[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQ6UsCS4k6AE7AUTmWmxRlYHig-fMNDDM0cmQZ2_lt2Q":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":134,"fingerprints":197},"security-headers-caching","Security Headers & Caching","7.4","Studio Be4","https:\u002F\u002Fprofiles.wordpress.org\u002Fstudiobe4\u002F","\u003Cp>Security Headers & Caching is a comprehensive WordPress plugin that helps protect your website by implementing essential HTTP security headers and optimizing performance through intelligent caching mechanisms. Compatible with all hosting providers including Aruba, SiteGround, Bluehost, and more.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Easy Configuration\u003C\u002Fstrong> – Simple admin interface to enable\u002Fdisable security headers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Security Headers\u003C\u002Fstrong> – Comprehensive security header support\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Smart Caching\u003C\u002Fstrong> – Configurable cache duration for better performance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Universal Compatibility\u003C\u002Fstrong> – Works with all hosting providers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No Conflicts\u003C\u002Fstrong> – Compatible with popular security and caching plugins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Translation Ready\u003C\u002Fstrong> – Full internationalization support\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security Headers Included\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>X-Powered-By\u003C\u002Fstrong> – Removes server technology 
information to prevent targeted attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content-Security-Policy (CSP)\u003C\u002Fstrong> – Controls which resources can be loaded to prevent XSS attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Strict-Transport-Security (HSTS)\u003C\u002Fstrong> – Forces HTTPS connections for enhanced security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-XSS-Protection\u003C\u002Fstrong> – Enables XSS filtering in older browsers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-Frame-Options\u003C\u002Fstrong> – Prevents clickjacking attacks by controlling iframe embedding\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-Content-Type-Options\u003C\u002Fstrong> – Prevents MIME type sniffing\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Referrer-Policy\u003C\u002Fstrong> – Controls how much referrer information is shared\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Permissions-Policy\u003C\u002Fstrong> – Controls browser features and APIs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Caching Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Configurable cache duration (seconds)\u003C\u002Fli>\n\u003Cli>Automatic cache headers management\u003C\u002Fli>\n\u003Cli>Compatible with CDN services\u003C\u002Fli>\n\u003Cli>No conflict with existing cache plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Why Security Headers Matter\u003C\u002Fh4>\n\u003Cp>Security headers are HTTP response headers that tell your browser how to behave when handling your website’s content. 
They help protect against:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Cross-Site Scripting (XSS) attacks\u003C\u002Fli>\n\u003Cli>Clickjacking attempts\u003C\u002Fli>\n\u003Cli>Code injection attacks\u003C\u002Fli>\n\u003Cli>MIME type sniffing\u003C\u002Fli>\n\u003Cli>Protocol downgrade attacks\u003C\u002Fli>\n\u003Cli>And much more…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Developer Friendly\u003C\u002Fh4>\n\u003Cp>The plugin provides filters for developers to customize headers:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>shc_security_headers\u003C\u002Fcode> – Filter to modify security headers array\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Test Your Security\u003C\u002Fh4>\n\u003Cp>After installing and configuring the plugin, test your site’s security at:\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fsecurityheaders.com\u002F\" rel=\"nofollow ugc\">Security Headers\u003C\u002Fa>\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fobservatory.mozilla.org\u002F\" rel=\"nofollow ugc\">Mozilla Observatory\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>Privacy\u003C\u002Fh4>\n\u003Cp>This plugin does not collect, store, or transmit any user data. 
It only modifies HTTP response headers sent by your server.\u003C\u002Fp>\n\u003Ch3>Developer Documentation\u003C\u002Fh3>\n\u003Ch4>Filters\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>shc_security_headers\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Modify the security headers before they are sent.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'shc_security_headers', function( $headers ) {\n    \u002F\u002F Add custom header\n    $headers['X-Custom-Header'] = 'custom-value';\n\n    \u002F\u002F Modify existing header\n    $headers['X-Frame-Options'] = 'DENY';\n\n    return $headers;\n} );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Constants\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>SHC_VERSION\u003C\u002Fcode> – Plugin version number\u003C\u002Fli>\n\u003Cli>\u003Ccode>SHC_PLUGIN_DIR\u003C\u002Fcode> – Plugin directory path\u003C\u002Fli>\n\u003Cli>\u003Ccode>SHC_PLUGIN_URL\u003C\u002Fcode> – Plugin directory URL\u003C\u002Fli>\n\u003Cli>\u003Ccode>SHC_PLUGIN_BASENAME\u003C\u002Fcode> – Plugin basename\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For support, feature requests, or bug reports, please visit:\u003Cbr \u002F>\n* \u003Ca href=\"https:\u002F\u002Fwww.studiobe4.it\" rel=\"nofollow ugc\">Plugin Website\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Developed by \u003Ca href=\"https:\u002F\u002Fwww.studiobe4.it\" rel=\"nofollow ugc\">Studio Be4\u003C\u002Fa> – Web Design & Development Agency\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later.\u003C\u002Fp>\n","Enhance your WordPress site security with HTTP security headers and improve performance with smart caching. 
