\u003C\u002Fp>\n\u003Cp>The \u003Ca href=\"https:\u002F\u002Fchrome.google.com\u002Fwebstore\u002Fdetail\u002Fclacks-overhead-gnu-terry\u002Flnndfmobdoobjfcalkmfojmanbeoegab\" rel=\"nofollow ugc\">Clacks Overhead plugin\u003C\u002Fa> for Chrome and the \u003Ca href=\"https:\u002F\u002Faddons.mozilla.org\u002Fen-US\u002Ffirefox\u002Faddon\u002Fgnu_terry_pratchett\u002F\" rel=\"nofollow ugc\">GNU Terry Pratchett extension\u003C\u002Fa> for Firefox both light up when they detect the HTML meta tag or HTTP header.\u003C\u002Fp>\n\u003Ch4>Credits and contributions\u003C\u002Fh4>\n\u003Cp>Inspired by \u003Ca href=\"http:\u002F\u002Fwww.reddit.com\u002Fr\u002Fbestof\u002Fcomments\u002F2yyop7\u002Frdiscworld_redditors_with_web_servers_start\u002F\" rel=\"nofollow ugc\">this reddit post\u003C\u002Fa>, \u003Ca href=\"http:\u002F\u002Fboingboing.net\u002F2015\u002F03\u002F15\u002Fsending-terry-pratchett-home-w.html\" rel=\"nofollow ugc\">boingboing’s report\u003C\u002Fa>, and the \u003Ca href=\"http:\u002F\u002Fwww.gnuterrypratchett.com\u002F\" rel=\"nofollow ugc\">GNU Terry Pratchett\u003C\u002Fa> website.\u003C\u002Fp>\n\u003Cp>Contributions welcome at the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fnickcernis\u002Fgnu-terry-pratchett\" rel=\"nofollow ugc\">GitHub repo\u003C\u002Fa>.\u003C\u002Fp>\n","Add an X-Clacks-Overhead header with “GNU Terry Pratchett” to all 
non-admin pages.",1000,18229,13,"2025-12-02T20:30:00.000Z","6.9.4","5.6",[4,149],"terry-pratchett","https:\u002F\u002Fgithub.com\u002Fnickcernis\u002Fgnu-terry-pratchett","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgnu-terry-pratchett.0.4.1.zip",{"slug":153,"name":154,"version":155,"author":156,"author_profile":157,"description":158,"short_description":159,"active_installs":160,"downloaded":161,"rating":111,"num_ratings":162,"last_updated":163,"tested_up_to":146,"requires_at_least":164,"requires_php":165,"tags":166,"homepage":103,"download_link":170,"security_score":111,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"security-header","HTTP Security Header","3.1","MOHIT GOYAL","https:\u002F\u002Fprofiles.wordpress.org\u002Fmohitgoyal1108\u002F","\u003Cp>\u003Cstrong>HTTP Security Header\u003C\u002Fstrong> helps protect your WordPress site by adding critical HTTP headers to each response — with no code required. These headers provide additional layers of protection against attacks such as cross-site scripting (XSS), clickjacking, content injection, and resource leaks.\u003C\u002Fp>\n\u003Cp>This plugin offers a modern, responsive admin dashboard with validation, fallback safety, and full control over each header’s default or custom value.\u003C\u002Fp>\n\u003Ch3>🔎 Scan Your Website Security Headers\u003C\u002Fh3>\n\u003Cp>Before configuring headers, instantly check your website’s current security score using our online header scanner:\u003C\u002Fp>\n\u003Cp>👉 \u003Ca href=\"https:\u002F\u002Finspiredmonks.com\u002Fhttp-security-header-scanner\u002F\" rel=\"nofollow ugc\">Scan Your Website Security Headers\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>✔ Enter your website URL\u003Cbr \u002F>\n✔ Get instant Security Grade (A+ to F)\u003Cbr \u002F>\n✔ See which headers are Present or Missing\u003Cbr \u002F>\n✔ Get clear, actionable recommendations\u003Cbr \u002F>\n✔ Easily fix them using this plugin\u003C\u002Fp>\n\u003Cp>Used by 
