WP Fix It Easy Security Headers adds a simple page under Tools Security Headers where you can toggle common HTTP security headers:

Strict-Transport-Security (HSTS)
Content-Security-Policy (CSP)
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy

On activation, all headers are enabled by default and you’re redirected to the settings screen.

For convenience, the page and the Plugins screen include a “Check Headers” button that opens SecurityHeaders.com with your site’s URL prefilled (built dynamically from home_url()).

Notes on CSP

This plugin ships with a permissive default CSP intended to “work everywhere” out of the box (allows most external sources and inline code). For stronger protection, you should harden the directives for your specific site.

Key Features

One-click toggles for popular headers
Dynamic “Check Headers” scan link
Uses the WordPress Settings API (nonce + capability checks)
Output escaping and sanitization following PHPCS