Header Fortress is a WordPress plugin for managing modern security headers from the admin area, with CSP nonce support, presets, live scanning, and built-in reporting tools.
Header Fortress can manage:
- Content-Security-Policy
- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Resource-Policy
- Clear-Site-Data
- Report-To
- NEL
It also includes:
- dynamic CSP nonce injection for WordPress-generated scripts
- security presets for different hardening profiles
- a scanner that compares plugin-managed headers with the live response
- a reporting screen for recent stored browser reports
- import, export, and reset tools
- The plugin works at the WordPress layer.
- If Cloudflare, LiteSpeed, Nginx, Apache, a reverse proxy, or another plugin manages the same headers, the final response can differ from the plugin configuration.
- HSTS is only sent on HTTPS responses.
- Reporting features such as Report-To and NEL expose a public browser-facing endpoint and should be reviewed before production rollout.
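As an added illustration (not Header Fortress code), this is how per-request CSP nonce injection for WordPress-generated scripts and HTTPS-only HSTS can be wired into WordPress; the hooks and WordPress functions are real, the hf_example_* function name and the policy values are assumptions:

```php
<?php
// Added example, not Header Fortress code. Hook names and WordPress
// functions are real; the hf_example_* function name is an assumption.

// One nonce per request, generated once and shared by every hook below.
function hf_example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits from the CSPRNG, base64-encoded as CSP expects.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the headers before any body output; skip if something already flushed.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return;
    }
    $nonce = hf_example_csp_nonce();
    // 'strict-dynamic' lets nonced scripts load the scripts they create,
    // which is how most WordPress bundles and embeds work.
    header(
        "Content-Security-Policy: script-src 'nonce-{$nonce}' 'strict-dynamic'; "
        . "object-src 'none'; base-uri 'self'"
    );
    // Browsers ignore HSTS on plain HTTP, so only emit it on HTTPS responses.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );

// Stamp the nonce onto the tags wp_enqueue_script() renders, including the
// before/after inline blocks that arrive in the same $tag string. The
// lookahead leaves tags that already carry a nonce untouched.
add_filter( 'script_loader_tag', function ( $tag, $handle, $src ) {
    $nonce = esc_attr( hf_example_csp_nonce() );
    return preg_replace( '/<script\b(?![^>]*\bnonce=)/i', '<script nonce="' . $nonce . '"', $tag );
}, 10, 3 );

// Inline scripts printed through wp_get_inline_script_tag() (WP 5.7+) take
// their attributes from this filter instead.
add_filter( 'wp_inline_script_attributes', function ( $attributes ) {
    $attributes['nonce'] = hf_example_csp_nonce();
    return $attributes;
} );

// Caveat: a full-page cache would serve one nonce to many visitors, which
// defeats the nonce; exclude nonced pages from caching or use hashes instead.
```

Scripts that a theme prints by hand rather than through wp_enqueue_script() never pass through these filters, which is exactly the gap the plugin's Scanner tab is there to reveal.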
- Copy the header-fortress directory into wp-content/plugins/.
- Activate the plugin in WordPress.
- Open Settings > Header Fortress.
- Start with a preset or configure each header directly.
- Use the Scanner tab to validate the live response.
- Main bootstrap: header-fortress.php
- Core settings: includes/class-settings.php
- Admin UI: includes/class-admin-page.php
- Runtime headers: includes/class-header-manager.php
- Reports endpoint: includes/class-report-manager.php
- Scanner: includes/class-scanner.php
The plugin does not modify server config files such as .htaccess, wp-config.php, Apache vhosts, or Nginx configs.
It stores data in WordPress options and transients, including:
- plugin settings
- cached scanner results
- recent stored reports
- short-lived deduplication and rate-limit transients for the reporting endpoint
GPL-2.0-or-later