thousands of websites to enhance security and protect user data.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features Include:\u003C\u002Fstrong>\u003Cbr \u002F>\n– Visual toggles for enabling\u002Fdisabling headers\u003Cbr \u002F>\n– Option to use \u003Cstrong>default or custom header values\u003C\u002Fstrong>\u003Cbr \u002F>\n– Secure fallback if a header is misconfigured\u003Cbr \u002F>\n– Integrated \u003Cstrong>header validation\u003C\u002Fstrong>\u003Cbr \u002F>\n– Support for all major browser-supported headers\u003Cbr \u002F>\n– Nonce-based saving and admin notices\u003Cbr \u002F>\n– WP Multisite compatible\u003Cbr \u002F>\n– “Disable All” and “Reset to Important Headers” actions\u003Cbr \u002F>\n– Per-header input validation with real-time error fallback\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Supported Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Strict-Transport-Security (HSTS)\u003Cbr \u002F>\n* X-Frame-Options\u003Cbr \u002F>\n* X-Content-Type-Options\u003Cbr \u002F>\n* Referrer-Policy\u003Cbr \u002F>\n* Content-Security-Policy\u003Cbr \u002F>\n* Permissions-Policy\u003Cbr \u002F>\n* X-XSS-Protection\u003Cbr \u002F>\n* X-Permitted-Cross-Domain-Policies\u003Cbr \u002F>\n* Expect-CT\u003Cbr \u002F>\n* Cross-Origin-Opener-Policy (COOP)\u003Cbr \u002F>\n* Cross-Origin-Resource-Policy (CORP)\u003Cbr \u002F>\n* Cross-Origin-Embedder-Policy (COEP)\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Lightweight and performance-focused  \u003C\u002Fli>\n\u003Cli>No front-end impact  \u003C\u002Fli>\n\u003Cli>Choose default or custom header values  \u003C\u002Fli>\n\u003Cli>Secure validation and auto-fallbacks  \u003C\u002Fli>\n\u003Cli>Seamless plugin compatibility (including WP Rocket)  \u003C\u002Fli>\n\u003Cli>Fully translation-ready and i18n-compliant  \u003C\u002Fli>\n\u003Cli>Nonce-protected admin save actions  \u003C\u002Fli>\n\u003Cli>Optional reset-to-default support  \u003C\u002Fli>\n\u003Cli>Reset or disable all headers with one 
click\u003C\u002Fli>\n\u003C\u002Ful>\n","Add and manage essential HTTP security headers with ease. Protect your WordPress site from XSS, clickjacking, and other common vulnerabilities.",800,4254,3,"2025-12-30T17:44:00.000Z","5.0","7.0",[167,129,168,23,169],"clickjacking","http-security-header","wordpress-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-header.3.1.zip",{"slug":172,"name":173,"version":174,"author":175,"author_profile":176,"description":177,"short_description":178,"active_installs":179,"downloaded":180,"rating":181,"num_ratings":182,"last_updated":183,"tested_up_to":184,"requires_at_least":164,"requires_php":165,"tags":185,"homepage":187,"download_link":188,"security_score":133,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"firstpage-sg-security-headers","Security Headers","1.0.0","Joseph Mendez","https:\u002F\u002Fprofiles.wordpress.org\u002Fjoshme21\u002F","\u003Cp>Security headers are directives used by web applications to configure security defenses.\u003C\u002Fp>\n\u003Ch3>Why are security headers important?\u003C\u002Fh3>\n\u003Cp>When auditing websites, security headers are frequently forgotten.\u003C\u002Fp>\n\u003Cp>Although some may argue that website security is unrelated to SEO, it does become so when a site is compromised and search traffic completely disappears.\u003C\u002Fp>\n\u003Cp>Everyone who publishes content online should pay special attention to security headers.\u003C\u002Fp>\n\u003Cp>Getting hacked is not good. 
