
BoundaryGuard Headers

Description

BoundaryGuard Headers enforces modern HTTP security headers to harden your WordPress site against XSS, clickjacking, mixed content, and cross-origin attacks.

Key Features:

  • Essential Protection: Adds X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to reduce attack surface and prevent clickjacking.
  • HSTS (Strict Transport Security): Forces HTTPS connections to help prevent protocol downgrade and man-in-the-middle attacks.
  • Advanced Isolation (COOP/COEP): Enables Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy to improve cross-origin isolation and mitigate certain side-channel attacks.
  • Content Security Policy (CSP): One of the strongest defenses against XSS. Includes a dashboard-based CSP builder with preset options to whitelist trusted sources for scripts, styles, images, and more.
  • CSP Report-Only Mode: Test your policy safely without blocking content.
  • Server Header Hardening: Removes or limits exposure of headers such as X-Powered-By and Server.
  • Lightweight and Fast: Uses PHP headers for broad server compatibility and minimal performance impact.
  • No .htaccess Editing Required: Works without modifying server configuration files.

Designed for developers and site owners who want stronger security without unnecessary complexity.

External Services

This plugin provides a Content Security Policy (CSP) builder. To assist users, it includes “Preset Buttons” that allow users to quickly add domain names to their own CSP whitelist.

This plugin DOES NOT connect to, load data from, or send data to these services automatically. The following third-party domains are referenced as presets within the admin dashboard for whitelisting purposes:
* Google Analytics (www.google-analytics.com) – Used for tracking whitelisting. [Privacy: https://policies.google.com/privacy]
* Google Tag Manager (www.googletagmanager.com) – Used for tag management. [Privacy: https://policies.google.com/privacy]
* Stripe (js.stripe.com, api.stripe.com) – Used for payment processing. [Privacy: https://stripe.com/privacy]
* Facebook (www.facebook.com, connect.facebook.net) – Used for social embeds. [Privacy: https://www.facebook.com/policy.php]
* YouTube (www.youtube.com, i.ytimg.com) – Used for video embeds. [Privacy: https://policies.google.com/privacy]
* Vimeo (player.vimeo.com) – Used for video embeds. [Privacy: https://vimeo.com/privacy]
* Gravatar (secure.gravatar.com) – Used for user avatars. [Privacy: https://automattic.com/privacy/]

Installation

  1. Upload the boundaryguard-headers folder to the /wp-content/plugins/ directory.
  2. Activate the plugin through the Plugins menu in WordPress.
  3. Configure the settings from Settings > BoundaryGuard Headers.

FAQ

Does this plugin edit .htaccess?

No. BoundaryGuard Headers uses PHP headers, which improves compatibility across different hosting environments.

Can I test Content Security Policy without breaking my site?

Yes. The plugin includes a CSP Report-Only Mode that allows you to monitor policy violations without blocking any resources.

Will this affect site performance?

No. The plugin is lightweight and adds negligible overhead, as headers are sent as part of the normal HTTP response.
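
One way to check the result after activation, as an added example (not the plugin's own code): the script audits a response's headers against the ones listed under Key Features and reports whether CSP is enforced or in Report-Only mode. The sample response, its header values and the function names are constructed for illustration and are not the plugin's defaults.

```python
import re

# Headers named in the plugin description above.
EXPECTED = ["X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
            "Permissions-Policy", "Strict-Transport-Security",
            "Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy"]
DISCLOSING = ["X-Powered-By", "Server"]
CSP, CSP_RO = "content-security-policy", "content-security-policy-report-only"

# Constructed sample response; values are illustrative, not the plugin's defaults.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=0
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline' https://js.stripe.com
"""

def parse_headers(raw):
    """Return {lowercased name: value}; header names are case-insensitive."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")     # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Report missing headers, disclosing headers, CSP mode and weak settings."""
    h = parse_headers(raw)
    findings = {
        "missing": [n for n in EXPECTED if n.lower() not in h],
        "disclosing": [n for n in DISCLOSING if n.lower() in h],
        # Report-only reports violations but blocks nothing.
        "csp_mode": "enforced" if CSP in h else "report-only" if CSP_RO in h else "absent",
        "warnings": [],
    }
    policy = h.get(CSP) or h.get(CSP_RO, "")
    for directive in filter(None, (d.strip() for d in policy.split(";"))):
        name, *sources = directive.split()
        if name in ("script-src", "default-src") and {"'unsafe-inline'", "*"} & set(sources):
            findings["warnings"].append(f"{name} allows inline or wildcard script sources")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) == 0:
        findings["warnings"].append("HSTS max-age=0 clears the policy instead of enforcing it")
    return findings
```

To audit a live site, paste the header block from `curl -sI` into `audit()` in place of `SAMPLE`.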

Reviews

December 30, 2025
I’ve been using BoundaryGuard Headers on my WordPress site, and overall it’s a very helpful security plugin. It focuses on adding important HTTP security headers — like Content Security Policy, X-Frame-Options, and HSTS — which helps protect the site from things like XSS attacks and clickjacking.

Contributors & Developers

"BoundaryGuard Headers" is open source software. The following people have contributed to this plugin.

Contributors

Changelog

1.0.0

  • Initial release
  • Added essential HTTP security headers
  • Implemented HSTS support
  • Added CSP builder with report-only mode