{"id":266475,"date":"2025-12-29T04:58:28","date_gmt":"2025-12-29T04:58:28","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/header-hardening-security-http-headers-enforcer\/"},"modified":"2026-01-05T08:19:59","modified_gmt":"2026-01-05T08:19:59","slug":"boundaryguard-headers","status":"publish","type":"plugin","link":"https:\/\/ewe.wordpress.org\/plugins\/boundaryguard-headers\/","author":23413993,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.0","stable_tag":"1.0.0","tested":"6.9.4","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"BoundaryGuard Headers","header_author":"Jay Suthar","header_description":"Automatically enforces critical HTTP Security Headers (HSTS, CSP, XFO, COOP\/COEP) to protect against Clickjacking, XSS, and downgrade attacks. Features a dashboard with a Content Security Policy (CSP) builder for easy whitelisting. Achieve an A+ security rating with zero configuration effort. Enforces modern HTTP security headers including CSP, HSTS, COOP and COEP.","assets_banners_color":"278da4","last_updated":"2026-01-05 08:19:59","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"","rating":5,"author_block_rating":0,"active_installs":0,"downloads":156,"num_ratings":1,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"jsjack74","date":"2026-01-05 
08:19:59"}},"upgrade_notice":[],"ratings":{"1":0,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3428818,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3428818,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3428820,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3428818,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[19966,34310,32637,600,14958],"plugin_category":[54],"plugin_contributors":[252960],"plugin_business_model":[],"class_list":["post-266475","plugin","type-plugin","status-publish","hentry","plugin_tags-csp","plugin_tags-hsts","plugin_tags-http-headers","plugin_tags-security","plugin_tags-xss","plugin_category-security-and-spam-protection","plugin_contributors-jsjack74","plugin_committers-jsjack74"],"banners":{"banner":"https:\/\/ps.w.org\/boundaryguard-headers\/assets\/banner-772x250.png?rev=3428818","banner_2x":"https:\/\/ps.w.org\/boundaryguard-headers\/assets\/banner-1544x500.png?rev=3428820","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/boundaryguard-headers\/assets\/icon-128x128.png?rev=3428818","icon_2x":"https:\/\/ps.w.org\/boundaryguard-headers\/assets\/icon-256x256.png?rev=3428818","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>BoundaryGuard Headers enforces modern HTTP security headers to harden your WordPress site against XSS, clickjacking, mixed content, and cross-origin attacks.<\/p>\n\n<p><strong>Key Features:<\/strong><\/p>\n\n<ul>\n<li><strong>Essential 
Protection:<\/strong> Adds X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to reduce attack surface and prevent clickjacking.<\/li>\n<li><strong>HSTS (Strict Transport Security):<\/strong> Forces HTTPS connections to help prevent protocol downgrade and man-in-the-middle attacks.<\/li>\n<li><strong>Advanced Isolation (COOP\/COEP):<\/strong> Enables Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy to improve cross-origin isolation and mitigate certain side-channel attacks.<\/li>\n<li><strong>Content Security Policy (CSP):<\/strong> One of the strongest defenses against XSS. Includes a dashboard-based CSP builder with preset options to whitelist trusted sources for scripts, styles, images, and more.<\/li>\n<li><strong>CSP Report-Only Mode:<\/strong> Test your policy safely without blocking content.<\/li>\n<li><strong>Server Header Hardening:<\/strong> Removes or limits exposure of headers such as <code>X-Powered-By<\/code> and <code>Server<\/code>.<\/li>\n<li><strong>Lightweight and Fast:<\/strong> Uses PHP headers for broad server compatibility and minimal performance impact.<\/li>\n<li><strong>No <code>.htaccess<\/code> Editing Required:<\/strong> Works without modifying server configuration files.<\/li>\n<\/ul>\n\n<p>Designed for developers and site owners who want stronger security without unnecessary complexity.<\/p>\n\n<h3>External Services<\/h3>\n\n<p>This plugin provides a Content Security Policy (CSP) builder. To assist users, it includes \"Preset Buttons\" that allow users to quickly add domain names to their own CSP whitelist.<\/p>\n\n<p><strong>This plugin DOES NOT connect to, load data from, or send data to these services automatically.<\/strong> The following third-party domains are referenced as presets within the admin dashboard for whitelisting purposes:<\/p>\n\n<ul>\n<li>Google Analytics (www.google-analytics.com) - Used for tracking whitelisting. 
[Privacy: https:\/\/policies.google.com\/privacy]<\/li>\n<li>Google Tag Manager (www.googletagmanager.com) - Used for tag management. [Privacy: https:\/\/policies.google.com\/privacy]<\/li>\n<li>Stripe (js.stripe.com, api.stripe.com) - Used for payment processing. [Privacy: https:\/\/stripe.com\/privacy]<\/li>\n<li>Facebook (www.facebook.com, connect.facebook.net) - Used for social embeds. [Privacy: https:\/\/www.facebook.com\/policy.php]<\/li>\n<li>YouTube (www.youtube.com, i.ytimg.com) - Used for video embeds. [Privacy: https:\/\/policies.google.com\/privacy]<\/li>\n<li>Vimeo (player.vimeo.com) - Used for video embeds. [Privacy: https:\/\/vimeo.com\/privacy]<\/li>\n<li>Gravatar (secure.gravatar.com) - Used for user avatars. [Privacy: https:\/\/automattic.com\/privacy\/]<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>boundaryguard-headers<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory.<\/li>\n<li>Activate the plugin through the <strong>Plugins<\/strong> menu in WordPress.<\/li>\n<li>Configure the settings from <strong>Settings \u2192 BoundaryGuard Headers<\/strong>.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id='does%20this%20plugin%20edit%20.htaccess%3F'><h3>Does this plugin edit .htaccess?<\/h3><\/dt>\n<dd><p>No. BoundaryGuard Headers uses PHP headers, which improves compatibility across different hosting environments.<\/p><\/dd>\n<dt id='can%20i%20test%20content%20security%20policy%20without%20breaking%20my%20site%3F'><h3>Can I test Content Security Policy without breaking my site?<\/h3><\/dt>\n<dd><p>Yes. The plugin includes a <strong>CSP Report-Only Mode<\/strong> that allows you to monitor policy violations without blocking any resources.<\/p><\/dd>\n<dt id='will%20this%20affect%20site%20performance%3F'><h3>Will this affect site performance?<\/h3><\/dt>\n<dd><p>No. 
The plugin is lightweight and adds negligible overhead, as headers are sent as part of the normal HTTP response.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Added essential HTTP security headers<\/li>\n<li>Implemented HSTS support<\/li>\n<li>Added CSP builder with report-only mode<\/li>\n<\/ul>","raw_excerpt":"Automatically enforces essential HTTP security headers to protect your site from XSS, clickjacking, and protocol downgrade attacks.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/266475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=266475"}],"author":[{"embeddable":true,"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/jsjack74"}],"wp:attachment":[{"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=266475"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=266475"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=266475"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=266475"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=266475"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ewe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=266475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}