You lose traffic, customers and it’s a pain to resolve all the issues.\u003C\u002Fp>\n\u003Cp>But good thing you’re smart and have searched for this plugin :).\u003C\u002Fp>\n","Security headers are directives used by web applications to configure security defenses.",700,4275,60,2,"2022-09-24T01:34:00.000Z","6.0.11",[23,186],"seo-security-headers","https:\u002F\u002Fwww.firstpagedigital.sg\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffirstpage-sg-security-headers.1.0.0.zip",{"attackSurface":190,"codeSignals":244,"taintFlows":714,"riskAssessment":761,"analyzedAt":772},{"hooks":191,"ajaxHandlers":234,"restRoutes":241,"shortcodes":242,"cronEvents":243,"entryPointCount":88,"unprotectedCount":28},[192,198,202,206,211,215,218,222,226,230],{"type":193,"name":194,"callback":195,"file":196,"line":197},"action","wp_logout","http_headers_logout","http-headers.php",1602,{"type":193,"name":199,"callback":200,"file":196,"line":201},"admin_menu","http_headers_admin_add_page",1605,{"type":193,"name":203,"callback":204,"file":196,"line":205},"admin_init","http_headers_admin",1606,{"type":207,"name":208,"callback":209,"priority":101,"file":196,"line":210},"filter","pre_update_option","http_headers_pre_update_option",1607,{"type":193,"name":212,"callback":213,"file":196,"line":214},"added_option","http_headers_option",1608,{"type":193,"name":216,"callback":213,"file":196,"line":217},"updated_option",1609,{"type":193,"name":219,"callback":220,"file":196,"line":221},"admin_enqueue_scripts","http_headers_enqueue",1610,{"type":193,"name":223,"callback":224,"file":196,"line":225},"after_setup_theme","http_headers_after_setup_theme",1611,{"type":193,"name":227,"callback":228,"file":196,"line":229},"plugins_loaded","http_headers_text_domain",1612,{"type":193,"name":231,"callback":232,"file":196,"line":233},"send_headers","http_headers",1616,[235],{"action":236,"nopriv":237,"callback":238,"hasNonce":239,"hasCapCheck":239,"file":196,"line":240},"inspect",false,"http_heade
rs_ajax_inspect",true,1613,[],[],[],{"dangerousFunctions":245,"sqlUsage":246,"outputEscaping":248,"fileOperations":162,"externalRequests":28,"nonceChecks":712,"capabilityChecks":88,"bundledLibraries":713},[],{"prepared":28,"raw":28,"locations":247},[],{"escaped":249,"rawEcho":250,"locations":251},68,312,[252,256,257,259,260,262,263,265,266,268,269,271,272,274,275,277,278,280,281,283,284,286,287,290,291,293,294,296,298,299,301,302,303,305,307,308,310,312,313,315,317,318,321,323,325,327,328,329,331,333,334,336,337,338,339,341,342,345,347,349,351,353,355,356,358,359,361,362,364,365,366,367,369,370,372,373,375,376,378,379,381,383,384,386,387,388,390,393,394,396,398,400,401,403,404,405,406,408,409,411,412,414,415,416,417,420,421,423,424,426,428,430,431,433,434,437,438,439,440,441,443,444,446,447,449,450,452,453,454,455,458,460,461,463,465,467,468,470,471,472,473,474,476,477,479,480,482,483,484,485,486,489,490,491,492,493,494,495,497,499,501,503,505,506,507,509,511,512,513,515,516,517,519,521,523,525,527,528,529,530,531,532,534,536,538,540,542,543,544,545,548,549,550,551,552,553,554,555,556,557,559,560,561,562,564,565,567,568,570,571,573,574,576,578,580,582,583,585,587,588,589,590,592,593,594,596,597,598,599,600,601,602,603,604,605,606,608,609,610,611,613,614,616,618,620,622,623,625,627,629,631,633,634,635,636,638,639,640,641,643,644,645,646,648,649,650,651,653,654,655,656,658,659,660,661,663,664,666,667,669,670,671,672,674,675,676,677,679,680,681,682,684,685,686,687,688,690,691,693,695,697,698,699,701,702,704,705,706,707,709,710,711],{"file":253,"line":254,"context":255},"views\\access-control-allow-credentials.php",21,"raw 
