Is there a way to place the HTTP Security Headers in wp-config.php
instead of in .htaccess
or functions.php
? If so, what is the format?
2 Answers
The .htaccess
file is read by the Apache server software before it even hands over to WordPress to generate a page. It is by far the best place to have your security headers.
That said, WordPress does have a class to modify the headers before they are send to the browser. This class contains a filter which you could use in a plugin. Beware that this filter might be bypassed if your page is served by a caching plugin (or some server level form of caching).
The wp-config.php
file has a fairly narrow scope, as you can see in the codex. Defining security headers there is not among the possibilities.
Bottom line: yes, there are some ways to set security headers within WordPress, but make sure your .htaccess
is in order.