HTTP Security Headers Explained

5 min read · Updated 24 March 2026

HTTP security headers are instructions your server sends to browsers, telling them how to behave when displaying your site. They protect against clickjacking, MIME-sniffing attacks, and more.

Why Security Headers Matter

Most hosting environments and WordPress setups do not send any security headers by default. This leaves your visitors exposed to a range of client-side attacks. Security headers are a one-time configuration that provides ongoing protection with zero performance cost.

X-Frame-Options: Prevent Clickjacking

Clickjacking loads your site inside an invisible iframe on an attacker's page. Visitors think they are clicking elements on the attacker's page, but their clicks actually land on your site's hidden controls.

  • SAMEORIGIN (recommended) — your site can only be framed by pages on the same domain.
  • DENY — your site cannot be framed anywhere, ever.

X-Content-Type-Options: Stop MIME Sniffing

Setting this to "nosniff" tells browsers not to try guessing the content type of a response. Without it, a browser might execute a JavaScript file disguised as an image. One line, no downsides.

Referrer-Policy: Control Information Leakage

"strict-origin-when-cross-origin" (recommended) sends your full URL as referrer for same-site links, but only the origin (https://yoursite.com) for links to other sites. This prevents leaking admin paths, query strings, or user session data to third parties.

Permissions-Policy: Lock Down Browser Features

This header disables camera, microphone, geolocation, payment, and USB access for your site and any content it embeds. If your site does not use these features, blocking them removes entire classes of potential attacks.

Strict-Transport-Security (HSTS): Force HTTPS

HSTS tells browsers that your site must always be accessed over HTTPS and to refuse any HTTP connection. Once a browser has seen this header, it will never try HTTP again for your site for the duration of max-age (default: 1 year).

⚠️ Only enable HSTS if your site already has a valid SSL certificate installed and HTTPS working correctly. Enabling HSTS on an HTTP site will make it permanently inaccessible in that browser.

How to Enable Security Headers

  1. Navigate to Tools → WP 1 Click LockDown.
  2. Scroll to the "HTTP Security Headers" section (Single Site plan or above).
  3. Check "Enable HTTP Security Headers".
  4. Configure each header to your preference or leave all at recommended defaults.
  5. Click Save All Settings.
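After saving, it is worth confirming that the headers described above are actually being served. The following checker is an added example and is not part of the plugin or this article: it takes a raw response header block (what `curl -I https://yoursite.com` prints, or any other capture) and reports missing or weaker-than-recommended values; the two sample responses are constructed, not captured from a real site.

```python
import re

RECOMMENDED = {  # recommended values from the article, compared case-insensitively
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"strict-origin-when-cross-origin"},
}
LOCKED_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")
MIN_HSTS_MAX_AGE = 31536000  # one year, the default the article mentions

def parse_headers(raw):
    """Turn a raw response header block (as printed by curl -I) into a dict."""
    headers = {}
    for line in raw.splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return findings for missing or weak headers; an empty list means OK."""
    h = parse_headers(raw)
    findings = []
    for name, allowed in RECOMMENDED.items():
        value = h.get(name, "").lower()
        if not value:
            findings.append(f"{name}: missing")
        elif value not in allowed:
            findings.append(f"{name}: unexpected value '{value}'")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not hsts:
        findings.append("strict-transport-security: missing or has no max-age")
    elif int(hsts.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"strict-transport-security: max-age {hsts.group(1)} is below one year")
    policy = h.get("permissions-policy", "")
    for feature in LOCKED_FEATURES:  # the article says each of these should be disabled
        if not re.search(rf"\b{feature}=\(\)", policy):
            findings.append(f"permissions-policy: {feature} not disabled")
    return findings

# Constructed sample responses (not captured from a real site).
DEFAULT_WORDPRESS = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
HARDENED = (
    "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
)
```

Running `audit(DEFAULT_WORDPRESS)` lists every header as missing, while `audit(HARDENED)` returns an empty list.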
