=== HeaderShield ===
Contributors: vishwaliyanarachchi, vishvega, sbvi1122
Tags: security, headers, hsts, csp, hardening
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.14
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Donate link: https://wordpress.org/support/plugin/headershield/

Add safe, modern HTTP security headers with optional strict cross-origin protections and a simple admin UI.

== Description ==

HeaderShield adds a conservative set of security headers that improve browser protection without breaking most sites. It also provides optional strict cross-origin protections for sites that are ready for them.

Default headers include:

* X-Frame-Options
* X-Content-Type-Options
* X-XSS-Protection (legacy)
* Referrer-Policy
* Permissions-Policy
* Content-Security-Policy (upgrade-insecure-requests)
* Strict-Transport-Security (HTTPS only)

Strict Mode can additionally enable COEP, COOP, and CORP for stronger isolation, but may break third‑party scripts or embeds. Use with care and test on staging first.

= Source code for third-party assets =

The admin UI uses SlimSelect for the multi-select dropdown. Human-readable source is included in the plugin:

* JavaScript: `assets/js/slimselect.js` (minified build: `assets/js/slimselect.min.js`)
* CSS: `assets/css/slimselect.css` (minified build: `assets/css/slimselect.min.css`)

Upstream project: https://github.com/brianvoe/slim-select (MIT). This plugin does not use a custom build process; the included files are from the published release.

== Installation ==

1. Upload the `headershield` plugin folder to `/wp-content/plugins/`, or install via **Plugins → Add New** and search for HeaderShield.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Go to **Security Headers** in the admin sidebar to configure settings.

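To confirm on staging that the default headers listed in the Description are actually being sent after activation, a response header block (for example the output of `curl -sI`) can be audited as below. This is an added example, not part of HeaderShield; the `audit` function and the sample response, including its header values, are constructed for illustration.

```python
# Added example, not part of HeaderShield: audit a response header block
# against the default header set named in the plugin description.
from email.parser import Parser

DEFAULT = ["X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection",
           "Referrer-Policy", "Permissions-Policy", "Content-Security-Policy"]
STRICT = ["Cross-Origin-Embedder-Policy",   # COEP
          "Cross-Origin-Opener-Policy",     # COOP
          "Cross-Origin-Resource-Policy"]   # CORP

# Constructed sample (as printed by `curl -sI`); values are illustrative,
# not the values HeaderShield sends.
SAMPLE = """HTTP/1.1 200 OK
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-security-policy: upgrade-insecure-requests
strict-transport-security: max-age=31536000
"""

def audit(raw, https=True, strict=False):
    """Return sorted findings for a raw header block (status line optional)."""
    lines = raw.strip().splitlines()
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]                      # drop the status line
    msg = Parser().parsestr("\n".join(lines), headersonly=True)
    expected = DEFAULT + (["Strict-Transport-Security"] if https else [])
    expected += STRICT if strict else []
    # Message lookups are case-insensitive, like HTTP header names.
    findings = [f"missing: {h}" for h in expected if msg.get(h) is None]
    # A CSP header may carry several policies (comma) and directives (semicolon).
    csp = ";".join(msg.get_all("Content-Security-Policy") or [])
    names = {d.split()[0].lower() for d in csp.replace(",", ";").split(";") if d.strip()}
    if csp and "upgrade-insecure-requests" not in names:
        findings.append("csp: upgrade-insecure-requests not set")
    if not https and msg.get("Strict-Transport-Security") is not None:
        findings.append("hsts: sent over plain HTTP, where browsers ignore it")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, https=True, strict=False):
        print(finding)
```

Pass `strict=True` when Strict Mode is enabled so the three cross-origin headers are checked as well.
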
= Optional: use as must-use plugin =

You can also copy the main plugin file into `/wp-content/mu-plugins/` so it is always active and cannot be disabled from the Plugins screen.

== Frequently Asked Questions ==

= Will this break my site? =

The default headers are conservative and should be safe for most sites. Strict Mode may break embeds, analytics, fonts, or CDNs, so test on staging first.

= Does this affect SEO? =

No. These headers improve browser security and do not affect SEO.

== Screenshots ==

1. Settings page.
2. User guide page.

== Upgrade Notice ==

= 1.0.14 =

Initial public release. Adds security headers with an admin UI and optional strict cross-origin protections.

== Changelog ==

= 1.0.14 =

* Initial public release.