output",{"file":253,"line":254,"context":255},{"file":253,"line":258,"context":255},34,{"file":253,"line":258,"context":255},{"file":261,"line":254,"context":255},"views\\access-control-allow-headers.php",{"file":261,"line":254,"context":255},{"file":261,"line":264,"context":255},45,{"file":261,"line":264,"context":255},{"file":267,"line":254,"context":255},"views\\access-control-allow-methods.php",{"file":267,"line":254,"context":255},{"file":267,"line":270,"context":255},38,{"file":267,"line":270,"context":255},{"file":273,"line":254,"context":255},"views\\access-control-allow-origin.php",{"file":273,"line":254,"context":255},{"file":273,"line":276,"context":255},48,{"file":273,"line":276,"context":255},{"file":279,"line":254,"context":255},"views\\access-control-expose-headers.php",{"file":279,"line":254,"context":255},{"file":279,"line":282,"context":255},49,{"file":279,"line":282,"context":255},{"file":285,"line":254,"context":255},"views\\access-control-max-age.php",{"file":285,"line":254,"context":255},{"file":288,"line":289,"context":255},"views\\advanced.php",40,{"file":288,"line":276,"context":255},{"file":288,"line":292,"context":255},65,{"file":288,"line":292,"context":255},{"file":288,"line":295,"context":255},67,{"file":288,"line":297,"context":255},75,{"file":288,"line":297,"context":255},{"file":288,"line":300,"context":255},77,{"file":288,"line":133,"context":255},{"file":288,"line":133,"context":255},{"file":288,"line":304,"context":255},87,{"file":288,"line":306,"context":255},95,{"file":288,"line":306,"context":255},{"file":288,"line":309,"context":255},97,{"file":288,"line":311,"context":255},134,{"file":288,"line":311,"context":255},{"file":288,"line":314,"context":255},136,{"file":316,"line":254,"context":255},"views\\age.php",{"file":316,"line":254,"context":255},{"file":319,"line":320,"context":255},"views\\ajax-inspect.php",35,{"file":319,"line":322,"context":255},81,{"file":319,"line":324,"context":255},82,{"file":319,"line":326,"context":
255},123,{"file":319,"line":326,"context":255},{"file":319,"line":326,"context":255},{"file":319,"line":330,"context":255},124,{"file":332,"line":254,"context":255},"views\\cache-control.php",{"file":332,"line":254,"context":255},{"file":332,"line":335,"context":255},56,{"file":332,"line":335,"context":255},{"file":332,"line":181,"context":255},{"file":332,"line":181,"context":255},{"file":332,"line":340,"context":255},63,{"file":332,"line":340,"context":255},{"file":343,"line":344,"context":255},"views\\category.php",236,{"file":343,"line":346,"context":255},237,{"file":343,"line":348,"context":255},238,{"file":343,"line":350,"context":255},239,{"file":343,"line":352,"context":255},240,{"file":354,"line":254,"context":255},"views\\clear-site-data.php",{"file":354,"line":254,"context":255},{"file":354,"line":357,"context":255},50,{"file":354,"line":357,"context":255},{"file":354,"line":360,"context":255},54,{"file":354,"line":360,"context":255},{"file":363,"line":254,"context":255},"views\\connection.php",{"file":363,"line":254,"context":255},{"file":363,"line":258,"context":255},{"file":363,"line":258,"context":255},{"file":368,"line":254,"context":255},"views\\content-encoding.php",{"file":368,"line":254,"context":255},{"file":368,"line":371,"context":255},96,{"file":368,"line":371,"context":255},{"file":368,"line":374,"context":255},115,{"file":368,"line":374,"context":255},{"file":377,"line":270,"context":255},"views\\content-security-policy.php",{"file":377,"line":270,"context":255},{"file":377,"line":380,"context":255},89,{"file":382,"line":254,"context":255},"views\\content-type.php",{"file":382,"line":254,"context":255},{"file":382,"line":385,"context":255},59,{"file":382,"line":181,"context":255},{"file":382,"line":340,"context":255},{"file":382,"line":389,"context":255},64,{"file":391,"line":392,"context":255},"views\\cookie-security.php",23,{"file":391,"line":392,"context":255},{"file":391,"line":395,"context":255},41,{"file":391,"line":397,"context":255}