Works with all hosting providers.",20,846,0,"2025-10-08T11:04:00.000Z","6.8.5","5.9","7.2",[19,20,21,22,23],"cache","csp","headers","hsts","security","https:\u002F\u002Fwww.studiobe4.it\u002Fsecurity-headers-caching","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecurity-headers-caching.7.4.zip",100,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"studiobe4",1,30,94,"2026-04-04T06:59:19.397Z",[37,57,73,99,118],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":47,"num_ratings":48,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":6,"tags":52,"homepage":55,"download_link":56,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"headers-security-advanced-hsts-wp","Headers Security Advanced & HSTS WP","5.2.5","Andrea Ferro","https:\u002F\u002Fprofiles.wordpress.org\u002Funicorn03\u002F","\u003Cp>\u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> is the best all-in-one free plug-in for all WordPress users. Deactivating this plugin will return your site configuration exactly to the state it was in before.\u003C\u002Fp>\n\u003Cp>The \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> project implements HTTP response headers that your site can use to increase the security of your website. The plug-in will automatically set up all best practices (you don’t have to think about anything); these HTTP response headers can prevent modern browsers from running into easily predictable vulnerabilities. 
The Headers Security Advanced & HSTS WP project wants to popularize and increase awareness and usage of these headers for all wordpress users.\u003C\u002Fp>\n\u003Cp>This plugin is developed by OpenHeaders by irn3, we care about WordPress security and best practices.\u003C\u002Fp>\n\u003Cp>Check out the best features of \u003Cstrong>Headers Security Advanced & HSTS WP:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>X-XSS-Protection (Deprecated)\u003C\u002Fli>\n\u003Cli>Pragma (Deprecated)\u003C\u002Fli>\n\u003Cli>Public-Key-Pins (Deprecated)\u003C\u002Fli>\n\u003Cli>Expect-CT (Deprecated)\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Origin\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Methods\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Headers\u003C\u002Fli>\n\u003Cli>X-Content-Security-Policy\u003C\u002Fli>\n\u003Cli>X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>X-Frame-Options\u003C\u002Fli>\n\u003Cli>X-Permitted-Cross-Domain-Policies\u003C\u002Fli>\n\u003Cli>X-Powered-By\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Referrer-Policy\u003C\u002Fli>\n\u003Cli>HTTP Strict Transport Security \u002F HSTS\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Content-Security-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Clear-Site-Data\u003C\u002Fli>\n\u003Cli>Cross-Origin-Embedder-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Cross-Origin-Opener-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Cross-Origin-Embedder-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Opener-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Resource-Policy\u003C\u002Fli>\n\u003Cli>Permissions-Policy\u003C\u002Fli>\n\u003Cli>Strict-dynamic\u003C\u002Fli>\n\u003Cli>Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>FLoC (Federated Learning of Cohorts)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> is based on \u003Cstrong>OWASP CSRF\u003C\u002Fstrong> to protect your wordpress site. 
