Modify HTTP headers

HTTP headers are part of the HTTP protocol. They accompany both the requests made for web pages or API endpoints and the responses sent back (e.g. the web page or the API response). They are not visible when viewing a web page in a browser, nor when viewing the page’s HTML source.

By default, the VIP Platform adds two custom HTTP response headers to every site it hosts: X-hacker and X-Powered-By. These headers help VIP to monitor the platform and can be useful when troubleshooting the origin of a request. If necessary, these headers can be removed.

X-hacker: If you’re reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
X-Powered-By: WordPress VIP <https://wpvip.com>

HTTP headers added by the VIP Platform, as well as all other request and response headers, can be inspected with tools such as cURL. HTTP headers can be added, edited, or removed using the filters below, either in a custom plugin or in a theme’s functions.php file.

Remove a header

WordPress core sends over a dozen default headers that can also be removed. For example, to remove wp_generator:

remove_action( 'wp_head', 'wp_generator' );

To alter the custom headers sent by VIP, use the wp_headers filter to unset or modify them as desired. The source code contains the latest header keys and can be used as a reference.

As an example, the following snippet can be used to remove the X-hacker header:

add_filter( 'wp_headers', function( $headers ) {
    unset( $headers['X-hacker'] );
    return $headers;
}, 999 );

Change a header

To change the value of a VIP header, replace the value with a new one. For example:

add_filter( 'wp_headers', function( $headers ) {
    $headers['X-hacker'] = 'Follow the white rabbit over to wpvip.com/careers to join our team.';
    $headers['X-Powered-By'] = 'WordPress VIP, an Automattic Production.';
    return $headers;
}, 999 );

Add a header

Use the wp_headers filter in a theme’s functions.php file to add new headers. Ensure that the header is not already being set before adding it to the filter.

Common headers that are added with the wp_headers filter:

  • Content-Security-Policy
  • X-Content-Type-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Permissions-Policy

add_filter( 'wp_headers', function( $headers ) {
    // Only set the header if nothing else has already set it.
    if ( ! isset( $headers['your custom header here'] ) ) {
        $headers['your custom header here'] = 'The header value';
    }
    return $headers;
}, 999 );

For example, to help prevent clickjacking, the X-Frame-Options: SAMEORIGIN header ensures that a page can be displayed in a frame only on the same origin as the page itself.

add_filter( 'wp_headers', function( $headers ) {
    // Leave any existing X-Frame-Options value untouched.
    if ( ! isset( $headers['X-Frame-Options'] ) ) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}, 999 );

Send headers

The send_headers hook can also be used to send headers. This hook fires once the requested HTTP headers for caching, content type, etc. have already been sent, so there is no opportunity to check for, and avoid sending, duplicate headers. It can be useful when a function containing a header() call already exists.

For example, the following line is an alternative implementation of the above X-Frame-Options header, as the send_frame_options_header function already exists in WordPress:

add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
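
To confirm the effect of the filters above, the response headers can be audited after they are captured with cURL. The following shell function is an added example, not WordPress VIP code: it reports headers from the list above (plus X-Frame-Options) that are missing, headers sent more than once (possible with send_headers), and whether the VIP default headers are still present. The names EXPECTED_HEADERS, audit_headers and sample_headers are assumptions chosen here, and the sample response is constructed.

```shell
#!/bin/sh
# Added example: audit response headers captured with `curl -sI <url>`.
# EXPECTED_HEADERS, audit_headers and sample_headers are names chosen here.
EXPECTED_HEADERS="content-security-policy x-content-type-options x-xss-protection referrer-policy permissions-policy x-frame-options"

# Reads a header block on stdin and prints one finding per line:
#   MISSING <name>    expected header absent
#   DUPLICATE <name>  header sent more than once (possible via send_headers)
#   PRESENT <name>    VIP default header still being sent
audit_headers() {
    awk -v expected="$EXPECTED_HEADERS" '
    BEGIN { n = split(expected, want, " ") }
    # Match "Name: value" lines; the status line has no "Name:" prefix.
    /^[A-Za-z0-9-]+:/ {
        name = tolower(substr($0, 1, index($0, ":") - 1))
        if (!(name in seen)) order[++k] = name   # remember first-seen order
        seen[name]++
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) print "MISSING " want[i]
        for (i = 1; i <= k; i++)
            if (seen[order[i]] > 1) print "DUPLICATE " order[i]
        if ("x-hacker" in seen) print "PRESENT x-hacker"
        if ("x-powered-by" in seen) print "PRESENT x-powered-by"
    }'
}

# Constructed sample response, not captured from a real site.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-hacker: constructed sample value
X-Powered-By: WordPress VIP <https://wpvip.com>
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
EOF
}

sample_headers | audit_headers
```

Against a live site, pipe the output of `curl -sI` for the site's URL into audit_headers instead of the sample.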

Last updated: May 26, 2022