,42,{"file":391,"line":399,"context":255},55,{"file":391,"line":399,"context":255},{"file":402,"line":254,"context":255},"views\\cross-origin-embedder-policy.php",{"file":402,"line":254,"context":255},{"file":402,"line":258,"context":255},{"file":402,"line":258,"context":255},{"file":407,"line":392,"context":255},"views\\cross-origin-opener-policy.php",{"file":407,"line":392,"context":255},{"file":407,"line":410,"context":255},36,{"file":407,"line":410,"context":255},{"file":413,"line":254,"context":255},"views\\cross-origin-resource-policy.php",{"file":413,"line":254,"context":255},{"file":413,"line":258,"context":255},{"file":413,"line":258,"context":255},{"file":418,"line":419,"context":255},"views\\custom-headers.php",26,{"file":418,"line":419,"context":255},{"file":422,"line":419,"context":255},"views\\dashboard.php",{"file":422,"line":419,"context":255},{"file":422,"line":425,"context":255},28,{"file":422,"line":427,"context":255},29,{"file":429,"line":254,"context":255},"views\\expect-ct.php",{"file":429,"line":254,"context":255},{"file":429,"line":432,"context":255},37,{"file":429,"line":432,"context":255},{"file":435,"line":436,"context":255},"views\\expires.php",25,{"file":435,"line":436,"context":255},{"file":435,"line":13,"context":255},{"file":435,"line":304,"context":255},{"file":435,"line":380,"context":255},{"file":435,"line":442,"context":255},93,{"file":435,"line":442,"context":255},{"file":445,"line":254,"context":255},"views\\feature-policy.php",{"file":445,"line":254,"context":255},{"file":445,"line":448,"context":255},80,{"file":445,"line":324,"context":255},{"file":445,"line":451,"context":255},84,{"file":445,"line":380,"context":255},{"file":445,"line":380,"context":255},{"file":445,"line":442,"context":255},{"file":456,"line":457,"context":255},"views\\includes\\breadcrumbs.inc.php",7,{"file":456,"line":459,"context":255},15,{"file":456,"line":459,"context":255},{"file":456,"line":462,"context":255},16,{"file":464,"line":182,"context":255},"
views\\includes\\csp-inc.inc.php",{"file":466,"line":254,"context":255},"views\\includes\\csp-sandbox.inc.php",{"file":466,"line":254,"context":255},{"file":466,"line":469,"context":255},22,{"file":466,"line":469,"context":255},{"file":466,"line":436,"context":255},{"file":466,"line":436,"context":255},{"file":466,"line":436,"context":255},{"file":475,"line":392,"context":255},"views\\includes\\csp-src.inc.php",{"file":475,"line":392,"context":255},{"file":475,"line":478,"context":255},24,{"file":475,"line":478,"context":255},{"file":475,"line":481,"context":255},27,{"file":475,"line":481,"context":255},{"file":475,"line":481,"context":255},{"file":475,"line":324,"context":255},{"file":475,"line":133,"context":255},{"file":487,"line":488,"context":255},"views\\includes\\csp-sri.inc.php",12,{"file":487,"line":488,"context":255},{"file":487,"line":144,"context":255},{"file":487,"line":144,"context":255},{"file":487,"line":462,"context":255},{"file":487,"line":462,"context":255},{"file":487,"line":462,"context":255},{"file":496,"line":88,"context":255},"views