Title: HTTP Headers
Author: Dimitar Ivanov
Published: 10 May 2016
Last modified: 22 December 2024

---


# HTTP Headers

 By [Dimitar Ivanov](https://profiles.wordpress.org/zinoui/)

[Download](https://downloads.wordpress.org/plugin/http-headers.1.19.2.zip)


## Description

HTTP Headers gives you control over the HTTP headers returned by your blog or
website.

Headers supported by HTTP Headers include:

 * Access-Control-Allow-Origin
 * Access-Control-Allow-Credentials
 * Access-Control-Max-Age
 * Access-Control-Allow-Methods
 * Access-Control-Allow-Headers
 * Access-Control-Expose-Headers
 * Age
 * Content-Security-Policy
 * Content-Security-Policy-Report-Only
 * Cache-Control
 * Clear-Site-Data
 * Connection
 * Content-Encoding
 * Content-Type
 * Cross-Origin-Embedder-Policy
 * Cross-Origin-Opener-Policy
 * Cross-Origin-Resource-Policy
 * Expect-CT
 * Expires
 * Feature-Policy
 * NEL
 * Permissions-Policy
 * Pragma
 * P3P
 * Referrer-Policy
 * Report-To
 * Strict-Transport-Security
 * Timing-Allow-Origin
 * Vary
 * WWW-Authenticate
 * X-Content-Type-Options
 * X-DNS-Prefetch-Control
 * X-Download-Options
 * X-Frame-Options
 * X-Permitted-Cross-Domain-Policies
 * X-Powered-By
 * X-Robots-Tag
 * X-UA-Compatible
 * X-XSS-Protection

## Screenshots

 * This screenshot shows the dashboard with the categories of supported headers.
 * This screenshot shows the headers of a chosen category and their current
   values.
 * This screenshot shows the settings page where you can adjust the security
   headers.
 * This screenshot shows the response headers returned by the web server.

## Installation

Upload the HTTP Headers plugin to your blog. Then activate it.

That's all.

## FAQ

### Why use this plugin?

Nowadays the security of your social data on the web is essential. This plugin
helps you improve the overall security of your website.

### Who uses these headers?

These HTTP headers are used in production services by popular websites such as
Facebook, Google+, Twitter, LinkedIn, YouTube, Yahoo, Amazon, Instagram,
Pinterest.

## Reviews

### [Make Main and sub-domain site down](https://wordpress.org/support/topic/make-main-and-sub-domain-site-down/)

 [ysc711](https://profiles.wordpress.org/ysc711/) 30 August 2025, 2 replies

Never use this plugin as the security settings make my main site and all sub-domain
sites down and even after uninstallation / removal of everything and start to install
a new WP, it doesn’t work anymore

### [worked exactly as promised except 2](https://wordpress.org/support/topic/worked-exactly-as-promised-except-2/)

 [fairshareitservices](https://profiles.wordpress.org/fairshareitservices/) 29 April 2025

worked exactly as promised except 2

### [Easy to use and almost perfect](https://wordpress.org/support/topic/easy-to-use-and-almost-perfect/)

 [sunb1](https://profiles.wordpress.org/sunb1/) 30 March 2025

Went through a bunch of options of adding security headers to my sites and settled
on this plugin. Would be 5 stars if two things get fixed/added. 1st is that it would
be great to have a save button at the top also so you don’t have to scroll so much
to the bottom to save options (especially on CSP screen). And the 2nd would be that
the boxes where we are able to input sites etc, sometimes you have to paste numerous
websites in that field and it is ridiculously annoying to try to scroll through,
see what's already there or copy and paste outside in notepad for example and then
paste it back in. Would be great if that field could be expanded or just bigger.

### [Not compatible with Elementor](https://wordpress.org/support/topic/not-compatible-with-elementor-22/)

 [RipRapRob](https://profiles.wordpress.org/ripraprob/) 23 September 2024

When used with Elementor, you can’t edit the pages. Had to uninstall, since I don’t
know what else it will break.

### [effective plugin – save the x-content-type](https://wordpress.org/support/topic/effective-plugin-save-the-x-content-type/)

 [swampscrapper](https://profiles.wordpress.org/swampscrapper/) 11 May 2024, 2 replies

I am finding this a very effective tool to help clients reach security compliance.
There is one glitch I believe, however, is with the x-content-type-options. Once
you enable this the only option is “nosniff”. And once enabled, there is no way 
to reset it. And unfortunately I believe this setting is creating errors on my site.
I can’t even seem to find the line for it in my .htaccess file. Any recommendations?