Using OWASP CSRF, once the plugin is installed, it will provide full CSRF mitigation without having to call a method to use nonce on the output. The site will be secure despite having other vulnerable plugins (CSRF).\u003C\u002Fp>\n\u003Cp>HTTP security headers are a critical part of your website’s security. After automatic implementation with Headers Security Advanced & HSTS WP, they protect you from the most notorious types of attacks your site might encounter. These headers protect against XSS, code injection, clickjacking, etc.\u003C\u002Fp>\n\u003Cp>We have put a lot of effort into making the most important services operational with \u003Cstrong>Content Security Policy (CSP)\u003C\u002Fstrong>, below are some examples that we have tested and used with \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>CSP usage for \u003Cstrong>Google Tag Manager\u003C\u002Fstrong>\u003Cbr \u002F>\nworld’s most popular tag manager\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Gravatar\u003C\u002Fstrong>\u003Cbr \u002F>\nAvatar service for WordPress and Social sites\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>WordPress Internal Media\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport WordPress media\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Youtube Embedded Video SDK\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Youtube embedded frames and JS SDK\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>CookieLaw\u003C\u002Fstrong>\u003Cbr \u002F>\nprivacy technology to meet regulatory requirements\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Mailchimp\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for Mailchimp automation, SDK and modules\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Google Analytics\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for basic conversion domains such as: stats.g.doubleclick.net and www.google.com\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Google 
Fonts\u003C\u002Fstrong>\u003Cbr \u002F>\nyou’re not loading it on the page, chances are one of your SDKs is using it\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Facebook\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Facebook SDK functionality\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Stripe\u003C\u002Fstrong>\u003Cbr \u002F>\nhighly secure online payment system\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>New Relic\u003C\u002Fstrong>\u003Cbr \u002F>\nit’s a registration and monitoring utility\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Linkedin Tags + SDKs\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Linkedin Insight, Linkedin Ads and SDK\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>OneTrust\u003C\u002Fstrong>\u003Cbr \u002F>\nOneTrust support helps companies manage privacy requirements\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Moat\u003C\u002Fstrong>\u003Cbr \u002F>\nMoat support to measurement suite such as: ad verification, brand safety, advertising and coverage\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>jQuery\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport of jQuery – JS library\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Twitter Widgets & SDKs\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Connect, Widgets and the Twitter client-side SDK\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Google Maps\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport Google Maps as The ggpht used by streetview\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Quantcast Choice\u003C\u002Fstrong>\u003Cbr \u002F>\nQuantcast support for privacy such as GDPR and CCPA\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Twitter Ads & Analytics\u003C\u002Fstrong>\u003Cbr \u002F>\nTwitter support for advertising and Analytics\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Paypal\u003C\u002Fstrong>\u003Cbr \u002F>\nPayPal support for online payment system\u003C\u002Fli>\n\u003Cli>Using CSP for 