\\includes\\csp-text.inc.php",{"file":498,"line":462,"context":255},"views\\index.php",{"file":498,"line":500,"context":255},18,{"file":498,"line":502,"context":255},31,{"file":498,"line":504,"context":255},33,{"file":498,"line":395,"context":255},{"file":498,"line":397,"context":255},{"file":498,"line":508,"context":255},43,{"file":510,"line":488,"context":255},"views\\inspect.php",{"file":510,"line":500,"context":255},{"file":510,"line":500,"context":255},{"file":514,"line":144,"context":255},"views\\manual.php",{"file":514,"line":500,"context":255},{"file":514,"line":436,"context":255},{"file":514,"line":518,"context":255},32,{"file":514,"line":520,"context":255},39,{"file":514,"line":522,"context":255},46,{"file":514,"line":524,"context":255},51,{"file":514,"line":526,"context":255},58,{"file":514,"line":181,"context":255},{"file":514,"line":14,"context":255},{"file":514,"line":300,"context":255},{"file":514,"l
ine":451,"context":255},{"file":514,"line":26,"context":255},{"file":514,"line":533,"context":255},98,{"file":514,"line":535,"context":255},105,{"file":514,"line":537,"context":255},114,{"file":514,"line":539,"context":255},116,{"file":541,"line":254,"context":255},"views\\nel.php",{"file":541,"line":254,"context":255},{"file":541,"line":524,"context":255},{"file":541,"line":524,"context":255},{"file":546,"line":547,"context":255},"views\\p3p.php",17,{"file":546,"line":547,"context":255},{"file":546,"line":264,"context":255},{"file":546,"line":264,"context":255},{"file":546,"line":385,"context":255},{"file":546,"line":385,"context":255},{"file":546,"line":90,"context":255},{"file":546,"line":90,"context":255},{"file":546,"line":304,"context":255},{"file":546,"line":304,"context":255},{"file":546,"line":558,"context":255},101,{"file":546,"line":558,"context":255},{"file":546,"line":374,"context":255},{"file":546,"line":374,"context":255},{"file":546,"line":563,"context":255},129,{"file":546,"line":563,"context":255},{"file":546,"line":566,"context":255},143,{"file":546,"line":566,"context":255},{"file":546,"line":569,"context":255},157,{"file":546,"line":569,"context":255},{"file":572,"line":254,"context":255},"views\\permissions-policy.php",{"file":572,"line":254,"context":255},{"file":572,"line":575,"context":255},90,{"file":572,"line":577,"context":255},92,{"file":572,"line":579,"context":255},94,{"file":572,"line":581,"context":255},99,{"file":572,"line":581,"context":255},{"file":572,"line":584,"context":255},103,{"file":586,"line":254,"context":255},"views\\pragma.php",{"file":586,"line":254,"context":255},{"file":586,"line":258,"context":255},{"file":586,"line":258,"context":255},{"file":591,"line":254,"context":255},"views\\referrer-policy.php",{"file":591,"line":254,"context":255},{"file":591,"line":258,"context":255},{"file":595,"line":547,"context":255},"views\\report-to.php",{"file":595,"line":547,"context":255},{"file":595,"line":451,"context":255},{"fil
e":595,"line":380,"context":255},{"file":595,"line":380,"context":255},{"file":595,"line":575,"context":255},{"file":595,"line":575,"context":255},{"file":595,"line":442,"context":255},{"file":595,"line":442,"context":255},{"file":595,"line":309,"context":255},{"file":595,"line":309,"context":255},{"file":595,"line":607,"context":255},102,{"file":595,"line":607,"context":255},{"file":595,"line":584,"context":255},{"file":595,"line":584,"context":255},{"file":595,"line":612,"context":255},104,{"file":595,"line":612,"context":255},{"file":595,"line":615,"context":255},122,{"file":595,"line":617,"context":255},140,{"file":595,"line":