
Add, edit, or remove HTTP response headers

HTTP response headers can be added, and some of a site’s HTTP response headers can be edited or removed. Modifications to HTTP response headers should be made with filters in a custom plugin or in a theme’s functions.php file.

Add a header

Use the wp_headers filter in a theme’s functions.php file to add new headers. Ensure that the header is not already being set before adding it to the filter.

functions.php
add_filter( 'wp_headers', function( $headers ) {
    // Only set the header if nothing earlier in the request has already set it.
    if ( ! isset( $headers['your custom header here'] ) ) {
        $headers['your custom header here'] = 'The header value';
    }
    return $headers;
}, 999 );

For example, as a means to prevent clickjacking, the X-Frame-Options: SAMEORIGIN header can be added to ensure that a frame can be displayed only on the same origin as the page it is embedded on.

functions.php
add_filter( 'wp_headers', function( $headers ) {
    if ( ! isset( $headers['X-Frame-Options'] ) ) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}, 999 );

Commonly added headers

Headers that are commonly added using the wp_headers filter:

  • Content-Security-Policy
  • X-Content-Type-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Permissions-Policy

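The following is an added example, not code from the WordPress VIP documentation, that sets several of the commonly added headers from a single wp_headers callback. Each header is set only when no earlier code has supplied it, and the comparison of header names is case-insensitive because the keys of the $headers array are whatever other plugins used. The header values, the helper function name mysite_header_is_set and the MYSITE_CSP_ENFORCE constant are assumptions for the example; the Content-Security-Policy source lists in particular must be adjusted to the scripts and assets the site actually loads.

```php
<?php
// Added example (not from the WordPress VIP documentation).
// Returns true when $headers already carries $name under any letter casing.
function mysite_header_is_set( array $headers, $name ) {
    foreach ( array_keys( $headers ) as $existing ) {
        if ( strcasecmp( $existing, $name ) === 0 ) {
            return true;
        }
    }
    return false;
}

add_filter( 'wp_headers', function ( $headers ) {
    // Roll a new policy out in report-only mode first and switch to enforcing
    // once the violation reports are clean. MYSITE_CSP_ENFORCE is a hypothetical
    // constant, defined for example in wp-config.php.
    $csp_header = ( defined( 'MYSITE_CSP_ENFORCE' ) && MYSITE_CSP_ENFORCE )
        ? 'Content-Security-Policy'
        : 'Content-Security-Policy-Report-Only';

    // Illustrative defaults; the CSP source lists are placeholders.
    $defaults = array(
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=()',
        $csp_header              => "default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'",
    );

    foreach ( $defaults as $name => $value ) {
        // Do not override a value set by another plugin or by the platform.
        if ( ! mysite_header_is_set( $headers, $name ) ) {
            $headers[ $name ] = $value;
        }
    }

    return $headers;
}, 999 );
```

The priority of 999 matches the examples on this page and lets callbacks registered at the default priority run first, so their values are the ones that win. Verify the result on a live page with curl -I and confirm the headers appear once each.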
Remove a header

The X-hacker and X-Powered-By custom headers sent by VIP can be removed or modified with the wp_headers filter.

In this example code, the X-hacker header is removed:

functions.php
add_filter( 'wp_headers', function( $headers ) {
    unset( $headers['X-hacker'] );
    return $headers;
}, 999 );

Remove a header sent by WordPress Core

By default, over a dozen headers are sent by WordPress Core. One or more of these headers can be optionally removed. For example, to remove wp_generator:

functions.php
remove_action( 'wp_head', 'wp_generator' );
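As an added example that is not part of the VIP documentation, two other headers that WordPress Core sends on front-end requests can be dropped with the same techniques this page describes: the X-Pingback header passes through the wp_headers filter and can be unset there, and the REST API discovery Link header is output by the Core function rest_output_link_header, which is hooked on template_redirect at priority 11. Nothing else in the snippet is assumed.

```php
<?php
// Added example (not from the WordPress VIP documentation).
// Drop the X-Pingback header, which Core adds to the array that wp_headers filters.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}, 999 );

// The REST API "Link: <...>; rel=\"https://api.w.org/\"" header is sent by a
// separate Core action rather than through wp_headers, so it is removed by
// unhooking that action with the priority Core registered it at.
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
```

The remove_action() call must be made after Core has registered the action, which is the case for code in a theme's functions.php or a plugin's main file; the priority argument must match the one Core used (11) or the removal silently does nothing.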

Note

Some headers are not added by WordPress and cannot be removed. For example, the Server: nginx header is set by WPVIP’s edge cache. Though this header is commonly flagged as a security concern, the use of NGINX within WPVIP’s infrastructure is publicly disclosed and therefore not a security vector.

Modify a header

Use the wp_headers filter to modify or replace the default value of the X-hacker and X-Powered-By response headers added by WPVIP. For example:

functions.php
add_filter( 'wp_headers', function( $headers ) {
    $headers['X-hacker'] = 'Follow the white rabbit over to wpvip.com/careers to join our team.';
    $headers['X-Powered-By'] = 'WordPress VIP, an Automattic Production.';
    return $headers;
}, 999 );

Send a header

The send_headers action can also be used to send headers. It fires after WordPress has already sent the request’s headers for caching, content type, and so on, so there is no opportunity at that point to check for, and avoid, duplicate headers. The hook is useful when a function that makes the required header() call already exists.

For example, the following line is an alternative implementation of the above X-Frame-Options header, as the send_frame_options_header function already exists in WordPress:

add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
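The following added example, not code from the VIP documentation, shows a send_headers callback that emits a header with header() directly. Because WordPress cannot deduplicate at this point, the callback uses PHP’s own headers_list() to inspect the headers already queued for the response and skips any that are present; it also guards with headers_sent() so that header() is not called after output has begun. The helper name mysite_response_has_header is an assumption. The header_remove() call at the end illustrates dropping a header that never passes through wp_headers: PHP adds its own X-Powered-By: PHP/<version> header when the expose_php INI setting is on, and header_remove() discards it.

```php
<?php
// Added example (not from the WordPress VIP documentation).
// True when a header named $name is already queued for the current response.
function mysite_response_has_header( $name ) {
    // headers_list() returns the queued headers as "Name: value" strings.
    $prefix = $name . ':';
    foreach ( headers_list() as $line ) {
        if ( strncasecmp( $line, $prefix, strlen( $prefix ) ) === 0 ) {
            return true;
        }
    }
    return false;
}

add_action( 'send_headers', function () {
    // Once output has started, header() has no effect and raises a warning.
    if ( headers_sent() ) {
        return;
    }

    // Emit the header only if no earlier code (wp_headers callbacks included)
    // has already queued it, so the response carries it exactly once.
    if ( ! mysite_response_has_header( 'X-Content-Type-Options' ) ) {
        header( 'X-Content-Type-Options: nosniff' );
    }

    // PHP's own X-Powered-By (sent when expose_php=On) is not in the wp_headers
    // array; header_remove() drops it from the queued response headers.
    header_remove( 'X-Powered-By' );
}, 10, 0 );
```

Note that header_remove( 'X-Powered-By' ) also discards the X-Powered-By value WPVIP sets, so use the wp_headers filter shown under "Modify a header" when the intent is to keep that header with a custom value. Confirm the final header set with curl -I against a front-end URL.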

Last updated: November 26, 2024

Relevant to

  • WordPress