\u003Cstrong>Drift\u003C\u002Fstrong>\u003Cbr \u002F>\nDrift and Driftt support\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Cookiebot\u003C\u002Fstrong>\u003Cbr \u002F>\ncookie and tracker support, GDPR\u002FePrivacy and CCPA compliance\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Vimeo Embedded Videos SDK\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport frames, JS SDK, Froogaloop integration\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>AppNexus (now Xandr)\u003C\u002Fstrong>\u003Cbr \u002F>\nAppNexus support for custom retargeting\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Mixpanel\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport analytics tool with SDK\u002FJS to collect client-side data\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Font Awesome\u003C\u002Fstrong>\u003Cbr \u002F>\ntoolkit support for fonts and icons over CSS and Less\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Google reCAPTCHA\u003C\u002Fstrong>\u003Cbr \u002F>\nreCAPTCHA support for fraud and bot protection\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Bootstrap\u003C\u002Fstrong> CDN\u003Cbr \u002F>\nBootstrap support for CSS frameworks\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>HubSpot\u003C\u002Fstrong>\u003Cbr \u002F>\nHubspot support with many features, used for monitoring and mkt functionality\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Hotjar\u003C\u002Fstrong>\u003Cbr \u002F>\nHotjar tracker support for analytics and metrics\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>WP.com\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for wp.com hosting\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>Akamai mPulse\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for Akamai mPulse, for origin and perimeter integrations\u003C\u002Fli>\n\u003Cli>CSP usage for \u003Cstrong>Cloudflare – Rocket-Loader & Mirage\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport for Mirage libraries for performance acceleration\u003C\u002Fli>\n\u003Cli>Using CSP for 
\u003Cstrong>Cloudflare – CDN.js\u003C\u002Fstrong>\u003Cbr \u002F>\nCloudflare’s open CDN support with multiple libraries\u003C\u002Fli>\n\u003Cli>Using CSP for \u003Cstrong>jsDelivr\u003C\u002Fstrong>\u003Cbr \u002F>\nsupport jsDelivr free CDN for Open Source\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> is based on the OWASP CSRF standard to protect your wordpress site. Using the OWASP CSRF standard, once the plugin is installed, you can customize CSP rules for full CSRF mitigation. The site will be secure despite having other vulnerable plugins (CSRF).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Integration with Sentry, Report URI, URIports and Datadog\u003C\u002Fstrong>\u003Cbr \u002F>\nSentry is a well-known platform for monitoring and tracking errors in applications. By integrating Sentry with our plugin, users can:\u003Cbr \u002F>\n  * Receive detailed reports on content security policy (CSP) violations.\u003Cbr \u002F>\n  * Monitor and analyze JavaScript exceptions occurring on their site.\u003Cbr \u002F>\n  * Benefit from advanced tools for proactive troubleshooting.\u003C\u002Fp>\n\u003Cp>Monitoring and Integration with Sentry, Datadog and URI Reports for optimal security.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>All Free Features\u003C\u002Fstrong>\u003Cbr \u002F>\nThe \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> version includes all the free features.\u003C\u002Fp>\n\u003Cp>We have implemented \u003Cstrong>FLoC (Federated Learning of Cohorts)\u003C\u002Fstrong>, using best practices. First, using \u003Cstrong>Headers Security Advanced & HSTS WP\u003C\u002Fstrong> prevents the browser from including your site in the “cohort calculation” on \u003Cstrong>FLoC (Federated Learning of Cohorts)\u003C\u002Fstrong>. This means that nothing can call document.interestCohort() to get the FLoC ID of the currently used client. 
Obviously, this does nothing outside of your currently visited site and does not “disable” FLoC on the client beyond that scope.\u003C\u002Fp>\n\u003Cp>Even though \u003Cstrong>FLoC\u003C\u002Fstrong> is still fairly new and not yet widely supported, as programmers we think that privacy protection elements are important, so we choose to give you the feature of being opt out of FLoC! We’ve created a special \u003Cstrong>“automatic blocking of FLoC”\u003C\u002Fstrong> feature, trying to always \u003Cstrong>offer the best tool with privacy protection and cyber security\u003C\u002Fstrong> as main targets and focus.\u003C\u002Fp>\n\u003Cp>Analyze your site before and after using \u003Cem>Headers Security Advanced & HSTS WP\u003C\u002Fem> security headers are self-configured according to HTTP Security Headers and HTTP Strict Transport Security \u002F HSTS best practices.