Security Headers

Security headers are part of the response your server sends back to visitors – these headers tell the visitors how the server wants them to respond.

Strict Transport Security (HSTS)

This ensures that the browser can only communicate over HTTPS – eliminating any chance of an unsecured HTTP connection.

Content Security Policy (CSP)

CSP is protection against Cross-Site Scripting. Although it does not eliminate the possibility of code injection attacks, it highly increases the protection against people trying to inject malicious code into your website.

Cross-Site Scripting Protection (X-XSS)

This filter doesn’t let the page load when it detects a cross-site scripting attack. This filter is currently enabled by default in Google Chrome, Internet Explorer and Safari.


This header prevents your website from being embedded in other websites via iframes. This helps prevent Clickjacking, where a user could be fooled into being on your website. Done correctly, a visitor would think he would be on the right website but would allow a hacker to eavesdrop on the data sent back and forth.


This header is a countermeasure that prevents hackers from trying to execute malicious code as a different file type. For instance, you might have protection against uploading JavaScript .js files, but without the X-Content-Type-Options header, a hacker could execute malicious JavaScript code via an innocent-looking .txt file.

This is known as MIME sniffing, and it could allow hackers to execute cross-site scripting attacks.

Easy to protect your website with security headers

WP Security Ninja comes with a very easy way to get your website protected with security headers – You can easily protect yourself by clicking a few checkboxes or using the getting started wizard.

A few clicks allow you to turn on each header and gives you a chance to fine-tune each setting as required.

Some of these security headers can prevent your website from functioning properly if not configured correctly. For instance, Content-Security-Policy can prevent Google Analytics tracking from loading.

Screenshot from the plugin interface:

Security Headers - default settings

Security Headers – default settings

Was this helpful?

Still need help?

If searching the knowledge base does not help you, please contact support.

Fast and easy to use WordPress Security

Instantly protect your website from 600+ million bad IPs

10% OFF

Subscribe to our newsletter

* We do not spam or share your email

Discount on any Security Ninja plan

and get

Hi and welcome back :-)

We won't spam you. Unsubscribe any time.

Wait! Before you go!

Get 10% discount for any WP Security Ninja plan!


Subscribe to our newsletter for new releases, discounts and general WordPress Security news. Sprinkled with other interesting stuff :-)