619,"context":255},141,{"file":595,"line":621,"context":255},144,{"file":595,"line":621,"context":255},{"file":595,"line":624,"context":255},148,{"file":595,"line":626,"context":255},150,{"file":595,"line":628,"context":255},151,{"file":595,"line":630,"context":255},152,{"file":632,"line":254,"context":255},"views\\strict-transport-security.php",{"file":632,"line":254,"context":255},{"file":632,"line":432,"context":255},{"file":632,"line":432,"context":255},{"file":637,"line":254,"context":255},"views\\timing-allow-origin.php",{"file":637,"line":254,"context":255},{"file":637,"line":258,"context":255},{"file":637,"line":258,"context":255},{"file":642,"line":254,"context":255},"views\\vary.php",{"file":642,"line":254,"context":255},{"file":642,"line":508,"context":255},{"file":642,"line":508,"context":255},{"file":647,"line":254,"context":255},"views\\www-authenticate.php",{"file":647,"line":254,"context":255},{"file":647,"line":289,"context":255},{"file":647,"line":289,"context":255},{"file":652,"line":254,"context":255},"views\\x-content-type-options.php",{"file":652,"line":254,"context":255},{"file":652,"line":258,"context":255},{"file":652,"line":258,"context":255},{"file":657,"line":469,"context":255},"views\\x-dns-prefetch-control.php",{"file":657,"line":469,"context":255},{"file":657,"line":320,"context":255},{"file":657,"line":320,"c
ontext":255},{"file":662,"line":547,"context":255},"views\\x-download-options.php",{"file":662,"line":547,"context":255},{"file":662,"line":665,"context":255},30,{"file":662,"line":665,"context":255},{"file":668,"line":254,"context":255},"views\\x-frame-options.php",{"file":668,"line":254,"context":255},{"file":668,"line":320,"context":255},{"file":668,"line":320,"context":255},{"file":673,"line":547,"context":255},"views\\x-permitted-cross-domain-policies.php",{"file":673,"line":547,"context":255},{"file":673,"line":665,"context":255},{"file":673,"line":665,"context":255},{"file":678,"line":547,"context":255},"views\\x-powered-by.php",{"file":678,"line":547,"context":255},{"file":678,"line":258,"context":255},{"file":678,"line":258,"context":255},{"file":683,"line":254,"context":255},"views\\x-robots-tag.php",{"file":683,"line":254,"context":255},{"file":683,"line":335,"context":255},{"file":683,"line":335,"context":255},{"file":683,"line":181,"context":255},{"file":683,"line":689,"context":255},61,{"file":683,"line":292,"context":255},{"file":683,"line":692,"context":255},66,{"file":683,"line":694,"context":255},71,{"file":683,"line":696,"context":255},72,{"file":683,"line":300,"context":255},{"file":683,"line":300,"context":255},{"file":683,"line":700,"context":255},83,{"file":683,"line":451,"context":255},{"file":703,"line":547,"context":255},"views\\x-ua-compatible.php",{"file":703,"line":547,"context":255},{"file":703,"line":665,"context":255},{"file":703,"line":665,"context":255},{"file":708,"line":254,"context":255},"views\\x-xss-protection.php",{"file":708,"line":254,"context":255},{"file":708,"line":320,"context":255},{"file":708,"line":320,"context":255},9,[],[715,731,750],{"entryPoint":716,"graph":717,"unsanitizedCount":88,"severity":40},"http_headers 
