
HTTP headers

HTTP headers are part of the HTTP protocol: they accompany every request, whether for a web page or an API endpoint, and every response. They are not shown when a page is rendered in a browser or when its HTML source is viewed, although a browser's developer tools (the Network panel) display both the request and the response headers.

HTTP headers added by the VIP Platform, as well as all other request and response headers, can be inspected with tools such as cURL or the browser's developer tools.

For requests that WordPress itself serves, HTTP response headers can be added, edited, or removed using filters in a custom plugin or in a theme's functions.php file.

HTTP response headers added by VIP

By default, the X-hacker and X-Powered-By custom HTTP response headers are added to every site hosted on the VIP Platform.

X-hacker: If you’re reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
X-Powered-By: WordPress VIP <https://wpvip.com>

These headers help VIP to monitor the platform and can be useful when troubleshooting the origin of a request. If necessary, these headers can be removed.

Add an HTTP header

Use the wp_headers filter in a theme's functions.php file to add new headers. The filter receives the array of headers WordPress is about to send and runs inside WP::send_headers(), so it applies to front-end requests that WordPress handles; it does not run for wp-admin pages, for REST API requests (which are served and exited before send_headers is reached), or for static files that never reach PHP. Check that the header is not already present before adding it, so a value set by the platform or by another plugin is not overwritten.

functions.php
add_filter( 'wp_headers', function( $headers ) {
    // Header names may not contain spaces; 'X-Custom-Header' is a placeholder.
    // Only add the header when nothing earlier in the request has set it.
    if ( ! isset( $headers['X-Custom-Header'] ) ) {
        $headers['X-Custom-Header'] = 'The header value';
    }
    return $headers;
}, 999 );

For example, as a means to prevent clickjacking, the X-Frame-Options: SAMEORIGIN header can be added so that browsers will only render the page inside a frame when the framing page is on the same origin. Modern browsers also honour the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options where both are present.

functions.php
add_filter( 'wp_headers', function( $headers ) {
    if ( ! isset( $headers['X-Frame-Options'] ) ) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}, 999 );

Commonly added headers

Headers that are commonly added using the wp_headers filter:

  • Content-Security-Policy
  • X-Content-Type-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Permissions-Policy

Two caveats apply. X-XSS-Protection controls a legacy browser filter that current browsers have removed; where it still exists the recommended value is 0 (disabled), because the filter itself has been a source of vulnerabilities. Content-Security-Policy is the header most likely to break a site, since WordPress and many themes emit inline scripts and styles, so trial a new policy as Content-Security-Policy-Report-Only and review the reports before enforcing it.
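The following is an added example, not VIP's or WordPress Core's code, showing one way to set the headers listed above from a single wp_headers callback. It keeps the existence check from the earlier snippets (a header already set by the platform or another plugin wins), compares header names case-insensitively because names are case-insensitive on the wire, and keeps the policy in its own function so it can be reviewed apart from the hook. The function names and every policy value are illustrative placeholders that would need tuning for a real site.

```php
<?php
/**
 * Added example (not VIP's or WordPress Core's code): send a baseline set of
 * security headers via the wp_headers filter. Function names and values are
 * illustrative placeholders.
 */

/**
 * Return the headers this site wants to add, keyed by header name.
 *
 * Kept separate from the filter callback so the policy can be reviewed and
 * unit-tested without a WordPress request.
 */
function example_security_headers(): array {
	return array(
		// Restrict where scripts, styles, frames and so on may load from.
		// A policy this strict will break inline scripts; roll it out under
		// Content-Security-Policy-Report-Only first and widen it as needed.
		'Content-Security-Policy' => "default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'",
		// Stop browsers sniffing a response into a different MIME type.
		'X-Content-Type-Options'  => 'nosniff',
		// The legacy XSS auditor is deprecated; 0 disables it where present.
		'X-XSS-Protection'        => '0',
		// Send only the origin when navigating to another origin.
		'Referrer-Policy'         => 'strict-origin-when-cross-origin',
		// Deny powerful browser features this site does not use.
		'Permissions-Policy'      => 'camera=(), microphone=(), geolocation=()',
	);
}

/**
 * Merge the policy into the headers WordPress is about to send.
 *
 * Headers already present are left untouched, so this callback never
 * silently overrides a value set earlier in the request.
 */
function example_apply_security_headers( array $headers ): array {
	// Header names are case-insensitive, so index the existing ones lowercased.
	$existing = array_change_key_case( $headers, CASE_LOWER );

	foreach ( example_security_headers() as $name => $value ) {
		if ( isset( $existing[ strtolower( $name ) ] ) ) {
			continue; // Respect the value that is already set.
		}
		$headers[ $name ] = $value;
	}

	return $headers;
}

// Late priority so plugins hooked at the default priority have run first.
add_filter( 'wp_headers', 'example_apply_security_headers', 999 );
```

Because the policy lives in example_security_headers(), a deployment check can compare the response headers seen through cURL against that array and flag any that are missing or differ, which catches the case where another plugin or the platform set a conflicting value first.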

Modify an HTTP header

The value of a VIP header can be modified and replaced with a custom value. For example:

functions.php
add_filter( 'wp_headers', function( $headers ) {
    $headers['X-hacker'] = 'Follow the white rabbit over to wpvip.com/careers to join our team.';
    $headers['X-Powered-By'] = 'WordPress VIP, an Automattic Production.';
    return $headers;
}, 999 );

Remove an HTTP header

Custom headers sent by VIP can be removed or modified with the wp_headers filter. As an example, the following snippet can be used to remove the X-hacker header:

functions.php
add_filter( 'wp_headers', function( $headers ) {
    unset( $headers['X-hacker'] );
    return $headers;
}, 999 );

WordPress Core also sets several response headers of its own on front-end requests, for example Content-Type and X-Pingback (which advertises the XML-RPC endpoint); any of them can be removed with the same unset() pattern in wp_headers. Note that wp_generator is not an HTTP header: it prints the <meta name="generator"> tag, which discloses the WordPress version, into the HTML head. It is a related version-disclosure concern but is removed by unhooking it from wp_head rather than through wp_headers:

functions.php
remove_action( 'wp_head', 'wp_generator' );

Some headers are not added by WordPress and cannot be removed from a plugin or theme. For example, the server: nginx header is set by WPVIP's edge cache. Scanners commonly flag a Server header as information disclosure, but this value names only the software, with no version, and WPVIP's use of NGINX is publicly documented, so the header reveals nothing an attacker could not already learn and is not treated as a security vector.

Send HTTP headers

The send_headers hook can also be used to send headers. It fires inside WP::send_headers() immediately after WordPress has emitted its own headers (caching, content type, and everything that passed through wp_headers) with PHP's header() function. Unlike wp_headers there is no array to edit: a header() call in this hook with the default replace flag silently overwrites any header of the same name that was queued earlier, so a callback that wants to avoid that has to inspect headers_list() itself before calling header(). The hook is convenient when a function that already makes the header() call exists.

For example, the following line is an alternative implementation of the above X-Frame-Options header, because WordPress already ships send_frame_options_header(), which emits X-Frame-Options: SAMEORIGIN:

functions.php
add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
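The following added example (not VIP's or WordPress Core's code) shows how to use send_headers without clobbering a header that was already queued, and how to cover REST API responses, which never pass through wp_headers or send_headers because WordPress serves them and exits during parse_request. PHP queues headers until output starts, so inside the hook headers_list() reports what WordPress has already set and a same-named header can be skipped instead of replaced. The function names and header values are illustrative; the REST part uses the rest_post_dispatch filter and the header() method of WP_HTTP_Response, both of which are WordPress Core APIs.

```php
<?php
/**
 * Added example (not VIP's or WordPress Core's code). Function names and
 * header values are illustrative placeholders.
 */

/**
 * Lowercased names of the response headers PHP has already queued.
 *
 * headers_list() only describes headers queued in the current request and
 * is meaningless once output has begun, so headers_sent() guards that case.
 */
function example_queued_header_names(): array {
	if ( headers_sent() ) {
		return array();
	}
	$names = array();
	foreach ( headers_list() as $line ) {
		$colon = strpos( $line, ':' );
		if ( false !== $colon ) {
			$names[] = strtolower( trim( substr( $line, 0, $colon ) ) );
		}
	}
	return $names;
}

/**
 * Send a header only if nothing earlier in the request queued one with the
 * same name. header() with its default $replace = true would otherwise
 * overwrite the earlier value without any warning.
 *
 * Returns true when the header was sent, false when it was skipped.
 */
function example_send_header_once( string $name, string $value ): bool {
	if ( in_array( strtolower( $name ), example_queued_header_names(), true ) ) {
		return false;
	}
	header( $name . ': ' . $value );
	return true;
}

// Front-end requests: runs after WordPress has queued its own headers.
add_action(
	'send_headers',
	function () {
		// Same policy as send_frame_options_header(), but skipped when a
		// plugin or the platform has already set X-Frame-Options.
		example_send_header_once( 'X-Frame-Options', 'SAMEORIGIN' );
		example_send_header_once( 'Referrer-Policy', 'strict-origin-when-cross-origin' );
	},
	10,
	0
);

// REST API requests: neither hook above runs, so add the headers to the
// response object instead. WP_REST_Server already sends
// X-Content-Type-Options: nosniff on its own, so that one is not repeated.
add_filter(
	'rest_post_dispatch',
	function ( $result ) {
		if ( $result instanceof WP_HTTP_Response ) {
			$result->header( 'X-Frame-Options', 'SAMEORIGIN' );
			$result->header( 'Referrer-Policy', 'strict-origin-when-cross-origin' );
		}
		return $result;
	},
	10,
	1
);
```

To confirm the two paths behave the same, request a front-end page and a REST route such as the site's index endpoint with cURL and compare the response headers; a header that appears on one and not the other points at a hook that did not run for that request type.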

Last updated: November 18, 2024

Relevant to

  • WordPress