Is there a way to place the HTTP Security Headers in wp-config.php instead of in .htaccess or functions.php? If so, what is the format?
2 Answers
The .htaccess file is read by the Apache server software before it even hands over to WordPress to generate a page. It is by far the best place to have your security headers.
That said, WordPress does have a class to modify the headers before they are send to the browser. This class contains a filter which you could use in a plugin. Beware that this filter might be bypassed if your page is served by a caching plugin (or some server level form of caching).
The wp-config.php file has a fairly narrow scope, as you can see in the codex. Defining security headers there is not among the possibilities.
Bottom line: yes, there are some ways to set security headers within WordPress, but make sure your .htaccess is in order.
