I have written a simple plugin to send some security http headers. I’ve tested it on various wordpress installations but on a wordpress multisite network it seems that the headers are not sended. The plugin is active for the entire network and in the .htaccess
file there is no instruction to set the headers. Is there any error with my code?
<?php
if(! defined('WPINC') ){
die;
}
class WP_Security_Headers{
public function init(){
add_action('send_headers', array($this, 'set_http_headers'));
}
private function set_http_headers(){
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
header("Set-Cookie: HttpOnly;Secure");
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://www.google.com; font-src 'self' data:; object-src 'none'; frame-src https://www.google.com; ");
header("X-Frame-Options: SAMEORIGIN");
header("X-Xss-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: strict-origin");
header("X-Pingback: ");
header("X-Powered-By: ");
}
}
$wp_s = new WP_Security_Headers;
$wp_s->init();
?>