Security Headers

HTTP security headers including X-Content-Type-Options, X-Frame-Options, HSTS, Content Security Policy, and Permissions Policy.

Last updated Feb 21, 2026

Overview

Security headers are HTTP response headers that instruct browsers to enforce security policies when loading and rendering your site. They protect against cross-site scripting (XSS), clickjacking, MIME sniffing, and other common attack vectors. ArmorPro lets you configure all major security headers from a single settings panel.

Go to ArmorPro → Settings and find the Security Headers section to enable and configure headers.

How headers are sent

ArmorPro sends security headers via the WordPress send_headers action hook. Headers are skipped in the admin area and when PHP headers have already been sent to avoid conflicts. Before adding each header, ArmorPro probes for server-native headers (set by your hosting provider or web server configuration) to prevent duplicate headers that could cause unpredictable browser behavior.

Basic headers

These headers are included with all ArmorPro tiers and are safe to enable on virtually any site. The one to check first is X-Frame-Options: if other sites legitimately embed your pages (for example in a partner's iframe), SAMEORIGIN or DENY will block that embedding.

X-Content-Type-Options

  • Default: enabled
  • Value: nosniff

Prevents browsers from MIME sniffing a response away from the declared content type. Without this header, a browser can decide that a file served as text/plain or as an image "looks like" HTML or JavaScript and render it as such, so a user upload that is harmless under its declared type becomes a stored XSS vector. With nosniff in place, scripts and stylesheets served with a wrong MIME type are refused outright, so make sure your theme's assets are served with correct types.

X-Frame-Options

  • Default: SAMEORIGIN
  • Options: SAMEORIGIN, DENY, disabled

Controls whether your site can be embedded in an iframe. SAMEORIGIN allows framing only from pages on the same origin (same scheme, host and port); DENY blocks all framing. This prevents clickjacking, where an attacker loads your site in an invisible frame on their own page and tricks the user into clicking on it. If you also send a Content Security Policy with a frame-ancestors directive, browsers that support it use that directive instead of X-Frame-Options, so keep the two consistent.

Referrer-Policy

  • Default: strict-origin-when-cross-origin
  • Options: no-referrer, same-origin, strict-origin, strict-origin-when-cross-origin, no-referrer-when-downgrade, origin, origin-when-cross-origin, unsafe-url

Controls how much referrer information the browser attaches to navigations and to subresource requests (images, scripts, fetches) that leave your page. The default strict-origin-when-cross-origin sends the full URL on same-origin requests, only the origin (scheme, host and port) on cross-origin requests, and nothing at all when going from HTTPS to HTTP. Current browsers apply this same policy when no header is present, so sending it explicitly mainly covers older browsers and makes the choice visible. The unsafe-url and no-referrer-when-downgrade options send full URLs, including query strings, to other sites; avoid them unless you have a specific need.

X-XSS-Protection

  • Default: enabled
  • Value: 1; mode=block

Enables the browser's built-in reflected-XSS filter; with mode=block the browser stops rendering the page instead of trying to rewrite it. Treat this as a compatibility setting rather than a defense: Firefox never implemented the filter, Chromium-based browsers (Chrome, Edge) removed theirs in 2019, and the filter's rewriting mode (value 1 without mode=block) was itself a source of information leaks, which is why 1; mode=block and 0 are the only values still considered acceptable. It does no harm on current browsers, but do not rely on it in place of a Content Security Policy.

Advanced headers (Pro)

These headers provide deeper browser-level security controls and require more careful configuration.

Permissions-Policy

  • Default: disabled

Restricts which browser features third-party content (and your own site) can use. ArmorPro provides individual toggles for each feature:

  • Camera: access to the device camera
  • Microphone: access to the device microphone
  • Geolocation: access to the user's location
  • Payment: use of the Payment Request API
  • Autoplay: automatic media playback

If your site does not use these features, disabling them prevents third-party scripts (ads, embeds, compromised dependencies) from accessing them. Each disabled feature is sent with an empty allowlist, for example camera=(), which blocks it for your own pages and for every frame they embed.

Strict-Transport-Security (HSTS)

  • Default: disabled
  • Max-Age: 31536000 seconds (1 year) by default
  • Include Subdomains: optional toggle

Tells browsers to connect to your site only over HTTPS. After receiving the header, a browser rewrites any http:// URL for your host to https:// before the request leaves the machine, for as long as the max-age value lasts, even when the user types http:// in the address bar, and it no longer lets the user click through certificate errors for the site. Include Subdomains extends this to every subdomain, so enable it only when all of them are served over HTTPS. ArmorPro only sends this header on HTTPS requests, since browsers ignore HSTS received over plain HTTP.

Important

Once HSTS is enabled with a long max-age, browsers that have visited your site will keep upgrading to HTTPS until the max-age expires. If you need to revert to HTTP for any reason, you must either wait, have users clear the HSTS entry in each browser, or keep serving HTTPS long enough to send the header with max-age=0, which tells revisiting browsers to drop the entry. Start with a short max-age (e.g., 300 seconds) while testing, then increase once you are confident your HTTPS configuration is stable.

Content Security Policy (CSP)

  • Default: disabled

The most powerful security header. CSP defines which sources are allowed to load scripts, styles, images, fonts, and other content on your site. ArmorPro provides a custom CSP string input field with AJAX validation that checks syntax before saving.

Common CSP directives:

  • default-src — fallback for every fetch directive you do not set explicitly
  • script-src — where scripts can be loaded from
  • style-src — where stylesheets can be loaded from
  • img-src — where images can be loaded from
  • font-src — where fonts can be loaded from
  • connect-src — where AJAX/fetch requests can go

Note that frame-ancestors (the CSP replacement for X-Frame-Options), base-uri and form-action do not fall back to default-src; if you want them restricted, set them explicitly.

Start by sending the policy in the Content-Security-Policy-Report-Only header instead: browsers log each would-be violation to the console (and send reports to an endpoint if the policy names one with report-to or report-uri) without blocking anything. Once the policy produces no violations on your real pages, switch to the enforcing Content-Security-Policy header.
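The following is an added example of the kind of syntax check described above, written for this page and not ArmorPro's own AJAX validator: it splits a custom CSP string into directives, reports misspelled directive names (which browsers silently ignore), and flags the source values that make script-src ineffective. The directive list and lint rules are this example's own choices, and the two sample policies, including the placeholder 'nonce-abc123', are constructed.

```python
"""Parse and lint a Content-Security-Policy string before saving or enforcing it.

Added example, not ArmorPro's validator. The directive list and the lint rules are
this example's own choices; the sample policies at the bottom are constructed.
"""
from __future__ import annotations

# Directives the linter recognises (CSP Level 3). Anything else is reported,
# since browsers silently ignore a misspelled directive.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests", "block-all-mixed-content",
    "require-trusted-types-for", "trusted-types",
}
# Directives that never fall back to default-src: leaving them out leaves them open.
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
# Sources that make script-src ineffective against injected script.
RISKY_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source, ...]}.

    Directives are ';'-separated, the name and its sources whitespace-separated.
    Names are case-insensitive, and a repeated directive is ignored after its
    first occurrence, which is also what browsers do.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(policy: str) -> list[str]:
    """Human-readable findings for a policy; an empty list means nothing was flagged."""
    directives = parse_csp(policy)
    findings = [f"unknown directive '{name}' (typo? browsers ignore it)"
                for name in directives if name not in KNOWN_DIRECTIVES]

    default = directives.get("default-src")
    if default is None:
        findings.append("no default-src: every fetch directive you omit is unrestricted")

    # script-src falls back to default-src when absent.
    script_sources = directives.get("script-src", default or [])
    # When a nonce or hash is present, browsers ignore 'unsafe-inline' (CSP2+), so it
    # is a harmless fallback for old browsers rather than a hole.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script_sources)
    for source in RISKY_SCRIPT_SOURCES:
        if source in script_sources and not (source == "'unsafe-inline'" and has_nonce_or_hash):
            findings.append(f"script-src allows {source}: injected script can still run")

    if "object-src" not in directives and "'none'" not in (default or []):
        findings.append("object-src unrestricted: add object-src 'none' unless you need plugins")

    for name in NO_FALLBACK:
        if name not in directives:
            findings.append(f"{name} not set and it does not fall back to default-src")
    return findings


def report_only_header(policy: str) -> tuple[str, str]:
    """Header (name, value) pair for monitoring a policy without enforcing it."""
    return "Content-Security-Policy-Report-Only", policy.strip()


# Constructed sample policies: one with common mistakes, one that passes the lint.
# 'nonce-abc123' is a placeholder; a real nonce is random and changes per response.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; stlye-src 'self'"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; "
                   "base-uri 'self'; form-action 'self'; frame-ancestors 'self'")
```

Run lint_csp on your draft policy and fix every finding before pasting it into the CSP field; report_only_header gives you the header pair for the monitoring phase.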

Settings reference

Header                     | Default                          | Options                       | Tier
---------------------------|----------------------------------|-------------------------------|-----
X-Content-Type-Options     | Enabled (nosniff)                | On / Off                      | All
X-Frame-Options            | SAMEORIGIN                       | SAMEORIGIN / DENY / Off       | All
Referrer-Policy            | strict-origin-when-cross-origin  | 8 policy options              | All
X-XSS-Protection           | Enabled (1; mode=block)          | On / Off                      | All
Permissions-Policy         | Disabled                         | Per-feature toggles           | Pro
Strict-Transport-Security  | Disabled                         | Max-age, include subdomains   | Pro
Content-Security-Policy    | Disabled                         | Custom CSP string             | Pro

Testing your headers

After configuring headers, verify they are actually being sent: inspect the response headers in your browser's developer tools network panel or with a command-line HTTP client, and run your site URL through securityheaders.com, which grades your headers and highlights any that are missing or misconfigured. Test a front-end page rather than an admin page, since ArmorPro does not send headers in the admin area.
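An offline version of that check, added here as an example and not part of ArmorPro or a replacement for securityheaders.com: it parses a raw HTTP response (as captured from a network panel or command-line client), reports any header sent twice (the plugin-plus-web-server duplication the probe in "How headers are sent" is meant to avoid), and grades each header against the defaults on this page. The two sample responses are constructed, and the thresholds (one-year HSTS, the accepted Referrer-Policy values) are this example's own choices.

```python
"""Offline audit of the security headers in a raw HTTP response.

Added example, not ArmorPro code and not a substitute for securityheaders.com. The
sample responses are constructed; the thresholds (one-year HSTS, accepted
Referrer-Policy values) are this example's choices and follow this page's defaults.
"""
from __future__ import annotations

from collections import defaultdict

ONE_YEAR = 31536000
REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
    "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "unsafe-url",
}
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}  # full URL to other HTTPS origins
AUDITED = (
    "x-content-type-options", "x-frame-options", "referrer-policy", "x-xss-protection",
    "permissions-policy", "strict-transport-security", "content-security-policy",
)


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """{lower-cased name: [value, ...]} from a raw response; lists keep duplicates
    (plugin plus web server, the case ArmorPro's probe is meant to prevent) visible."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def parse_hsts(value: str) -> tuple[int, bool]:
    """(max-age in seconds, includeSubDomains present) from an HSTS header value."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            number = directive.split("=", 1)[1].strip().strip('"')
            max_age = int(number) if number.isdigit() else 0
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(raw: str) -> list[str]:
    """Findings for an HTTPS response; an empty list means every check passed."""
    h = parse_response_headers(raw)

    def first(name: str) -> str | None:
        return h[name][0] if name in h else None

    findings: list[str] = []
    for name in AUDITED:
        if len(h.get(name, [])) > 1:
            findings.append(f"{name} sent {len(h[name])} times: duplicate header, browser behaviour undefined")
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("x-content-type-options missing or not 'nosniff'")
    csp = (first("content-security-policy") or "").lower()
    if (first("x-frame-options") or "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection: set X-Frame-Options or CSP frame-ancestors")
    rp = (first("referrer-policy") or "").lower()
    if rp not in REFERRER_POLICIES:
        findings.append("referrer-policy missing or unrecognised")
    elif rp in LEAKY_REFERRER:
        findings.append(f"referrer-policy {rp} sends full URLs to other origins")
    if first("x-xss-protection") not in (None, "0"):
        findings.append("info: x-xss-protection is legacy; current browsers ignore it")
    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age < ONE_YEAR:
            findings.append(f"hsts max-age {max_age} is below one year (fine only while testing)")
        if not include_sub:
            findings.append("info: hsts without includeSubDomains; subdomains stay reachable over HTTP")
    if not csp:
        findings.append("content-security-policy missing")
    if first("permissions-policy") is None:
        findings.append("permissions-policy missing; restrict unused features (camera, microphone, ...)")
    return findings


# Constructed samples: a misconfigured site, and one matching this page's recommended settings.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: DENY\r\n"
    "Referrer-Policy: unsafe-url\r\nX-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=300\r\n\r\n<!doctype html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), autoplay=()\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n<!doctype html>"
)
```

Paste the raw response from your own site into audit_headers; the weak sample produces eight findings (including the duplicated X-Frame-Options and the 300-second HSTS that is fine only during testing), the hardened one none. Findings prefixed "info:" are advisories rather than misconfigurations.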

Tip

Enable basic headers first (X-Content-Type-Options, X-Frame-Options, Referrer-Policy) as they rarely cause issues and immediately improve your security posture. Add HSTS and CSP carefully with thorough testing on a staging environment before enforcing on production.

Important

A misconfigured Content Security Policy can break your site's frontend by blocking legitimate scripts, styles, or images. Always test CSP in report-only mode first and review the browser console for violations before switching to enforcement.