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Check HTTP Security Headers on \u003Ca href=\"https:\u002F\u002Fsecurityheaders.com\u002F\" rel=\"nofollow ugc\">securityheaders.com\u003C\u002Fa> \u003C\u002Fli>\n\u003Cli>Check HTTP Strict Transport Security \u002F HSTS at \u003Ca href=\"https:\u002F\u002Fhstspreload.org\u002F\" rel=\"nofollow ugc\">hstspreload.org\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check WebPageTest at \u003Ca href=\"https:\u002F\u002Fwww.webpagetest.org\u002F\" rel=\"nofollow ugc\">webpagetest.org\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check HSTS test website \u003Ca href=\"https:\u002F\u002Fgf.dev\u002Fhsts-test\u002F\" rel=\"nofollow ugc\">gf.dev\u002Fhsts-test\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check CSP test website \u003Ca href=\"https:\u002F\u002Fcsper.io\u002Fevaluator\" rel=\"nofollow ugc\">csper.io\u002Fevaluator\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Check CSP Evaluator \u003Ca href=\"https:\u002F\u002Fcsp-evaluator.withgoogle.com\u002F\" rel=\"nofollow ugc\">csp-evaluator.withgoogle.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>CSP Content Security Policy Generator \u003Ca 
href=\"https:\u002F\u002Faddons.mozilla.org\u002Fen-US\u002Ffirefox\u002Faddon\u002Fcontent-security-policy-gen\u002F\" rel=\"nofollow ugc\">addons.mozilla.org\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin is updated periodically, our limited support is free, we are available for your feedback (bugs, compatibility issues or recommendations for next updates). We are usually fast :-D.\u003C\u002Fp>\n","Best all-in-one WordPress security plugin, uses HTTP & HSTS response headers to avoid vulnerabilities: XSS, injection, clickjacking. Force HTTP\u002FHTTPS.",90000,1308613,98,77,"2026-01-18T14:24:00.000Z","6.9.4","4.7",[53,20,21,54,22],"clickjacking","headers-security","https:\u002F\u002Fopenheaders.org","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheaders-security-advanced-hsts-wp.5.2.5.zip",{"slug":58,"name":59,"version":60,"author":61,"author_profile":62,"description":63,"short_description":64,"active_installs":65,"downloaded":66,"rating":13,"num_ratings":13,"last_updated":67,"tested_up_to":15,"requires_at_least":68,"requires_php":6,"tags":69,"homepage":67,"download_link":71,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":72},"fix-it-easy-security-headers","Fix It Easy Security Headers","1.1","WP Fix It - WordPress Experts","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpfixit\u002F","\u003Cp>\u003Cstrong>WP Fix It Easy Security Headers\u003C\u002Fstrong> adds a simple page under \u003Cstrong>Tools \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Security Headers\u003C\u002Fstrong> where you can toggle common HTTP security headers:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Strict-Transport-Security (HSTS)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Content-Security-Policy 
(CSP)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-Frame-Options\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>X-Content-Type-Options\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Referrer-Policy\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Permissions-Policy\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>On activation, all headers are \u003Cstrong>enabled by default\u003C\u002Fstrong> and you’re redirected to the settings screen.\u003C\u002Fp>\n\u003Cp>For convenience, the page and the Plugins screen include a \u003Cstrong>“Check Headers”\u003C\u002Fstrong> button that opens SecurityHeaders.com with your site’s URL prefilled (built dynamically from \u003Ccode>home_url()\u003C\u002Fcode>).\u003C\u002Fp>\n\u003Ch3>Notes on CSP\u003C\u002Fh3>\n\u003Cp>This plugin ships with a \u003Cstrong>permissive\u003C\u002Fstrong> default CSP intended to “work everywhere” out of the box (allows most external sources and inline code). For stronger protection, you should harden the directives for your specific site.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>One-click toggles for popular headers\u003C\u002Fli>\n\u003Cli>Dynamic “Check Headers” scan link\u003C\u002Fli>\n\u003Cli>Uses the WordPress Settings API (nonce + capability checks)\u003C\u002Fli>\n\u003Cli>Output escaping and sanitization following PHPCS\u003C\u002Fli>\n\u003C\u002Ful>\n","Configure core HTTP security headers for your WordPress site in a few 
