Title: Headers Security Advanced & HSTS WP
Author: Andrea Ferro
Published: 4 September 2021
Last modified: 16 March 2026

---


# Headers Security Advanced & HSTS WP

By [Andrea Ferro](https://profiles.wordpress.org/unicorn03/)

[Download](https://downloads.wordpress.org/plugin/headers-security-advanced-hsts-wp.5.3.2.zip)


## Description

**Headers Security Advanced & HSTS WP** is a free all-in-one plug-in for all
WordPress users. Deactivating the plugin returns your site configuration exactly
to the state it was in before.

The **Headers Security Advanced & HSTS WP** project implements HTTP response headers
that your site can use to increase its security. The plug-in automatically applies
all best practices (you don’t have to think about anything); these HTTP response
headers can prevent modern browsers from running into easily predictable
vulnerabilities. The Headers Security Advanced & HSTS WP project wants to popularize
and increase awareness and usage of these headers among all WordPress users.

This plugin is developed by OpenHeaders by irn3; we care about WordPress security
and best practices.

Check out the best features of **Headers Security Advanced & HSTS WP:**

 * X-XSS-Protection (Deprecated)
 * Pragma (Deprecated)
 * Public-Key-Pins (Deprecated)
 * Expect-CT (Deprecated)
 * Access-Control-Allow-Origin
 * Access-Control-Allow-Methods
 * Access-Control-Allow-Headers
 * X-Content-Security-Policy
 * X-Content-Type-Options
 * X-Frame-Options
 * X-Permitted-Cross-Domain-Policies
 * X-Powered-By
 * Content-Security-Policy
 * Referrer-Policy
 * HTTP Strict Transport Security / HSTS
 * Content-Security-Policy-Report-Only
 * Clear-Site-Data
 * Cross-Origin-Embedder-Policy-Report-Only
 * Cross-Origin-Opener-Policy-Report-Only
 * Cross-Origin-Embedder-Policy
 * Cross-Origin-Opener-Policy
 * Cross-Origin-Resource-Policy
 * Permissions-Policy
 * Strict-dynamic
 * Strict-Transport-Security
 * FLoC (Federated Learning of Cohorts)

**Headers Security Advanced & HSTS WP** is based on **OWASP CSRF** guidance to protect
your WordPress site. Using OWASP CSRF, once the plugin is installed it provides
full CSRF mitigation without having to call a method to use a nonce on the output.
The site will be secure despite having other vulnerable plugins (CSRF).

HTTP security headers are a critical part of your website’s security. After automatic
implementation with Headers Security Advanced & HSTS WP, they protect you from the
most notorious types of attacks your site might encounter. These headers protect
against XSS, code injection, clickjacking, etc.

We have put a lot of effort into making the most important services operational 
with **Content Security Policy (CSP)**, below are some examples that we have tested
and used with **Headers Security Advanced & HSTS WP**:

 * CSP usage for **Google Tag Manager**: the world’s most popular tag manager
 * Using CSP for **Gravatar**: avatar service for WordPress and social sites
 * Using CSP for **WordPress Internal Media**: support for WordPress media
 * Using CSP for **Youtube Embedded Video SDK**: support for Youtube embedded frames and the JS SDK
 * CSP usage for **CookieLaw**: privacy technology to meet regulatory requirements
 * CSP usage for **Mailchimp**: support for Mailchimp automation, SDK and modules
 * CSP usage for **Google Analytics**: support for basic conversion domains such as stats.g.doubleclick.net and www.google.com
 * CSP usage for **Google Fonts**: if you’re not loading it on the page, chances are one of your SDKs is using it
 * Using CSP for **Facebook**: support for Facebook SDK functionality
 * Using CSP for **Stripe**: highly secure online payment system
 * Using CSP for **New Relic**: a registration and monitoring utility
 * Using CSP for **Linkedin Tags + SDKs**: support for Linkedin Insight, Linkedin Ads and the SDK
 * Using CSP for **OneTrust**: OneTrust support helps companies manage privacy requirements
 * CSP usage for **Moat**: Moat support for its measurement suite, such as ad verification, brand safety, advertising and coverage
 * CSP usage for **jQuery**: support for the jQuery JS library
 * CSP usage for **Twitter Widgets & SDKs**: support for Connect, Widgets and the Twitter client-side SDK
 * Using CSP for **Google Maps**: support for Google Maps and the ggpht domain used by Street View
 * Using CSP for **Quantcast Choice**: Quantcast support for privacy regulations such as GDPR and CCPA
 * CSP usage for **Twitter Ads & Analytics**: Twitter support for advertising and analytics
 * Using CSP for **Paypal**: PayPal support for its online payment system
 * Using CSP for **Drift**: Drift and Driftt support
 * CSP usage for **Cookiebot**: cookie and tracker support, GDPR/ePrivacy and CCPA compliance
 * CSP usage for **Vimeo Embedded Videos SDK**: support for frames, the JS SDK and Froogaloop integration
 * Using CSP for **AppNexus (now Xandr)**: AppNexus support for custom retargeting
 * Using CSP for **Mixpanel**: support for the analytics tool with SDK/JS to collect client-side data
 * Using CSP for **Font Awesome**: toolkit support for fonts and icons over CSS and Less
 * Using CSP for **Google reCAPTCHA**: reCAPTCHA support for fraud and bot protection
 * CSP usage for **Bootstrap** CDN: Bootstrap support for CSS frameworks
 * Using CSP for **HubSpot**: Hubspot support with many features, used for monitoring and marketing functionality
 * Using CSP for **Hotjar**: Hotjar tracker support for analytics and metrics
 * Using CSP for **WP.com**: support for wp.com hosting
 * Using CSP for **Akamai mPulse**: support for Akamai mPulse, for origin and perimeter integrations
 * CSP usage for **Cloudflare – Rocket-Loader & Mirage**: support for the Mirage libraries for performance acceleration
 * Using CSP for **Cloudflare – CDN.js**: Cloudflare’s open CDN support with multiple libraries
 * Using CSP for **jsDelivr**: support for jsDelivr’s free CDN for open source

**Headers Security Advanced & HSTS WP** is based on the OWASP CSRF standard to protect
your WordPress site. Using the OWASP CSRF standard, once the plugin is installed,
you can customize CSP rules for full CSRF mitigation. The site will be secure despite
having other vulnerable plugins (CSRF).

**Integration with Sentry, Report URI, URIports and Datadog**

Sentry is a well-known platform for monitoring and tracking errors in applications.
By integrating Sentry with our plugin, users can:

 * Receive detailed reports on content security policy (CSP) violations.
 * Monitor and analyze JavaScript exceptions occurring on their site.
 * Benefit from advanced tools for proactive troubleshooting.

Monitoring and integration with Sentry, Datadog and Report URI for optimal security.

#### Free Forever

Every security header, every configuration option, and every protection this plugin
offers today will remain completely free. No features will ever be moved behind 
a paywall. Shield is a separate set of brand-new monitoring tools built on top. 
The free plugin gets better because Shield exists, not worse.

Even though **FLoC** is still fairly new and not yet widely supported, as programmers
we think that privacy protection elements are important, so we choose to give you
the feature of being opt out of FLoC! We’ve created a special **“automatic blocking
of FLoC”** feature, trying to always **offer the best tool with privacy protection
and cyber security** as main targets and focus.

Analyze your site before and after using _Headers Security Advanced & HSTS WP_: its
security headers are self-configured according to HTTP Security Headers and HTTP
Strict Transport Security / HSTS best practices.

 * Check HTTP Security Headers on [securityheaders.com](https://securityheaders.com/)
 * Check HTTP Strict Transport Security / HSTS at [hstspreload.org](https://hstspreload.org/)
 * Check WebPageTest at [webpagetest.org](https://www.webpagetest.org/)
 * Check HSTS test website [gf.dev/hsts-test](https://gf.dev/hsts-test/)
 * Check CSP test website [csper.io/evaluator](https://csper.io/evaluator)
 * Check CSP Evaluator [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com/)
 * CSP Content Security Policy Generator [addons.mozilla.org](https://addons.mozilla.org/en-US/firefox/addon/content-security-policy-gen/)

This plugin is updated periodically; our limited support is free, and we are available
for your feedback (bugs, compatibility issues or recommendations for the next updates).
We are usually fast :-D.

#### Shield — Advanced Features (Optional)

Every feature this plugin offers today is and will remain completely free, forever.
**Shield** is a separate set of brand-new advanced tools for professionals who need
deeper monitoring and automation:

 * **Security Advisor** — Analyzes your configuration and gives personalized recommendations
   in plain language
 * **CSP Guide** — Recommended tools, safe workflow, WordPress-specific CSP snippets,
   and CSP FAQ
 * **Security Score Dashboard** — Real-time A+ to F grade with header status for
   all 10 security headers
 * **Email & Webhook Alerts** — Get notified via email, Slack, Discord, Microsoft
   Teams, or custom webhook when something changes
 * **CSP Violation Analytics** — See which resources browsers are blocking and why
 * **Weekly Automated Scans** — Automatic security audit with scan history and trend
   tracking

Nothing existing moves behind a paywall. Revenue from Shield directly funds free
updates and maintenance for all 100,000+ users. Learn more at [openheaders.org/pro](https://openheaders.org/pro).

## Screenshots

 * Check HTTP Security Headers (AFTER)
 * Check HTTP Security Headers (BEFORE)
 * Check HTTP Strict Transport Security / HSTS (list)
 * Check WebPageTest (AFTER)
 * Check WebPageTest (BEFORE)
 * Setting on single site installation
 * Check HTTP Security Headers – Serpworx (AFTER)
 * Check HTTP Security Headers – Serpworx (BEFORE)
 * Site-wide security setting

## Installation

#### ENGLISH

 1. Go to Plugins ‘Add New’.
 2. Search for Headers Security Advanced & HSTS WP.
 3. Search for this plugin, download and activate it.
 4. Go to ‘settings’ > ‘Headers Security Advanced & HSTS WP’. To customize headers.
 5. You can change this option whenever you want, Headers Security Advanced & HSTS 
    WP is set automatically.


## FAQ

### Will this plugin slow down my site?

No. Headers add less than 1KB to each response. The plugin uses WordPress native
hooks and Apache .htaccess. Zero database queries at page load for visitors.

### Does it work with Nginx or LiteSpeed?

Yes. The PHP method (wp_headers filter) works on any server. The .htaccess method
is Apache-only, but the plugin automatically uses the PHP method on other servers.

### Does it work with caching plugins?

Yes. Compatible with WP Super Cache, W3 Total Cache, LiteSpeed Cache, WP Rocket,
and others.

### Does it work with Cloudflare?

Yes. Cloudflare passes through headers set by WordPress. If you also set headers
in Cloudflare dashboard, use the « Resolve duplicate headers » option in Settings
to avoid duplicates.

### How do I get an A+ grade on SecurityHeaders.com?

Your site needs all 6 scored headers present: Content-Security-Policy,
Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
and Permissions-Policy. The plugin configures all of these automatically.
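The two answers above fit together: the `wp_headers` filter is the server-independent PHP path, and the six scored headers are what it should emit. The following is an added example written for this page, not the plugin’s own code. It assumes it runs inside WordPress (`add_filter`, `is_ssl`), the header values are illustrative choices rather than the plugin’s defaults, and the `example_` function names are hypothetical.

```php
<?php
// Added example (not the plugin's own code): send the six headers that
// securityheaders.com scores by hooking WordPress's wp_headers filter.
// The filter runs for front-end responses on any web server (Apache,
// Nginx, LiteSpeed), which is what makes the PHP method portable.
// Header values are illustrative choices, not the plugin's defaults.

/**
 * Return the security headers to send, keyed by header name.
 * Strict-Transport-Security only has meaning on HTTPS responses
 * (browsers ignore it over plain HTTP), so it is added conditionally.
 */
function example_security_headers( bool $is_https ): array {
    $headers = array(
        'Content-Security-Policy' =>
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            . "base-uri 'self'; frame-ancestors 'self'",
        'X-Content-Type-Options'  => 'nosniff',
        'X-Frame-Options'         => 'SAMEORIGIN',
        'Referrer-Policy'         => 'strict-origin-when-cross-origin',
        // interest-cohort=() is the FLoC opt-out mentioned in the description.
        'Permissions-Policy'      => 'geolocation=(), microphone=(), camera=(), interest-cohort=()',
    );

    if ( $is_https ) {
        // Start with a short max-age while testing (1 day, as the FAQ
        // suggests); raise it once every page and subdomain works on HTTPS.
        $headers['Strict-Transport-Security'] = 'max-age=86400';
    }

    return $headers;
}

/**
 * wp_headers callback: merge our headers into the array WordPress emits.
 * array_merge overwrites existing string keys, so within WordPress's own
 * header array a header name is sent once. Headers added by .htaccess or
 * by a CDN are outside this array and are not deduplicated here.
 */
function example_add_security_headers( array $headers ): array {
    return array_merge( $headers, example_security_headers( is_ssl() ) );
}

// Late priority so that we run after other plugins that touch the same filter.
add_filter( 'wp_headers', 'example_add_security_headers', 99 );
```

Because `wp_headers` is only applied to responses WordPress itself generates, pages served as static files by a page cache or a CDN edge do not pass through it; for those, the headers have to be set in the web server or cache layer as well.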

### Can it conflict with other security plugins?

Rarely. If another plugin sets the same headers, you may get duplicates. Use the
« Resolve duplicate headers » checkboxes in Settings to fix this.

### What is HSTS?

HTTP Strict Transport Security tells browsers to always use HTTPS. Even if someone
types http://, the browser upgrades to https:// automatically. Prevents protocol
downgrade attacks.

### What max-age should I use for HSTS?

Minimum for preload: 31536000 (1 year). Recommended: 63072000 (2 years). Start with
86400 (1 day) to test, then increase.

### Should I enable HSTS Preload?

Only if your entire domain (including all subdomains) works over HTTPS. Preload 
is hardcoded in browsers and difficult to undo. Removal takes months. Test thoroughly
first.

### What is Content Security Policy (CSP)?

CSP tells browsers which resources can load on your page. Anything not explicitly
allowed is blocked. It is the strongest protection against XSS attacks.

### How do I configure CSP Report URI?

Enter the report URL from your monitoring service (Sentry, Report URI, URIports,
or Datadog) into the CSP Report URI field in Settings. The plugin adds the
report-uri directive to your CSP header automatically.

### Content Security Policy — Best Practices

When writing CSP directives:

 * Always use single quotes for keywords: `'self'`, `'none'`, `'unsafe-inline'`,
   `'unsafe-eval'`
 * Never use double quotes inside CSP syntax
 * Avoid smart quotes (curly quotes): the plugin converts them automatically, but
   standard quotes are recommended
 * The plugin validates and sanitizes CSP input to prevent .htaccess errors

### What happens when Shield license expires?

Your site stays fully protected. All headers keep working. You lose Shield features
(dashboard, advisor, alerts, analytics) and revert to the free version. Nothing breaks.

### Can I report a bug or request a feature?

You can report bugs or request new features at support@openheaders[dot]org.

### What will Report URI monitor for me?

Report URI will monitor content security policy (CSP) violations and provide detailed
reports on detected violations.

### What will Datadog monitor for me?

Datadog will monitor content security policy (CSP) violations and other security
and performance metrics of your site.

### Where can I find my Datadog API Key?

You can find your Datadog API Key in the « API Keys » section under « Integrations »
in the Datadog control panel. Once the plug-in is activated it performs a test
(before and after). See [Manage CSP reporting with Datadog](https://www.datadoghq.com/blog/content-security-policy-reporting-with-datadog/#csp-reporting-with-datadog).

### What will Sentry monitor for me?

Sentry will monitor and log content security policy (CSP) violations and other JavaScript
exceptions that occur on your site.

### How can I configure Sentry integration with the plugin?

 1. Log in to your Sentry dashboard.
 2. Click on the « Projects » menu item.
 3. Select the project you have created.
 4. Click on the gear icon to open project settings.
 5. In the project settings, go to the « SDK SETUP » section.
 6. Click on « Security Headers ».
 7. Copy the automatically generated « REPORT URI » URL and paste it into the « CSP
    Report URI » field in the plugin settings. Example Sentry Report URI:
    `https://<your_org>.sentry.io/api/<project_id>/security/?sentry_key=<key>`.
 8. The plugin will initialize Sentry and send CSP reports to Sentry.

[Manage CSP reporting with Sentry](https://docs.sentry.io/security-legal-pii/security/security-policy-reporting/)

### How can I configure URIports integration with the plugin?

 1. Log in to your Sentry dashboard.
 2. Click on the « User Icon » at the top right of your screen.
 3. Click « Settings ».
 4. Add the domains you want to monitor to the « Monitored Domains » section on the
    settings page.
 5. Click on « Security Headers ».
 6. Copy the automatically generated « URIports » URL and paste it into the « CSP Report
    URI » field in the plugin settings. Example URIports Report URI:
    `https://account-subdomain.uriports.com/reports`.
 7. The plugin will initialize URIports and send CSP reports to URIports.

[Manage CSP reporting with URIports](https://www.uriports.com/getting-started-with-website-monitoring)

### Why did you choose to integrate with Sentry, URIports, Datadog, and Report URI?

I chose Sentry, URIports, Datadog, and Report URI for integration with this plugin
because they are highly reputable and functional platforms in the field of security
monitoring. Here’s a brief overview of each:

**Sentry**

Sentry is a well-known platform for monitoring and tracking errors and exceptions
in applications. It provides comprehensive tools for logging and analyzing JavaScript
errors, making it an excellent choice for monitoring Content Security Policy (CSP)
violations. By integrating with Sentry, users can benefit from detailed error reports
and proactive issue resolution.

**Datadog**

Datadog is a powerful platform for monitoring infrastructure, applications, and 
logs. It offers extensive capabilities for tracking security and performance metrics,
including CSP violations. The integration with Datadog allows users to gain insights
into the health and security of their websites, providing real-time monitoring and
alerting features that are essential for maintaining a secure and performant environment.

**Report URI**

Report URI is a dedicated service for collecting and analyzing security violation
reports, including CSP, HPKP, and other security headers. It is designed specifically
to handle large volumes of security reports and provide detailed analytics and visualizations.
By using Report URI, users can easily monitor and analyze CSP violations, helping
them to quickly identify and mitigate potential security threats.

**URIports**

URIports is a well-known platform for monitoring and tracking errors and exceptions
in applications. It provides comprehensive tools for logging and analyzing JavaScript
errors, making it an excellent choice for monitoring Content Security Policy (CSP)
violations. By integrating with URIports, users can benefit from detailed error
reports and proactive issue resolution.

Each of these platforms offers unique strengths and capabilities, making them ideal
choices for comprehensive security monitoring and reporting. By integrating with
these well-established services, we aim to provide users with reliable and effective
tools to enhance the security of their WordPress websites.

### Can I view CSP reports directly in Sentry?

Yes, all CSP reports will be sent to Sentry, where you can view and analyze them
in the Sentry control panel.

### How do you get an A+ grade?

To earn an A+ grade, your site must issue all HTTP response headers that we check.
This indicates a high level of commitment to improving the security of your visitors.

### What headers are recommended?

Over an HTTP connection we get Content-Security-Policy, X-Content-Type-Options, 
X-Frame-Options and X-XSS-Protection. Via an HTTPS connection, 2 additional headers
are checked for presence which are Strict-Transport-Security and Public-Key-Pins.

 * Once the plug-in is activated it performs a test (before and after): [https://securityheaders.com/](https://securityheaders.com/)

### Can the plugin create slowdowns?

No, Headers Security Advanced & HSTS WP is Fast, Secure and does not affect the 
SEO and speed of your website.

### Content Security Policy (CSP) – Best Practices

When writing your CSP directives in the plugin settings, please follow these rules
to avoid invalid configurations:

**1. Always use single quotes `'` for CSP keywords**

CSP keywords must always use straight ASCII single quotes:

 * `'self'`
 * `'none'`
 * `'unsafe-inline'`
 * `'unsafe-eval'`
 * `'strict-dynamic'`

These are required by the CSP specification.

**2. Never use double quotes `"` inside the CSP**

Double quotes are used only _outside_ the policy (for example by Apache when setting
headers), not inside the CSP syntax. Using double quotes inside the policy may
break the .htaccess configuration.

**3. Do not use “smart quotes” or curly quotes (‘ ’ “ ”)**

Smart quotes often appear when copying text from Word, Google Docs, PDFs, email 
clients, or mobile keyboards. These characters are invalid in CSP and may cause 
the browser to reject the policy or Apache to return HTTP 500 errors.

The plugin automatically converts smart quotes to standard quotes, but it is recommended
to avoid them when writing your policy.

**4. What happens if a user enters an invalid CSP?**

Starting from version 5.2.4, the plugin automatically:

 * Normalizes curly quotes to ASCII quotes
 * Replaces invalid double quotes inside the CSP
 * Prevents malformed CSP syntax from breaking .htaccess
 * Falls back to the built-in default CSP if the input is clearly invalid

This ensures that even incorrect CSP input will not cause the site to crash.
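As an added illustration of the quoting rules and the fallback behaviour described in this section and in the earlier « Best Practices » FAQ entry (this is example code written for the page, not the plugin’s implementation): a small PHP normalizer that maps smart quotes to ASCII, replaces double quotes with single quotes, checks that every directive is a known name followed by well-formed tokens, and falls back to a default policy otherwise. The directive list, the token pattern and `EXAMPLE_DEFAULT_CSP` are assumptions made for the example.

```php
<?php
// Added example (not the plugin's own code): normalize and validate a
// user-supplied CSP string before it is written into an Apache Header
// directive. The directive list and fallback policy are illustrative.

const EXAMPLE_DEFAULT_CSP = "default-src 'self'; object-src 'none'; base-uri 'self'";

/**
 * Map curly/smart quotes to ASCII quotes, then turn any double quotes into
 * single quotes: double quotes never belong inside a policy and would end
 * the quoted value in an Apache `Header set` line.
 */
function example_normalize_csp_quotes( string $csp ): string {
    $smart = array( "\u{2018}", "\u{2019}", "\u{201C}", "\u{201D}" );
    $ascii = array( "'", "'", '"', '"' );
    $csp   = str_replace( $smart, $ascii, $csp );
    return str_replace( '"', "'", $csp );
}

/**
 * Structural check: each non-empty, semicolon-separated part must begin with
 * a known directive name, and every following token must be either a
 * single-quoted keyword/nonce/hash or a bare host, scheme or wildcard.
 * Anything else (stray quotes, newlines, unexpected characters) fails.
 */
function example_csp_is_valid( string $csp ): bool {
    static $directives = array(
        'default-src', 'script-src', 'style-src', 'img-src', 'font-src',
        'connect-src', 'frame-src', 'frame-ancestors', 'object-src',
        'base-uri', 'form-action', 'report-uri', 'report-to',
        'upgrade-insecure-requests', 'worker-src', 'media-src',
        'child-src', 'manifest-src',
    );
    $parts = array_filter( array_map( 'trim', explode( ';', $csp ) ), 'strlen' );
    if ( empty( $parts ) ) {
        return false;
    }
    foreach ( $parts as $part ) {
        $tokens = preg_split( '/\s+/', $part );
        $name   = strtolower( array_shift( $tokens ) );
        if ( ! in_array( $name, $directives, true ) ) {
            return false;
        }
        foreach ( $tokens as $token ) {
            if ( ! preg_match( "/^('[^'\"\\s]+'|[A-Za-z0-9*.:\\/_%\\-]+)$/", $token ) ) {
                return false;
            }
        }
    }
    return true;
}

/**
 * Full pipeline: normalize quotes, collapse whitespace from pasted text,
 * validate, and fall back to the default policy when the input is unusable.
 */
function example_sanitize_csp( string $input ): string {
    $csp = example_normalize_csp_quotes( trim( $input ) );
    $csp = preg_replace( '/\s+/', ' ', $csp );
    return example_csp_is_valid( $csp ) ? $csp : EXAMPLE_DEFAULT_CSP;
}

// Constructed inputs: one pasted from a word processor, one clearly broken.
$pasted = "default-src \u{2018}self\u{2019}; script-src \"self\" https://cdn.example.com";
$broken = "default-src 'self'; not-a-directive x";

echo example_sanitize_csp( $pasted ), PHP_EOL;
// default-src 'self'; script-src 'self' https://cdn.example.com
echo example_sanitize_csp( $broken ), PHP_EOL;
// default-src 'self'; object-src 'none'; base-uri 'self'
```

The validation is deliberately conservative: it rejects a policy rather than trying to repair an unknown directive, because a policy that cannot be parsed is exactly what produces an HTTP 500 from Apache, whereas falling back to a known-good default keeps the site up.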

### What is HSTS (Strict Transport Security)?

It was created as a solution to force the browser to use secure connections when
a site is running on HTTPS. It is a security header that is added to the web server
and reflected in the response header as Strict-Transport-Security. HSTS is important
because it addresses the following anomalies:

### Check before and after using Preload HSTS

This step is important to submit your website and/or domain to the approved HSTS
preload list. Google compiles this list and it is used by Chrome, Firefox, Opera,
Safari, IE11 and Edge. You can submit your site to the official HSTS preload directory
(https://hstspreload.org/).

### How to use HTTP Strict Transport Security (HSTS)

If you want to use Preload HSTS for your site, there are a few requirements before
you can activate it.

 * Have a valid SSL certificate. You can’t do any of this anyway without it.
 * You must redirect all HTTP traffic to HTTPS (recommended via permanent 301 redirects).
   This means that your site should be HTTPS only.
 * You need to serve all subdomains in HTTPS as well. If you have subdomains, you
   will need an SSL certificate.

The HSTS header on your base domain (for example: example.com) is already configured;
you just need to activate the plug-in.
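The max-age values from the FAQ and the preload prerequisites listed above, put into a small PHP helper. This is an added example, not code from the plugin; the constants and `example_` functions are hypothetical names. The checks encode what hstspreload.org requires for submission (includeSubDomains and a max-age of at least one year) together with the FAQ’s staged rollout from a one-day test value upwards.

```php
<?php
// Added example (not the plugin's own code): build a Strict-Transport-Security
// value and refuse combinations that the preload list would reject or that
// are unsafe to emit. Thresholds follow the FAQ above.

const EXAMPLE_HSTS_TEST_AGE    = 86400;    // 1 day: first rollout step
const EXAMPLE_HSTS_PRELOAD_MIN = 31536000; // 1 year: minimum for preload
const EXAMPLE_HSTS_RECOMMENDED = 63072000; // 2 years: recommended

/**
 * Return the header value, or throw when the requested combination is invalid.
 * The preload list requires includeSubDomains and max-age >= 1 year; emitting
 * "preload" without them gives the flag no effect and fails submission.
 */
function example_build_hsts( int $max_age, bool $include_subdomains, bool $preload ): string {
    if ( $max_age < 0 ) {
        throw new InvalidArgumentException( 'max-age must be non-negative' );
    }
    if ( $preload && ! $include_subdomains ) {
        throw new InvalidArgumentException( 'preload requires includeSubDomains' );
    }
    if ( $preload && $max_age < EXAMPLE_HSTS_PRELOAD_MIN ) {
        throw new InvalidArgumentException( 'preload requires max-age of at least one year' );
    }

    $value = 'max-age=' . $max_age;
    if ( $include_subdomains ) {
        $value .= '; includeSubDomains';
    }
    if ( $preload ) {
        $value .= '; preload';
    }
    return $value;
}

/**
 * Only emit HSTS on HTTPS responses. Browsers ignore the header over plain
 * HTTP, and the HTTP -> HTTPS 301 redirect listed in the prerequisites is
 * what gets the client onto the secure connection in the first place.
 */
function example_hsts_header_for_request( bool $is_https, int $max_age, bool $include_subdomains, bool $preload ): ?string {
    return $is_https ? example_build_hsts( $max_age, $include_subdomains, $preload ) : null;
}

// Staged rollout as the FAQ describes: test value, then one year with
// subdomains, then the recommended two years with preload.
$stages = array(
    array( EXAMPLE_HSTS_TEST_AGE, false, false ),
    array( EXAMPLE_HSTS_PRELOAD_MIN, true, false ),
    array( EXAMPLE_HSTS_RECOMMENDED, true, true ),
);
foreach ( $stages as $stage ) {
    echo 'Strict-Transport-Security: ' . example_build_hsts( ...$stage ), PHP_EOL;
}

// Mis-ordered rollout: asking for preload before the subdomains are covered.
try {
    example_build_hsts( EXAMPLE_HSTS_RECOMMENDED, false, true );
} catch ( InvalidArgumentException $e ) {
    echo 'Rejected: ' . $e->getMessage(), PHP_EOL;
}
```

The staged values matter because a long max-age is a commitment: once a browser has cached a two-year policy for a host, a subdomain that is not yet served over HTTPS becomes unreachable for that visitor until the policy expires or the site is removed from the preload list, which the FAQ notes takes months.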

If you want to check the HSTS status of your site, you can do so here: [https://hstspreload.org/](https://hstspreload.org/)

### Disable FLoC, Google’s advertising technology

FLoC is a mega tracker that monitors user activity on all sites, stores the information
in the browser, and then uses machine learning to place users into cohorts with 
similar interests. This way, advertisers can target groups of people with similar
interests. Plus, according to Google’s own testing, FLoC achieves at least 95% more
conversions than cookies.

### Who is disabling FLoC by Google?

Scott Helme reported that as of May 3, already 967 of the first 1 million domains
had disabled FLoC’s interest-cohort in their Permissions-Policy header. That list
included some big sites like The Guardian and IKEA.

### Do you use Cloudflare and the Headers Security Advanced & HSTS WP plugin?

Are you experiencing any anomalies after a plugin update? If so, please follow
these instructions to clear the cache directly in the Cloudflare dashboard:

 * Log in to your Cloudflare dashboard, and select your account and domain.
 * Select Caching > Configuration.
 * Under Cache Purge, select Custom Purge. The custom purge window will be displayed.
 * Under Purge by, select URL.
 * Enter the appropriate values in the text field using the format shown in the 
   example.
 * Run through the additional instructions to complete the form.
 * Review the data entered.
 * Click Delete.

This will cause the [cloudFlare](https://developers.cloudflare.com/cache/how-to/purge-cache/)

## Reviews

### [Adds too much and slows the pageload](https://wordpress.org/support/topic/adds-too-much-and-slows-the-pageload/)

 [mesmer7](https://profiles.wordpress.org/mesmer7/) 14 April 2026

Adds a lot of unnecessary headers that accomplish nothing. And it seems to slow 
page load. You’re better off manually editing the htaccess file with just a few 
absolutely necessary headers.

### [Fantastic!](https://wordpress.org/support/topic/fantastic-3478/)

 [Ben](https://profiles.wordpress.org/benjaminloeffel/) 9 January 2026

Fantastic Plugin!

### [Awesome](https://wordpress.org/support/topic/awesome-10601/)

 [ElsBer](https://profiles.wordpress.org/ebedo/) 28 November 2025

I already loved the plugin! But the help I received from Andrea Ferro when a problem
arose was also fantastic. Fantastic! Thanks

### [Great plugin and support](https://wordpress.org/support/topic/great-plugin-and-support-1896/)

 [Fantou](https://profiles.wordpress.org/fantou/) 28 November 2025

A very useful and efficient plugin which brings important security to websites by
just installing it! I had some questions and the support was very friendly and
quick to answer. Thanks for your great plugin and your kindness!

### [Great plugin and even better developer!](https://wordpress.org/support/topic/great-plugin-and-even-better-developer/)

 [boxhamster](https://profiles.wordpress.org/boxhamster/) 25 November 2025

5 stars for this plugin. It’s well done and Andrea is super helpful and fast with
questions! Highly recommended. Thank you.

### [Great plugin, a must have](https://wordpress.org/support/topic/great-plugin-a-must-have-14/)

 [pikapower](https://profiles.wordpress.org/pikapower/) 19 November 2025

I was tired of changing htaccess every time and still didn’t get a good score for
my security header. At last I found this plugin and it works great! Also the support
from Andrea is phenomenal! Thanks for your help and this plugin!

 [ Read all 78 reviews ](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/)

## Contributors & Developers

“Headers Security Advanced & HSTS WP” is open source software. The following people
have contributed to this plugin.

Contributors

 * [Andrea Ferro](https://profiles.wordpress.org/unicorn03/)
 * [Alex Lion (阿力獅)](https://profiles.wordpress.org/alexclassroom/)

“Headers Security Advanced & HSTS WP” has been translated into 9 locales. Thank 
you to [the translators](https://translate.wordpress.org/projects/wp-plugins/headers-security-advanced-hsts-wp/contributors)
for their contributions.

[Translate “Headers Security Advanced & HSTS WP” into your language.](https://translate.wordpress.org/projects/wp-plugins/headers-security-advanced-hsts-wp)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/headers-security-advanced-hsts-wp/),
check out the [SVN repository](https://plugins.svn.wordpress.org/headers-security-advanced-hsts-wp/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/headers-security-advanced-hsts-wp/)
by [RSS](https://plugins.trac.wordpress.org/log/headers-security-advanced-hsts-wp/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 5.3.2

This update introduces **Shield** — optional advanced tools for professionals who
need deeper security monitoring. Every existing feature remains completely free,
forever.

 * New: Shield tab-based interface (Settings, Dashboard, CSP, Notifications, Export/
   Import, License, Free vs Shield, FAQ)
 * New: Security Advisor with personalized recommendations
 * New: Security Score Dashboard (A+ to F grading, 10 header status overview)
 * New: CSP Guide with recommended tools (Csper.io, Google CSP Evaluator, Report
   URI, URIports)
 * New: CSP violation analytics (top blocked domains, directives, trends)
 * New: Email alerts when security score drops or headers change
 * New: Webhook notifications (Slack, Discord, Microsoft Teams, custom JSON endpoint)
 * New: Export/Import settings for agencies managing multiple sites
 * New: Weekly automated scans with history tracking
 * New: Comprehensive FAQ with search and category filters
 * New: Free vs Shield comparison with transparent pricing
 * Improved: Clean uninstall (license auto-deactivated, all options removed)

#### 5.2.5

I don’t want to tell you what to do, but here’s the thing: When you update the Headers
Security Advanced & HSTS WP plugin, you don’t just click a button, you enter a world
of enhanced security and performance.

With version 5.2.5, I have gone above and beyond to ensure that your experience 
is nothing short of exceptional. I have eliminated numerous bugs, improved annoying
pixels, and updated the graphics in a sleek and modern way. The result? A plugin
that not only looks great, but works even better.

But that’s not all. This update brings seamless integration with the industry’s
leading security monitoring platforms: Sentry, Datadog, and Report URI. These integrations
offer enhanced reporting capabilities, providing detailed information on Content
Security Policy (CSP) violations and improving site security.

 * Update: Code optimization for better compatibility with WordPress version 6.9
 * Fixed: Improved compatibility with WordPress 6.9 plugin list rendering
 * Fixed: Resolved edge case where plugin list could stop rendering when other plugins
   return unexpected values from the `plugin_action_links` filter
 * Hardened: Added defensive type checking for better interoperability with
   third-party plugins

By updating to 5.2.5, you’re not just improving your site’s security, you’re optimizing
it with the best tools available. Our goal is to provide you with the most beautiful,
fastest, and most impressive plugin experience around. So, shall we get started?
Hit “update” and step into a new era of security and performance with Headers
Security Advanced & HSTS WP. Enjoy the upgrade!

## Meta

 * Version **5.3.2**
 * Last updated **1 month ago**
 * Active installations **90 000+**
 * WordPress version **4.7 or higher**
 * Tested up to **6.9.4**
 * PHP version **7.4 or higher**
 * Languages:
   [Bengali (Bangladesh)](https://bn.wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [Dutch](https://nl.wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [English (US)](https://wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [French (France)](https://fr.wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [Italian](https://it.wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [Japanese](https://ja.wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [Portuguese (Brazil)](https://br.wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [Russian](https://ru.wordpress.org/plugins/headers-security-advanced-hsts-wp/),
   [Spanish (Chile)](https://cl.wordpress.org/plugins/headers-security-advanced-hsts-wp/)
   and [Spanish (Spain)](https://es.wordpress.org/plugins/headers-security-advanced-hsts-wp/).
 * [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/headers-security-advanced-hsts-wp)
 * Tags:
   [clickjacking](https://oci.wordpress.org/plugins/tags/clickjacking/),
   [csp](https://oci.wordpress.org/plugins/tags/csp/),
   [headers](https://oci.wordpress.org/plugins/tags/headers/),
   [headers security](https://oci.wordpress.org/plugins/tags/headers-security/),
   [hsts](https://oci.wordpress.org/plugins/tags/hsts/)
 * [Advanced View](https://oci.wordpress.org/plugins/headers-security-advanced-hsts-wp/advanced/)

## Ratings

4.9 out of 5 stars.

 * [72 5-star reviews](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/?filter=5)
 * [3 4-star reviews](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/?filter=4)
 * [1 3-star review](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/?filter=3)
 * [2 2-star reviews](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/reviews/)

## Contributors

 * [Andrea Ferro](https://profiles.wordpress.org/unicorn03/)
 * [Alex Lion (阿力獅)](https://profiles.wordpress.org/alexclassroom/)

## Support

Got something to say? Need help?

[View support forum](https://wordpress.org/support/plugin/headers-security-advanced-hsts-wp/)

## Donate

Would you like to support the advancement of this plugin?

[Donate to this plugin](https://www.buymeacoffee.com/tentacleplugins)