🔐 Omega Security Headers Guide
A universal reference for adding modern security headers to any website
Security headers are delivered by the web server, not by WordPress, themes, or plugins. Because every hosting environment is different, no plugin can safely inject these headers automatically.
This guide shows developers how to add industry‑standard security headers on:
- Apache (.htaccess)
- Nginx
- LiteSpeed
- Cloudflare
- PHP fallback (least recommended)
Each section includes copy‑paste examples.
🧩 1. What Security Headers Do
Security headers protect your site from:
- Clickjacking
- MIME‑type sniffing
- Cross‑site scripting (XSS)
- Browser feature abuse
- Referrer leakage
- Protocol downgrade attacks
- Mixed content
- Unauthorized framing
These headers do not change your site’s content — they instruct the browser how to behave.
🛡️ 2. Recommended Security Headers
| Header | Purpose |
|---|---|
| Strict-Transport-Security (HSTS) | Forces HTTPS and prevents downgrade attacks |
| X-Frame-Options | Blocks clickjacking |
| X-Content-Type-Options | Prevents MIME sniffing |
| Referrer-Policy | Controls how much referrer info is leaked |
| Content-Security-Policy (CSP) | Blocks XSS, injections, and unauthorized scripts |
| Permissions-Policy | Restricts browser features (camera, mic, geolocation, etc.) |
| X-XSS-Protection | Legacy XSS protection for old browsers |
| X-Download-Options | Prevents file download execution in IE |
| X-Permitted-Cross-Domain-Policies | Controls Flash/Adobe cross-domain access |
🏗️ 3. Apache (.htaccess) Example
```apache
# Force HTTPS (requires mod_rewrite)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Response headers (requires mod_headers); "always" also applies to error responses
<IfModule mod_headers.c>
# HSTS (requires HTTPS; "preload" commits the domain to the browser preload list)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Security Headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
```
🚀 4. Nginx Example
```nginx
# Force HTTPS: a plain-HTTP server block that does nothing but redirect
server {
    listen 80;
    server_name example.com;   # replace with your host name
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;   # replace with your host name
    # ... ssl_certificate / ssl_certificate_key and the rest of your config ...
    # HSTS; "always" also sends the header on error responses
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Security Headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # Caveat: an add_header inside a location {} block replaces ALL of the headers
    # inherited from this level, so repeat the full set in any such location.
}
```
⚡ 5. LiteSpeed Example
LiteSpeed supports both Apache and Nginx syntax.
Use .htaccess (recommended):
```apache
# Requires mod_headers, as on Apache
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
```
Or use the LiteSpeed WebAdmin Console → Headers section.
☁️ 6. Cloudflare Example
Cloudflare lets you add headers at the edge, which is the most secure method.
Option A — Cloudflare Transform Rules
Dashboard → Rules → Transform Rules → Modify Response Header
| Name | Value |
|---|---|
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=() |
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
Option B — Cloudflare Workers
```javascript
// Inside the Worker's fetch handler: the origin response's headers are immutable, so copy it first
const response = new Response(origin.body, origin);
response.headers.set("X-Frame-Options", "SAMEORIGIN");
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
return response;
```
🐘 7. PHP Fallback (Least Recommended)
Use only if you cannot modify server config:
```php
<?php
// Must run before any output is sent (no echo, HTML, or whitespace before this point)
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
```
⚠️ Warning: PHP headers may be overridden by the server or CDN. Use only as a last resort.
🧪 8. Testing Your Headers
Use these tools:
- SecurityHeaders.com
- Mozilla Observatory
- Qualys SSL Labs
- Chrome DevTools → Network → Click any request → Headers tab
Look for your headers under Response Headers.
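To make the manual DevTools check repeatable, here is an added example (not part of the original guide) in JavaScript that audits a response-header map against the values recommended above; the sample headers are constructed, and the finding texts are this example's own wording.

```javascript
// Constructed sample (not from the original guide): a site's response headers before hardening.
const SAMPLE_HEADERS = {
  "strict-transport-security": "max-age=300",
  "x-frame-options": "ALLOW-FROM https://example.com",
  "referrer-policy": "unsafe-url",
};
// Parse HSTS directives such as "max-age=31536000; includeSubDomains; preload".
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const [name, val] = part.trim().split("=");
    const key = name.toLowerCase();
    if (key === "max-age") out.maxAge = Number(val);
    else if (key === "includesubdomains") out.includeSubDomains = true;
    else if (key === "preload") out.preload = true;
  }
  return out;
}

// Check a header map (names matched case-insensitively) against the values this guide recommends.
// Returns human-readable findings; an empty list means nothing to fix.
function auditHeaders(headers) {
  const h = {};
  for (const [name, val] of Object.entries(headers)) h[name.toLowerCase()] = val;
  const findings = [];
  if (!h["strict-transport-security"]) findings.push("Strict-Transport-Security missing");
  else {
    const d = parseHsts(h["strict-transport-security"]);
    if (d.maxAge < 31536000) findings.push("HSTS max-age shorter than one year");
    if (!d.includeSubDomains) findings.push("HSTS lacks includeSubDomains");
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push("X-Frame-Options is not DENY or SAMEORIGIN (ALLOW-FROM is ignored by modern browsers)");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options is not nosniff");
  const rp = (h["referrer-policy"] || "").toLowerCase();
  if (rp === "" || rp === "unsafe-url" || rp === "no-referrer-when-downgrade") findings.push("Referrer-Policy missing or sends full URLs to other origins");
  if (!h["permissions-policy"]) findings.push("Permissions-Policy missing");
  if (!h["content-security-policy"] && !h["content-security-policy-report-only"]) findings.push("Content-Security-Policy missing (start with Report-Only)");
  return findings;
}
// The same site with the guide's recommended values applied; the audit should come back clean.
const HARDENED_HEADERS = {
  ...SAMPLE_HEADERS,
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
  "x-frame-options": "SAMEORIGIN",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "geolocation=(), microphone=(), camera=()",
  "content-security-policy-report-only": "default-src 'self'",
};
```

Feed it the header map copied from the DevTools Response Headers pane (or from `curl -I`) to get a list of what still needs fixing.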
🧭 9. Best Practices
- Always test on a staging environment first.
- Add CSP gradually — it can block scripts if misconfigured.
- Enable HSTS only after HTTPS is fully working everywhere.
- Avoid overly strict Permissions-Policy rules unless required.
- Never inject headers into the HTML `<head>` — browsers ignore them.
- Prefer server-level headers over PHP-based headers.
- Use Cloudflare or your hosting provider for the most reliable header delivery.
🎉 10. Summary
Security headers must be added by:
- The developer
- The server administrator
- The hosting provider
- The CDN
Plugins cannot safely inject them automatically, and your architecture respects that perfectly.
Omega Web Metrics → Detects
Omega Security Engine Pro → Protects
Developers → Implement headers
This is the correct, professional, enterprise‑grade model.