
Add security headers to your website

Security

HTTP security headers are instructions your server sends to browsers along with every page and file. They tell the browser how to handle your content securely — preventing attacks like clickjacking, MIME-type abuse, and information leakage.

When you enable Security headers in the Security card, Web60 adds five carefully chosen headers to every response from your website.

What each header does

X-Content-Type-Options: nosniff

Prevents browsers from guessing (sniffing) the type of a file. Without this header, a browser might treat a text file as JavaScript and execute it, which attackers can exploit to run malicious code.

Impact: None on normal browsing. Modern browsers already behave this way; the header makes that behaviour explicit and protects visitors using older browsers.

X-Frame-Options: SAMEORIGIN

Controls whether your site can be loaded inside an iframe. With SAMEORIGIN, your site can only be framed by pages on the same domain. This prevents clickjacking attacks, where an attacker overlays your site with invisible elements to trick visitors into clicking something they did not intend to.

Impact: Your site cannot be embedded in an iframe on another domain. This is almost always desirable. If you legitimately need your site framed on another domain, contact our support team.

Referrer-Policy: strict-origin-when-cross-origin

Controls how much information is shared when a visitor clicks a link from your site to another site. With this policy:

  • Same-site links send the full URL as the referrer (normal behaviour)
  • Cross-site links send only your domain name (for example, https://yoursite.com rather than the full page URL)
  • HTTPS to HTTP links send no referrer at all

Impact: Your analytics continue to work normally. External sites you link to see your domain but not the specific page your visitor came from.
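As an added illustration (not part of Web60's documentation or code), the Python function below works out the Referer value a browser sends for a link from one URL to another under strict-origin-when-cross-origin. The rule the browser applies is same-origin rather than same-site, so a link to a subdomain such as cdn.yoursite.com counts as cross-origin; the sample links use the page's yoursite.com placeholder.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """scheme://host[:port], with credentials, path, query and fragment removed."""
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = host if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f"{host}:{p.port}"
    return f"{p.scheme}://{netloc}"

def referrer_for(source, destination):
    """Referer header value (None = no referrer) for a link from `source` to
    `destination` under Referrer-Policy: strict-origin-when-cross-origin."""
    src, dst = urlsplit(source), urlsplit(destination)
    if src.scheme not in DEFAULT_PORTS:
        return None                        # file: / about: pages never send one
    if src.scheme == "https" and dst.scheme == "http":
        return None                        # downgrade: no referrer at all
    if origin_of(source) == origin_of(destination):
        # Same origin: the full URL, but never the credentials or the fragment.
        netloc = origin_of(source).split("://", 1)[1]
        return urlunsplit((src.scheme, netloc, src.path or "/", src.query, ""))
    return origin_of(source) + "/"         # cross-origin: origin only

if __name__ == "__main__":
    # Constructed sample links, not real traffic.
    cases = [
        ("https://yoursite.com/blog/post?utm=x#top", "https://yoursite.com/about"),
        ("https://yoursite.com/blog/post?utm=x", "https://partner.example/"),
        ("https://yoursite.com/blog/post", "http://partner.example/"),
        ("https://yoursite.com/blog/post", "https://cdn.yoursite.com/logo.png"),
    ]
    for s, d in cases:
        print(f"{s} -> {d}\n    Referer: {referrer_for(s, d)!r}")
```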

Permissions-Policy: camera=(), microphone=(), geolocation=()

Restricts which browser features your site can use. This policy disables access to the camera, microphone, and geolocation APIs. A standard WordPress website has no reason to use these features, so disabling them prevents any injected malicious script from accessing them.

Impact: None for a typical WordPress site. If you add a feature that genuinely needs camera or microphone access (such as a video chat widget), contact our support team to adjust this header.

X-XSS-Protection: 0

This may seem counterintuitive, but setting this header to 0 is the modern best practice. The old XSS filter built into older browsers was found to introduce security vulnerabilities of its own. Modern browsers have removed it entirely. Setting the header to 0 ensures older browsers do not enable the flawed filter.

Impact: None. Modern browsers ignore this header, and older browsers are told not to use their broken XSS filter.

How these headers are applied

Web60 applies security headers at the server level (nginx), not through WordPress PHP. This means they apply to every response from your site:

  • HTML pages
  • CSS and JavaScript files
  • Images and fonts
  • Error pages (404, 500, etc.)
  • API responses

WordPress core also sets some of these headers via PHP for dynamic pages. Web60 uses a method that replaces rather than duplicates, so each header appears exactly once in the response.

How to enable them

  1. Open your Web60 dashboard and select your website.
  2. Go to Advanced Settings.
  3. In the Security card, find Security headers.
  4. Toggle it on.

The headers are applied immediately. You can verify them using your browser's developer tools (Network tab) or an online header checker.
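If you would rather script the check than read the Network tab, here is an added example (written for this article, not a Web60 tool) that compares a response's headers against the five values described above. It flags a header that is missing, one that carries a different value, and one that appears twice, which is the duplication the server-level method is meant to avoid; SAMPLE_RESPONSE is a constructed response, and fetch_headers lets you run the same check against a live URL.

```python
import urllib.error
import urllib.request

EXPECTED = {  # the five headers this article describes
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "x-xss-protection": "0",
}

# Constructed sample (not captured from a real site): one header is sent twice,
# one carries the legacy XSS-filter value, and Permissions-Policy is missing.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"), ("x-frame-options", "SAMEORIGIN"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("X-XSS-Protection", "1; mode=block"),
]

def _norm(value):  # these values are case-insensitive tokens; spacing is not significant
    return "".join(value.split()).lower()

def check_security_headers(headers):
    """headers: (name, value) pairs exactly as received, duplicates included.
    Returns {name: 'ok' | 'missing' | 'duplicated' | 'unexpected value: ...'}."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    report = {}
    for name, want in EXPECTED.items():
        got = seen.get(name, [])
        if not got:
            report[name] = "missing"
        elif len(got) > 1:  # typically both PHP and the web server emitted it
            report[name] = "duplicated"
        elif _norm(got[0]) != _norm(want):
            report[name] = f"unexpected value: {got[0]!r}"
        else:
            report[name] = "ok"
    return report

def fetch_headers(url):
    """Live check with a HEAD request; error responses (404 etc.) are inspected too."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return list(err.headers.items())
```

Run `check_security_headers(fetch_headers("https://yoursite.com/"))` to test a live site; every entry should read `ok`, including on a deliberately invalid path that returns a 404.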

How to disable them

If you need to remove the security headers for troubleshooting, toggle the setting off. The server configuration is removed and the headers are no longer sent. WordPress may still send some of these headers via PHP on dynamic pages.

Need help?

If you have questions about security headers or need a specific header adjusted, visit our support page and we will be happy to help.

Frequently asked questions

Will security headers break my website?

No. The headers Web60 applies are safe for all WordPress sites. They enforce sensible defaults that browsers already follow in most cases. If you embed your site in an iframe on another domain, the X-Frame-Options header will block that — but this is almost always the desired behaviour, as it prevents clickjacking attacks.

Will security headers affect my analytics?

No. Web60 uses Plausible Analytics, which loads as a standard JavaScript file. The security headers do not include a Content Security Policy that would block scripts, and the Referrer-Policy value (strict-origin-when-cross-origin) still sends enough information for analytics to work correctly.

Can I customise individual headers?

The security headers toggle applies a curated set of headers as a single bundle. This approach is deliberate — it ensures all headers work together correctly and avoids misconfiguration. If you need a specific header changed for a technical reason, contact our support team.

Do these headers apply to static files like images and CSS?

Yes. Unlike headers set by WordPress via PHP (which only apply to dynamic pages), these headers are applied at the server level and cover all responses, including static files, images, fonts, and error pages.

Last updated: 26 March 2026