clicks.",10,247,"","5.8",[20,21,22,70,23],"referrer-policy","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffix-it-easy-security-headers.1.1.zip","2026-03-15T10:48:56.248Z",{"slug":74,"name":75,"version":76,"author":77,"author_profile":78,"description":79,"short_description":80,"active_installs":81,"downloaded":82,"rating":83,"num_ratings":84,"last_updated":85,"tested_up_to":86,"requires_at_least":87,"requires_php":88,"tags":89,"homepage":94,"download_link":95,"security_score":96,"vuln_count":97,"unpatched_count":13,"last_vuln_date":98,"fetched_at":28},"http-headers","HTTP Headers","1.19.2","Dimitar Ivanov","https:\u002F\u002Fprofiles.wordpress.org\u002Fzinoui\u002F","\u003Cp>HTTP Headers gives you control over the HTTP headers returned by your blog or website.\u003C\u002Fp>\n\u003Cp>Headers supported by HTTP Headers include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Access-Control-Allow-Origin\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Credentials\u003C\u002Fli>\n\u003Cli>Access-Control-Max-Age\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Methods\u003C\u002Fli>\n\u003Cli>Access-Control-Allow-Headers\u003C\u002Fli>\n\u003Cli>Access-Control-Expose-Headers\u003C\u002Fli>\n\u003Cli>Age 
\u003C\u002Fli>\n\u003Cli>Content-Security-Policy\u003C\u002Fli>\n\u003Cli>Content-Security-Policy-Report-Only\u003C\u002Fli>\n\u003Cli>Cache-Control\u003C\u002Fli>\n\u003Cli>Clear-Site-Data\u003C\u002Fli>\n\u003Cli>Connection\u003C\u002Fli>\n\u003Cli>Content-Encoding\u003C\u002Fli>\n\u003Cli>Content-Type\u003C\u002Fli>\n\u003Cli>Cross-Origin-Embedder-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Opener-Policy\u003C\u002Fli>\n\u003Cli>Cross-Origin-Resource-Policy\u003C\u002Fli>\n\u003Cli>Expect-CT\u003C\u002Fli>\n\u003Cli>Expires\u003C\u002Fli>\n\u003Cli>Feature-Policy\u003C\u002Fli>\n\u003Cli>NEL\u003C\u002Fli>\n\u003Cli>Permissions-Policy\u003C\u002Fli>\n\u003Cli>Pragma\u003C\u002Fli>\n\u003Cli>P3P\u003C\u002Fli>\n\u003Cli>Referrer-Policy\u003C\u002Fli>\n\u003Cli>Report-To\u003C\u002Fli>\n\u003Cli>Strict-Transport-Security\u003C\u002Fli>\n\u003Cli>Timing-Allow-Origin\u003C\u002Fli>\n\u003Cli>Vary\u003C\u002Fli>\n\u003Cli>WWW-Authenticate\u003C\u002Fli>\n\u003Cli>X-Content-Type-Options\u003C\u002Fli>\n\u003Cli>X-DNS-Prefetch-Control\u003C\u002Fli>\n\u003Cli>X-Download-Options\u003C\u002Fli>\n\u003Cli>X-Frame-Options\u003C\u002Fli>\n\u003Cli>X-Permitted-Cross-Domain-Policies\u003C\u002Fli>\n\u003Cli>X-Powered-By\u003C\u002Fli>\n\u003Cli>X-Robots-Tag\u003C\u002Fli>\n\u003Cli>X-UA-Compatible\u003C\u002Fli>\n\u003Cli>X-XSS-Protection\u003C\u002Fli>\n\u003C\u002Ful>\n","HTTP Headers adds CORS & security HTTP headers to your website.",50000,715994,86,70,"2024-12-22T11:49:00.000Z","6.7.5","3.2","5.3",[90,91,92,74,93],"cors-headers","csp-header","custom-headers","security-headers","https:\u002F\u002Fgithub.com\u002Friverside\u002Fhttp-headers","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhttp-headers.1.19.2.zip",91,4,"2023-07-13 
00:00:00",{"slug":100,"name":101,"version":102,"author":103,"author_profile":104,"description":105,"short_description":106,"active_installs":107,"downloaded":108,"rating":83,"num_ratings":109,"last_updated":110,"tested_up_to":111,"requires_at_least":112,"requires_php":17,"tags":113,"homepage":67,"download_link":116,"security_score":117,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"csp-manager","Content Security Policy Manager","1.2.1","Patrick Sletvold","https:\u002F\u002Fprofiles.wordpress.org\u002F16patsle\u002F","\u003Cp>\u003Cstrong>Content Security Policy Manager\u003C\u002Fstrong> is a WordPress plugin that allows you to easily configure \u003Ca href=\"https:\u002F\u002Fdeveloper.mozilla.org\u002Fen-US\u002Fdocs\u002FWeb\u002FHTTP\u002FCSP\" rel=\"nofollow ugc\">Content Security Policy headers\u003C\u002Fa> for your site. You can have different CSP headers for the admin interface, the frontend for logged in users, and the frontend for regular visitors. The CSP directives can be individually enabled, and each policy can be set to enforce, report or be disabled.\u003C\u002Fp>\n\u003Cp>Please note that this plugin offers limited help in figuring out what the contents of the policy should be. It only lets you configure the CSP in an easy-to-use interface.\u003C\u002Fp>\n","Plugin for configuring Content Security Policy headers for your site. 