### [an exceptional plugin – needs updating](https://wordpress.org/support/topic/an-exceptional-plugin-needs-updating/)

 [Jonathan Jewell](https://profiles.wordpress.org/hyperpolymath/) 30 April 2024

I have felt this has been excellent since the first time I used it, and absolutely
no issues with it for what it is, except that there are a couple of headers that
either need to be ‘marked deprecated’ or just removed. My immediate spot of these
are the Features header, P3P header and the Expect-CT (which is still around, but
Mozilla recommend not using). There may be others. There are a bunch of things that
I might suggest as improvements, but this is to move the tool forward a bit. For
instance: It would be great if it could display the highlighted state of the current
Apache/Nginx code and the status of the security (as per securityheaders.com form)
alongside/under it, so you could see the evolution of the security header set up
arrangements as you add/remove them. Could be useful to have some in-built documentation
on these things (particularly with the P3P header, those little summary items were
impossible to figure out without going back and forth, but for other things like
cache-control, or accept-expose-headers, some labelling could help). That said, 
for advanced users anyway, so perhaps less important. Further to that, it might 
be useful to have an indication of what OWASP, Scott Helme, and Mozilla recommend
and/or warnings for ones that are problematic for security or high risk with labels
on them. There are a few things that have odd formatting, so it is not obvious how
to transpose the information for the reporting one over from how the header is laid
out, since there are different ones for this. In this you have the report header
that is normally used (as per report-uri site from Scott Helme) but it does not 
fit there. However, it has a group called ‘csp-element’ or something similar that
might be clearer as to its use elsewhere. There is also the display of custom headers
that are all grouped into one thing, and not spread out in a useful way if you want
to review them. Odd grouping in a couple of places, so custom headers I might have
given its own block for instance, and to have two items in one and even one in one
grouping is a bit pointless. On another note, it is a shame that there is not a 
tool that is so effective that does this kind of thing for WordPress and just outputs
the BIND9 detail for DNS resource records. A combination of this and that, with 
the ability to adjust PHP and Apache settings would be the most amazing tool ever.
For what this does, however, is sets the foundations for a great security setup.

 [Read all 70 reviews](https://wordpress.org/support/plugin/http-headers/reviews/)

## Contributors & Developers

“HTTP Headers” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [Dimitar Ivanov](https://profiles.wordpress.org/zinoui/)

“HTTP Headers” has been translated into 5 languages. Thanks to [the translators](https://translate.wordpress.org/projects/wp-plugins/http-headers/contributors)
for their contributions.

[Translate “HTTP Headers” into your language.](https://translate.wordpress.org/projects/wp-plugins/http-headers)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/http-headers/), check
out the [SVN repository](https://plugins.svn.wordpress.org/http-headers/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/http-headers/)
by [RSS](https://plugins.trac.wordpress.org/log/http-headers/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.19.2

_Release Date – 22nd December, 2024_

 * Added “script-src-elem” directive to “Content-Security-Policy” header
 * Added “script-src-attr” directive to “Content-Security-Policy” header
 * Added “style-src-elem” directive to “Content-Security-Policy” header
 * Added “style-src-attr” directive to “Content-Security-Policy” header

#### 1.19.1

_Release Date – 2nd September, 2023_

 * Added “clientHints” directive to “Clear-Site-Data” header
 * Added “credentialless” directive to “Cross-Origin-Embedder-Policy” header

#### 1.19.0

_Release Date – 7th July, 2023_

 * Fixed: SSRF vulnerability by an Admin user
 * Fixed: XSS vulnerability by an Admin user

#### 1.18.11

_Release Date – 11th June, 2023_

 * Fixed: Remote Code Execution by an Admin user

#### 1.18.10

_Release Date – 28th May, 2023_

 * Fixed: Remote Code Execution by an Admin user
 * Removed: Import/Export functions

#### 1.18.9

_Release Date – 23rd April, 2023_

 * Fixed: Remote Code Execution by an Admin user

#### 1.18.8

_Release Date – 17th April, 2023_

 * Fixed: SQL Injection by an Admin user
 * Fixed: Remote Code Execution by an Admin user
 * Few PHP 8.x compatible fixes

#### 1.18.7

_Release Date – 24th January, 2023_

 * Fix CSP default value

#### 1.18.6

_Release Date – 22nd January, 2023_

 * PHP 8 compatibility changes

#### 1.18.5

_Release Date – 30th April, 2021_

 * Configurable paths to files that store passwords for basic/digest auth
 * Fixed issue with plugin activation, due to a missing file