(http-headers.php:608)",{"nodes":718,"edges":729},[719,724],{"id":720,"type":721,"label":722,"file":196,"line":723},"n0","source","$_SERVER['HTTP_ORIGIN']",625,{"id":725,"type":726,"label":727,"file":196,"line":723,"wp_function":728},"n1","sink","header() [Header Injection]","header",[730],{"from":720,"to":725,"sanitized":237},{"entryPoint":732,"graph":733,"unsanitizedCount":28,"severity":749},"\u003Chttp-headers> (http-headers.php:0)",{"nodes":734,"edges":746},[735,736,737,741],{"id":720,"type":721,"label":722,"file":196,"line":723},{"id":725,"type":726,"label":727,"file":196,"line":723,"wp_function":728},{"id":738,"type":721,"label":739,"file":196,"line":740},"n2","$_SERVER",570,{"id":742,"type":726,"label":743,"file":196,"line":744,"wp_function":745},"n3","file_put_contents() [File Write]",1462,"file_put_contents",[747,748],{"from":720,"to":725,"sanitized":239},{"from":738,"to":742,"sanitized":239},"low",{"entryPoint":751,"graph":752,"unsanitizedCount":88,"severity":749},"\u003Cajax-inspect> (views\\ajax-inspect.php:0)",{"nodes":753,"edges":759},[754,756],{"id":720,"type":721,"label":755,"file":319,"line":419},"$_POST",{"id":725,"type":726,"label":757,"file":319,"line":320,"wp_function":758},"echo() [XSS]","echo",[760],{"from":720,"to":725,"sanitized":237},{"summary":762,"deductions":763},"The 'http-headers' plugin exhibits a mixed security posture. It demonstrates good practices: it has no unprotected entry points, all SQL queries use prepared statements, and a significant number of nonce and capability checks are implemented. However, there are significant concerns regarding output escaping and historical vulnerability patterns. The static analysis reveals that only 18% of outputs are properly escaped; the unescaped remainder is exposed to cross-site scripting (XSS) wherever the echoed value can be influenced by a user, so each flagged output needs manual review rather than being counted as a confirmed vulnerability. Furthermore, two out of three analyzed taint flows involve unsanitized paths, indicating potential vulnerabilities that could be exploited if they lead to sensitive operations. 
The plugin's history of four medium-severity vulnerabilities, including SSRF, XSS, Code Injection, and SQL Injection, is a major red flag. Although all four are currently patched, the recurrence of these vulnerability classes suggests underlying architectural weaknesses or persistent coding errors that could resurface or manifest in new forms. The plugin's strengths lie in its controlled attack surface and secure database interactions, but the weak output escaping and historical vulnerability profile necessitate caution.",[764,766,768,770],{"reason":765,"points":459},"Low percentage of properly escaped output",{"reason":767,"points":101},"Taint flows with unsanitized paths detected",{"reason":769,"points":459},"History of medium severity vulnerabilities (4 total)",{"reason":771,"points":459},"Common vulnerability types include XSS, Code Injection, SQLi, SSRF","2026-03-16T17:18:26.510Z",{"wat":774,"direct":787},{"assetPaths":775,"generatorPatterns":780,"scriptPaths":781,"versionParams":782},[776,777,778,779],"\u002Fwp-content\u002Fplugins\u002Fhttp-headers\u002Fcss\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Fhttp-headers\u002Fcss\u002Ffront.css","\u002Fwp-content\u002Fplugins\u002Fhttp-headers\u002Fjs\u002Fadmin.js","\u002Fwp-content\u002Fplugins\u002Fhttp-headers\u002Fjs\u002Ffront.js",[],[778,779],[783,784,785,786],"http-headers\u002Fcss\u002Fadmin.css?ver=","http-headers\u002Fcss\u002Ffront.css?ver=","http-headers\u002Fjs\u002Fadmin.js?ver=","http-headers\u002Fjs\u002Ffront.js?ver=",{"cssClasses":788,"htmlComments":790,"htmlAttributes":793,"restEndpoints":795,"jsGlobals":797,"shortcodeOutput":799},[789],"http-headers-menu",[791,792],"\u003C!-- http_headers_start -->","\u003C!-- http_headers_end -->",[794],"data-hh-nonce",[796],"\u002Fwp-json\u002Fhttp-headers\u002Fv1\u002Fsettings",[798],"httpHeaders",[]]