Security Headers

Modern browsers support security headers that tell them how to handle your content safely. Without these headers, your site is more vulnerable to cross-site scripting, clickjacking, and other attacks. This module adds the most important security headers with a few clicks.

Use Cases

  • Prevent your site from being embedded in malicious iframes (clickjacking)
  • Block cross-site scripting (XSS) attacks
  • Force browsers to respect your content types
  • Enforce HTTPS-only connections for returning visitors
  • Control what information is sent in referrer headers

How It Works

When enabled, the module adds security headers to every HTTP response from your WordPress site. These headers instruct browsers on how to handle your content securely. You choose which headers to enable based on your needs.

Available Headers

Header                  | What It Does                                                  | Risk Level
------------------------|---------------------------------------------------------------|----------------
X-XSS-Protection        | Tells browsers to block pages if XSS attacks are detected     | Safe
X-Frame-Options         | Prevents your site from being embedded in iframes on other sites | Safe
X-Content-Type-Options  | Stops browsers from guessing content types (MIME sniffing)    | Safe
Referrer-Policy         | Controls how much URL information is shared with other sites  | Safe
HSTS                    | Forces HTTPS-only connections for 1 year                      | Requires HTTPS
Content-Security-Policy | Restricts which resources can load on your pages              | May break things

Settings

Navigate to Switchboard → Security → Security Headers and toggle on the headers you want to enable.

Default headers (enabled automatically):

  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy

Optional headers (enable manually):

  • HSTS (only if your site is fully HTTPS)
  • Content-Security-Policy (test carefully first)

Header Details

X-XSS-Protection

X-XSS-Protection: 1; mode=block

Enables the browser’s built-in XSS filter. If an attack is detected, the page is blocked entirely rather than sanitized.

X-Frame-Options

X-Frame-Options: SAMEORIGIN

Allows your site to be embedded only in iframes on your own domain. Blocks embedding on other sites, preventing clickjacking attacks where attackers overlay invisible iframes to trick users into clicking things.

X-Content-Type-Options

X-Content-Type-Options: nosniff

Prevents browsers from “sniffing” content types. Without this, a browser might interpret a file as a different type than declared, which can be exploited for attacks.

Referrer-Policy

Referrer-Policy: strict-origin-when-cross-origin

When users click links to leave your site, this controls what URL information is shared:

  • Same-origin requests: full URL sent
  • Cross-origin requests: only the origin (domain) is sent
  • Downgrade (HTTPS to HTTP): nothing sent
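The three cases above are easier to trust once you can see them computed. The following is an added example, not code from the Switchboard module: a small model of what a browser places in the Referer request header for a navigation from one URL to another. It covers the module's strict-origin-when-cross-origin setting and, for comparison, three other standard policy values (no-referrer, same-origin, strict-origin); the URLs used are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not part of the Switchboard module. Models the Referer value
# a browser sends for the policies listed in referer_for(); other policy
# values are rejected rather than guessed.


def origin_of(url: str) -> str:
    """Origin of a URL: scheme plus host (and explicit port), lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _is_downgrade(src: str, dst: str) -> bool:
    """True when an HTTPS page links to a plain-HTTP destination."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def _full_url(url: str) -> str:
    """The 'full URL' case: the page URL with its fragment stripped."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))


def referer_for(policy: str, src: str, dst: str) -> Optional[str]:
    """
    Referer value sent when a page at `src` navigates to `dst` under `policy`,
    or None when the browser sends no Referer at all.
    """
    same_origin = origin_of(src) == origin_of(dst)
    downgrade = _is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return _full_url(src) if same_origin else None
    if policy == "strict-origin":
        # Origin only, and nothing at all on an HTTPS -> HTTP downgrade.
        return None if downgrade else origin_of(src) + "/"
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None                                   # downgrade: nothing sent
        if same_origin:
            return _full_url(src)                         # same origin: full URL
        return origin_of(src) + "/"                       # cross origin: origin only
    raise ValueError(f"policy not modelled here: {policy}")


if __name__ == "__main__":
    # Constructed sample: an account page linking to three destinations.
    page = "https://example.com/account?id=42"
    for dest in ("https://example.com/help", "https://other.example/", "http://other.example/"):
        print(f"{dest:28} -> {referer_for('strict-origin-when-cross-origin', page, dest)!r}")
```

The query string (`?id=42`) is the part worth watching: under the module's policy it leaves the site only for same-origin navigations, which is why this value is a sensible default for sites whose URLs carry identifiers.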

HSTS (HTTP Strict Transport Security)

Strict-Transport-Security: max-age=31536000; includeSubDomains

Tells browsers to only connect via HTTPS for the next year. Once a browser sees this header, it will refuse to connect over HTTP even if someone types http:// directly.

Only enable HSTS if your site is fully HTTPS. If you enable HSTS without a working SSL certificate, visitors won’t be able to access your site at all. The browser will refuse to connect.
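To make the lockout concrete, here is an added example (not the module's code) that models the browser-side HSTS cache: which hosts it remembers, for how long, whether subdomains are covered, and how a later http:// navigation is rewritten. The header values and URLs are constructed samples; real browsers add preload lists and other details this model leaves out.

```python
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# Added example, not part of the Switchboard module: a minimal model of the
# HSTS cache a browser keeps after seeing Strict-Transport-Security.

MAX_AGE_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def parse_hsts(value: str) -> Tuple[int, bool]:
    """Return (max_age_seconds, include_subdomains) for a header value."""
    match = MAX_AGE_RE.search(value)
    if not match:
        raise ValueError("Strict-Transport-Security requires a max-age directive")
    return int(match.group(1)), "includesubdomains" in value.lower()


class HstsCache:
    """Hosts the browser has been told to reach over HTTPS only."""

    def __init__(self) -> None:
        # host -> (expiry as seconds since epoch, includeSubDomains flag)
        self.entries: Dict[str, Tuple[float, bool]] = {}

    def observe(self, url: str, headers: Dict[str, str], now: float) -> None:
        """Record the header from a response. Browsers only honour HSTS received over HTTPS."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        max_age, include_sub = parse_hsts(value)
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)        # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + max_age, include_sub)

    def is_known(self, host: str, now: float) -> bool:
        """True if `host` or a parent domain with includeSubDomains is cached and unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or now >= entry[0]:
                continue
            if i == 0 or entry[1]:              # exact host, or a parent with includeSubDomains
                return True
        return False

    def navigate(self, url: str, now: float) -> str:
        """The URL the browser actually requests: http:// becomes https:// for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("https://example.com/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, now=0.0)
    for url in ("http://example.com/login", "http://blog.example.com/"):
        print(f"{url:28} -> {cache.navigate(url, now=60.0)}")
```

Two points follow from the model. Once the entry is cached there is no HTTP fallback: if the certificate later breaks, the rewritten https:// request fails and the visitor sees a browser error instead of the site. And because the module sends includeSubDomains, the rule applies to every subdomain of the host, so any subdomain that is still served over plain HTTP becomes unreachable for returning visitors as well.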

Content-Security-Policy (CSP)

Content-Security-Policy: default-src 'self'

The strictest header. Only allows resources (scripts, styles, images) from your own domain. External resources like Google Fonts, analytics scripts, or CDN-hosted libraries will be blocked.

CSP can break your site. Many WordPress themes and plugins load external resources. Enable CSP only if you’re prepared to troubleshoot blocked resources. Test thoroughly in a staging environment first.
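The following added example (not the module's code) shows why the default policy blocks Google Fonts and what a policy that allows them looks like. It is a deliberately simplified CSP evaluator: it understands 'self', 'none', scheme sources such as https:, and host sources (with or without a scheme, with a leading *. wildcard), and it applies the fallback from a missing fetch directive to default-src. Nonces, hashes, 'unsafe-inline', paths and ports are not modelled, and the page URL and resource list are constructed samples.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Added example, not part of the Switchboard module: a simplified CSP evaluator.

FETCH_DIRECTIVES = {"script": "script-src", "style": "style-src", "font": "font-src", "img": "img-src"}

# The module's default policy and a hypothetical policy that also permits Google Fonts.
STRICT_POLICY = "default-src 'self'"
FONTS_POLICY = ("default-src 'self'; "
                "style-src 'self' https://fonts.googleapis.com; "
                "font-src 'self' https://fonts.gstatic.com")

# Constructed sample: resources a WordPress page at PAGE_URL might load.
PAGE_URL = "https://example.com/"
SAMPLE_RESOURCES: List[Tuple[str, str]] = [
    ("style", "https://example.com/wp-content/themes/demo/style.css"),
    ("script", "https://example.com/wp-includes/js/jquery/jquery.min.js"),
    ("style", "https://fonts.googleapis.com/css2?family=Inter"),
    ("font", "https://fonts.gstatic.com/s/inter/v12/sample.woff2"),
    ("script", "https://www.googletagmanager.com/gtag/js"),
    ("img", "https://example.com/wp-content/uploads/logo.png"),
]


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_matches(source: str, resource: str, page_url: str) -> bool:
    r, p = urlsplit(resource), urlsplit(page_url)
    if source.startswith("'"):
        # Of the quoted keywords only 'self' can match a fetched URL; 'none',
        # 'unsafe-inline', nonces and hashes never do.
        return source == "'self'" and (r.scheme, r.netloc.lower()) == (p.scheme, p.netloc.lower())
    if source.endswith(":") and "/" not in source:           # scheme source, e.g. https:
        return r.scheme.lower() == source[:-1].lower()
    if "://" in source:                                      # host source with scheme
        scheme, _, host = source.partition("://")
        if r.scheme.lower() != scheme.lower():
            return False
    else:                                                    # bare host: page scheme or https
        host = source
        if r.scheme not in (p.scheme, "https"):
            return False
    host = host.split("/")[0].split(":")[0]                  # paths and ports are not modelled
    return _host_matches(host.lower(), (r.hostname or "").lower())


def allowed(policy: str, page_url: str, resource: str, kind: str) -> bool:
    """True if a resource of type `kind` may load on `page_url` under `policy`."""
    directives = parse_csp(policy)
    sources = directives.get(FETCH_DIRECTIVES[kind])
    if sources is None:
        sources = directives.get("default-src")             # fetch directives fall back to default-src
    if sources is None:
        return True                                          # no applicable directive: unrestricted
    return any(_source_matches(s, resource, page_url) for s in sources)


def blocked_resources(policy: str, page_url: str, resources: List[Tuple[str, str]]) -> List[str]:
    """URLs from `resources` that the policy would block on `page_url`."""
    return [url for kind, url in resources if not allowed(policy, page_url, url, kind)]


if __name__ == "__main__":
    for label, policy in (("default", STRICT_POLICY), ("with Google Fonts", FONTS_POLICY)):
        print(f"{label}: blocked = {blocked_resources(policy, PAGE_URL, SAMPLE_RESOURCES)}")
```

Under the default policy every external URL in the sample is blocked; the second policy opens only the two hosts Google Fonts needs (the stylesheet host and the font-file host) and still blocks the analytics script, which is the kind of targeted allow-list the FAQ below refers to as a custom CSP rule.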

Verification

After enabling headers, verify they’re working:

  1. Open your site in Chrome or Firefox
  2. Open Developer Tools (F12)
  3. Go to the Network tab
  4. Refresh the page
  5. Click on the main document request
  6. Check the Response Headers section

You should see your enabled security headers listed.
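The Developer Tools check above is manual. As an added example (not part of the Switchboard module), the script below audits a set of response headers against the values this page recommends, so the same check can be repeated after every change. It runs offline against a constructed sample response; pass a URL on the command line to audit a live site instead. The status strings, the one-year HSTS threshold and the list of acceptable values are this example's own choices.

```python
import re
import sys
from typing import Dict, Optional
from urllib.request import Request, urlopen

# Added example, not part of the Switchboard module: audit response headers
# against the values this page recommends. Header names match case-insensitively.

EXPECTED = {
    "X-Frame-Options": ("SAMEORIGIN", "DENY"),
    "X-Content-Type-Options": ("nosniff",),
    "Referrer-Policy": ("strict-origin-when-cross-origin", "strict-origin",
                        "same-origin", "no-referrer"),
}
ONE_YEAR = 31536000

# Constructed sample: what a site with the four default headers enabled might return.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_headers(headers: Dict[str, str], https: bool = True) -> Dict[str, str]:
    """Return {header: status}; status is 'ok', 'missing...' or a short problem description."""
    report: Dict[str, str] = {}
    for name, good_values in EXPECTED.items():
        value = _get(headers, name)
        if value is None:
            report[name] = "missing"
        elif value.lower() in {g.lower() for g in good_values}:
            report[name] = "ok"
        else:
            report[name] = f"unexpected value: {value}"

    # X-XSS-Protection is a legacy header: current Chromium-based browsers and
    # Firefox ignore it, so its presence is reported but carries little weight.
    xss = _get(headers, "X-XSS-Protection")
    if xss is None:
        report["X-XSS-Protection"] = "missing (legacy header; current browsers ignore it)"
    elif xss.startswith("1"):
        report["X-XSS-Protection"] = "ok (legacy header; current browsers ignore it)"
    else:
        report["X-XSS-Protection"] = f"unexpected value: {xss}"

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        report["Strict-Transport-Security"] = "missing" if https else "not applicable (site not on HTTPS)"
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not match:
            report["Strict-Transport-Security"] = "invalid: no max-age"
        elif int(match.group(1)) < ONE_YEAR:
            report["Strict-Transport-Security"] = f"short max-age: {match.group(1)}"
        elif not https:
            report["Strict-Transport-Security"] = "present, but browsers ignore HSTS received over plain HTTP"
        else:
            report["Strict-Transport-Security"] = "ok"

    csp = _get(headers, "Content-Security-Policy")
    report["Content-Security-Policy"] = "ok" if csp else "missing (optional)"
    return report


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch the main document and return its response headers (network access required)."""
    request = Request(url, headers={"User-Agent": "header-audit-example/1.0"})
    with urlopen(request, timeout=10) as response:
        return dict(response.headers.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        headers, https = fetch_headers(sys.argv[1]), sys.argv[1].startswith("https://")
    else:
        headers, https = SAMPLE_HEADERS, True
    for name, status in audit_headers(headers, https).items():
        print(f"{name:28} {status}")
```

Run it once before enabling the optional headers and once after; the two reports show exactly which headers changed, and a "short max-age" or "unexpected value" line points at a value that differs from what this page describes.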

Online tools for testing:

FAQ

Will these headers break my site?
The four default headers (XSS, Frame, Content-Type, Referrer) are safe for virtually all sites. HSTS requires HTTPS. CSP is the only header that commonly causes issues by blocking external resources.

My theme uses Google Fonts. Will CSP block them?
Yes, the default CSP (default-src 'self') blocks all external resources. Either don’t enable CSP, or you’ll need a custom CSP rule that allows Google Fonts. This module provides a basic CSP — custom policies require code-level configuration.

Do I need all these headers?
The four default headers provide solid baseline protection with no downsides. HSTS adds protection if you’re committed to HTTPS. CSP is only worth the complexity if you have specific security requirements.

Will this affect SEO?
No. Security headers don’t affect how search engines crawl or index your content. If anything, security improvements can indirectly help SEO since Google considers site security a ranking factor.

My security scan still shows issues. Why?
Security scanners check for many things beyond headers. This module addresses HTTP headers specifically. Other issues like outdated software, weak passwords, or missing SSL certificates require different solutions.