#### 1.18.4

_Release Date – 30th April, 2021_

 * Initial value of X-Robots-Tag fixed

#### 1.18.3

_Release Date – 30th April, 2021_

 * Added “X-Robots-Tag” header
 * Added “interest-cohort”, “layout-animations”, “legacy-image-formats”,
   “oversized-images”, and “wake-lock” directive to “Permissions-Policy” header
 * Added “cross-origin” value to “Cross-Origin-Resource-Policy” header
 * Added “navigate-to” and “prefetch-src” directives to “Content-Security-Policy”
   header

#### 1.18.2

_Release Date – 24th April, 2021_

 * Configurable paths to .htaccess and .user.ini files

#### 1.18.1

_Release Date – 29th October, 2020_

 * Added “allow-downloads” and “allow-top-navigation-by-user-activation” to “sandbox”
   directive, part of CSP

#### 1.18.0

_Release Date – 20th September, 2020_

 * Added “Permissions-Policy” header
 * Fixed “Cookie Security”

#### 1.17.0

_Release Date – 26th July, 2020_

 * Added “Cross-Origin-Embedder-Policy” header
 * Added “Cross-Origin-Opener-Policy” header

#### 1.16.1

_Release Date – 23rd July, 2020_

 * Fixed JS/CSS versioning

#### 1.16.0

_Release Date – 23rd July, 2020_

 * Added the “NEL” header
 * Fixed the “Report-To” header

#### 1.15.2

_Release Date – 18th June, 2020_

 * Fixed a PHP Notice at “Expires” page
 * Fixed comments in .user.ini file

#### 1.15.1

_Release Date – 9th May, 2020_

 * Fixed the “Access-Control-Allow-Origin” header

#### 1.15.0

_Release Date – 26th January, 2020_

 * Added the “Cross-Origin-Resource-Policy” header
 * Removed the “Public-Key-Pins” header

#### 1.14.2

_Release Date – 25th November, 2019_

 * CORS headers updated (added “Vary: Origin”)

#### 1.14.1

_Release Date – 15th September, 2019_

 * Simple filtering was replaced with Dynamic filtering

#### 1.14.0

_Release Date – 1st September, 2019_

 * Added the “Content-Type” header
 * Fixed the “Access-Control-Allow-Credentials” header
 * Improvement to “Access-Control-Allow-Headers” header
 * Improvement to “Access-Control-Allow-Methods” header
 * Improvement to “Access-Control-Expose-Headers” header
 * Improvement to “Cache-Control” header
 * Improvement to “Vary” header

#### 1.13.4

_Release Date – 14th July, 2019_

 * Added the “always” condition to Header (unset) directive
 * Fixed the “import” function
 * Fixed the “Access-Control-Allow-Origin” header

#### 1.13.3

_Release Date – 16th June, 2019_

 * Bugfix in “WWW-Authenticate” header
 * Added support of Apache 2.4

#### 1.13.2

_Release Date – 13th June, 2019_

 * Bugfix in “Content-Encoding” header
 * Bugfix in “Vary” header

#### 1.13.1

_Release Date – 8th June, 2019_

 * Added Brotli compression

#### 1.13.0

_Release Date – 7th June, 2019_

 * Added “SameSite” to Cookie Security
 * Fixed import/export function
 * Code refactoring

#### 1.12.2

_Release Date – 5th April, 2019_

 * UI improvement for Content-Security-Policy
 * Fix for Access-Control-Allow-Headers
 * Fix for Access-Control-Allow-Origin
 * Fix for Feature-Policy

#### 1.12.1

_Release Date – 9th January, 2019_

 * Remove direct calls to cURL

#### 1.12.0

_Release Date – 5th January, 2019_

 * Better handling of activate/deactivate functions

#### 1.11.0

_Release Date – 9th December, 2018_

 * Added support of “Clear-Site-Data” header

#### 1.10.5

_Release Date – 6th November, 2018_

 * Hotfix: parallel work with third-party plugins

#### 1.10.4

_Release Date – 30th September, 2018_

 * Support of following Server APIs: CGI, FastCGI, PHP-FPM
 * Error handling improvement