Allows different CSP headers for admin, logged in frontend and regular visitors",2000,33739,6,"2022-08-09T17:33:00.000Z","6.1.10","4.6",[114,20,23,93,115],"content-security-policy","xss","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsp-manager.1.2.1.zip",85,{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":26,"downloaded":126,"rating":84,"num_ratings":97,"last_updated":127,"tested_up_to":50,"requires_at_least":16,"requires_php":128,"tags":129,"homepage":132,"download_link":133,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"csp-antsst","CSP Friendly Security","1.5.2","Pascal CESCATO","https:\u002F\u002Fprofiles.wordpress.org\u002Fpcescato\u002F","\u003Cp>Adds a CSP header compatible with most WP plugins without breaking styles.\u003C\u002Fp>\n","Adds a CSP header compatible with most WP plugins without breaking styles.",2755,"2026-01-01T13:42:00.000Z","7.3",[114,20,130,93,131],"nonces","sha256-hashes","https:\u002F\u002Ftsw.ovh\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcsp-antsst.1.5.2.zip",{"attackSurface":135,"codeSignals":178,"taintFlows":190,"riskAssessment":191,"analyzedAt":196},{"hooks":136,"ajaxHandlers":174,"restRoutes":175,"shortcodes":176,"cronEvents":177,"entryPointCount":13,"unprotectedCount":13},[137,142,146,150,153,157,162,166,171,173],{"type":138,"name":139,"callback":140,"file":141,"line":33},"action","admin_menu","add_admin_menu","admin\\class-shc-admin.php",{"type":138,"name":143,"callback":144,"file":141,"line":145},"admin_init","register_settings",31,{"type":138,"name":147,"callback":148,"file":141,"line":149},"admin_enqueue_scripts","enqueue_admin_styles",32,{"type":138,"name":143,"callback":151,"file":141,"line":152},"handle_documentation_download",33,{"type":138,"name":154,"callback":155,"priority":65,"file":156,"line":145},"send_headers","add_security_headers","includes\\class
-shc-headers.php",{"type":158,"name":159,"callback":160,"priority":65,"file":156,"line":161},"filter","shc_security_headers","get_default_headers",34,{"type":138,"name":163,"callback":164,"priority":32,"file":156,"line":165},"init","remove_x_powered_by",160,{"type":138,"name":167,"callback":168,"file":169,"line":170},"plugins_loaded","load_textdomain","security-headers-caching.php",78,{"type":138,"name":167,"callback":163,"file":169,"line":172},81,{"type":138,"name":167,"callback":163,"file":169,"line":117},[],[],[],[],{"dangerousFunctions":179,"sqlUsage":180,"outputEscaping":182,"fileOperations":13,"externalRequests":13,"nonceChecks":32,"capabilityChecks":188,"bundledLibraries":189},[],{"prepared":13,"raw":13,"locations":181},[],{"escaped":183,"rawEcho":32,"locations":184},17,[185],{"file":141,"line":186,"context":187},473,"raw output",2,[],[],{"summary":192,"deductions":193},"The \"security-headers-caching\" v7.4 plugin exhibits a strong security posture based on the provided static analysis. The complete absence of detectable attack surface points like AJAX handlers, REST API routes, or shortcodes significantly minimizes the potential for external exploitation. The code also demonstrates good practices with 100% of SQL queries using prepared statements, a high percentage of properly escaped output, and the presence of nonce and capability checks. This suggests a well-developed and security-conscious approach to its codebase.\n\nWhile the static analysis reveals no critical or high-severity issues, and the vulnerability history is clean, there's a small area for potential improvement. The 94% output escaping rate, while good, means that approximately 6% of outputs are not properly escaped. This could, in a theoretical scenario with specific data inputs, lead to minor cross-site scripting (XSS) vulnerabilities if malicious data were injected and displayed without proper sanitization. However, given the overall robust findings, this remains a low-level concern. 
The plugin's strengths far outweigh any minor areas for improvement, making it a relatively secure option.",[194],{"reason":195,"points":97},"Unescaped output (approx 6%)","2026-03-16T22:50:29.567Z",{"wat":198,"direct":207},{"assetPaths":199,"generatorPatterns":202,"scriptPaths":203,"versionParams":204},[200,201],"\u002Fwp-content\u002Fplugins\u002Fsecurity-headers-caching\u002Fadmin\u002Fcss\u002Fshc-admin.css","\u002Fwp-content\u002Fplugins\u002Fsecurity-headers-caching\u002Fadmin\u002Fjs\u002Fshc-admin.js",[],[],[205,206],"security-headers-caching\u002Fadmin\u002Fcss\u002Fshc-admin.css?ver=","security-headers-caching\u002Fadmin\u002Fjs\u002Fshc-admin.js?ver=",{"cssClasses":208,"htmlComments":210,"htmlAttributes":211,"restEndpoints":212,"jsGlobals":213,"shortcodeOutput":215},[209],"shc-admin-settings",[],[],[],[214],"shc_admin_params",[]]