WordPress Security Headers Generator

Configure HTTP security headers for WordPress and export ready-to-paste rules for Apache, Nginx, or PHP.

WordPress | Headers: 6
Strict-Transport-Security (Essential)

Forces HTTPS and reduces downgrade attacks.

Content-Security-Policy (Essential)

Limits trusted content sources and helps block XSS.

X-Frame-Options (Essential)

Prevents clickjacking by controlling iframe embedding.

X-Content-Type-Options (Essential)

Disables MIME type sniffing in modern browsers.

Referrer-Policy (Recommended)

Controls how much referrer data browsers send on navigation.

Permissions-Policy (Recommended)

Restricts access to powerful browser features like camera and geolocation.

X-XSS-Protection (Legacy)

Legacy protection for old browsers that still read the header.

Apache .htaccess Rules
# Security Headers - Generated by GAP3 Tools
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
  Header always set X-Frame-Options "DENY"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set X-XSS-Protection "1; mode=block"
</IfModule>
After deployment, test the live site at securityheaders.com or observatory.mozilla.org.

Prioritize Core Headers

Start with HSTS, CSP, X-Frame-Options, and X-Content-Type-Options before adding more advanced policies.

Test Live Responses

After deploying your rules, run the live site through securityheaders.com or Mozilla Observatory to confirm the final response headers.

Validate CSP Carefully

Strict CSP values can block third-party embeds or inline scripts, so review the final site carefully before shipping.
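
As an added example (not part of the generator's output), the script below does offline what the two tips above describe: it compares the Header lines from the Apache export with a saved response header block and flags headers that are missing, changed or sent twice, plus a script-src that still allows 'unsafe-inline'. The response text is constructed for illustration, and the function names are this example's own.

```python
import re

RULE = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+"([^"]*)"', re.I | re.M)  # Apache rule line

def parse_response(raw):
    """Raw header block (e.g. saved `curl -sI` output) -> {name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_sources(policy, directive):
    """Sources for a fetch directive, falling back to default-src."""
    parts = [p.split() for p in policy.split(";") if p.strip()]
    parsed = {t[0].lower(): t[1:] for t in reversed(parts)}  # first occurrence wins
    return parsed.get(directive, parsed.get("default-src", []))

def audit(htaccess, raw_response):
    """Compare the deployed rules with what the server actually returned."""
    actual, findings = parse_response(raw_response), []
    for name, want in RULE.findall(htaccess):
        got = actual.get(name.lower(), [])
        if got != [want]:
            kind = "missing" if not got else "duplicate" if len(got) > 1 else "mismatch"
            findings.append(f"{kind}: {name}")
    policy = actual.get("content-security-policy", [""])[0]
    if "'unsafe-inline'" in csp_sources(policy, "script-src"):
        findings.append("csp: script-src allows 'unsafe-inline'")
    return findings

# Header lines as exported in the Apache block on this page.
CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
       "font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests")
HTACCESS = f'''  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set Content-Security-Policy "{CSP}"
  Header always set X-Frame-Options "DENY"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set X-XSS-Protection "1; mode=block"'''
# Constructed response: HSTS value differs, X-Frame-Options is absent, nosniff is sent twice.
RESPONSE = f'''HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: {CSP}
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1; mode=block'''
```

The script-src finding appears even when every header matches the export, because the generated policy itself permits inline scripts; that is the trade-off to weigh against theme and plugin compatibility when validating the CSP.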