#### 1.10.3

_Release Date – 8th August, 2018_

 * HSTS improvement
 * CORS improvement

#### 1.10.2

_Release Date – 31st July, 2018_

 * Export feature bug-fixed

#### 1.10.1

_Release Date – 18th July, 2018_

 * Feature-Policy header update: new features added

#### 1.10.0

_Release Date – 17th July, 2018_

 * Added support of “Feature-Policy” header

#### 1.9.5

_Release Date – 12th July, 2018_

 * CORS bugfix

#### 1.9.4

_Release Date – 13th January, 2018_

 * In-plugin security improvement

#### 1.9.3

_Release Date – 10th January, 2018_

 * Bug fix

#### 1.9.2

_Release Date – 4th January, 2018_

 * Security improvements

#### 1.9.1

_Release Date – 27th December, 2017_

 * Updated translations

#### 1.9.0

_Release Date – 23rd December, 2017_

 * Added support of “Report-To” header
 * Added support of translations
 * Added support of Import/Export
 * Updated “Content-Security-Policy” header (added directives: object-src,
   frame-src, worker-src, manifest-src, base-uri, report-to)
 * Updated “WWW-Authenticate” header (support multiple users)
 * Updated “Access-Control” headers (added list of origins)

#### 1.8.0

_Release Date – 31st August, 2017_

 * Added support of “Timing-Allow-Origin” header
 * Added support of “X-Download-Options” header
 * Added support of “X-DNS-Prefetch-Control” header
 * Added support of “X-Permitted-Cross-Domain-Policies” header
 * Added support of Custom headers

#### 1.7.1

_Release Date – 18th August, 2017_

 * PHP notice bugfixed

#### 1.7.0

_Release Date – 15th August, 2017_

 * Added support of “Content-Security-Policy-Report-Only” header
 * Added support of “Public-Key-Pins-Report-Only” header
 * Added “1; report=” directive to the “X-XSS-Protection” header
 * Added “Inspect headers” tool
 * UI bugfixes

#### 1.6.0

_Release Date – 5th August, 2017_

 * Added support of “Expect-CT” header

#### 1.5.0

_Release Date – 30th July, 2017_

 * Added support of “Age” header
 * Added support of “Cache-Control” header
 * Added support of “Connection” header
 * Added support of “Content-Encoding” header
 * Added support of “Expires” header
 * Added support of “Pragma” header
 * Added support of “Vary” header
 * Added support of “WWW-Authenticate” header
 * Added support of “X-Powered-By” header
 * Added support of “Secure” and “HttpOnly” cookies

#### 1.4.0

_Release Date – 5th July, 2017_

 * Added support of Apache (via htaccess) inclusion method

#### 1.3.0

_Release Date – 3rd June, 2017_

 * Added support of Content-Security-Policy header
 * Added dashboard

#### 1.2.0

_Release Date – 28th April, 2017_

 * Added support of Referrer-Policy header

#### 1.1.2

_Release Date – 13th February, 2017_

 * Added support of ‘preload’ directive to HSTS header

#### 1.1.1

_Release Date – 8th November, 2016_

 * Fixed typo in the X-Frame-Options header

#### 1.1.0

_Release Date – 20th May, 2016_

 * Added support of P3P header

#### 1.0.0

_Release Date – 10th May, 2016_

 * Initial version

## Meta

 *  Version **1.19.2**
 *  Last updated **1 year ago**
 *  Active installations **50,000+**
 *  WordPress version **3.2 or higher**
 *  Tested up to **6.7.5**
 *  PHP version **5.3 or higher**
 *  Languages: [English (US)](https://wordpress.org/plugins/http-headers/), [French (France)](https://fr.wordpress.org/plugins/http-headers/),
    [Russian](https://ru.wordpress.org/plugins/http-headers/), [Spanish (Chile)](https://cl.wordpress.org/plugins/http-headers/),
    [Spanish (Mexico)](https://es-mx.wordpress.org/plugins/http-headers/), and [Spanish (Spain)](https://es.wordpress.org/plugins/http-headers/).
 *  [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/http-headers)
 *  Tags: [http-headers](https://cl.wordpress.org/plugins/tags/http-headers/), [Security Headers](https://cl.wordpress.org/plugins/tags/security-headers/)
 *  [Advanced View](https://cl.wordpress.org/plugins/http-headers/advanced/)

## Ratings

 4.3 out of 5 stars.

 *  [51 5-star ratings](https://wordpress.org/support/plugin/http-headers/reviews/?filter=5)
 *  [5 4-star ratings](https://wordpress.org/support/plugin/http-headers/reviews/?filter=4)
 *  [4 3-star ratings](https://wordpress.org/support/plugin/http-headers/reviews/?filter=3)
 *  [5 2-star ratings](https://wordpress.org/support/plugin/http-headers/reviews/?filter=2)
 *  [5 1-star ratings](https://wordpress.org/support/plugin/http-headers/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/http-headers/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/http-headers/reviews/)


## Support

Issues resolved in the last two months:

     0 out of 2

 [View support forum](https://wordpress.org/support/plugin/http-headers/)

## Donate

Would you like to support the advancement of this plugin?

 [Donate to this plugin](https://paypal.me/Dimitar81)