Advanced security header optimization toolkit. Content-Security-Policy, Strict Transport Security (HSTS), Public-Key-Pins (HPKP), X-XSS-Protection and CORS.
Clone or download
o10n-x core update
Latest commit fcf4748 Sep 20, 2018
Failed to load latest commit information.
admin core update Jun 18, 2018
controllers core update Jul 8, 2018
core core update Sep 20, 2018
docs core update Jun 11, 2018
includes core update Jun 18, 2018
languages 0.0.1 beta Feb 20, 2018
tests tests Feb 27, 2018
.travis.yml core update Mar 13, 2018 core update Jul 12, 2018
README.txt core update Sep 20, 2018
changelog.txt 0.0.1 beta Feb 20, 2018
index.php 0.0.1 beta Feb 20, 2018
phpunit.xml tests Feb 27, 2018
security-header-optimization.php core update Sep 20, 2018
uninstall.php core update Jun 14, 2018

Build Status Version

WordPress Security Header Optimization

Advanced security header optimization toolkit. Content-Security-Policy, Strict Transport Security (HSTS), Public-Key-Pins (HPKP), X-XSS-Protection and CORS.


Github Updater

This plugin can be installed and updated using Github Updater (installation instructions)

Installation instructions

Step 1: Install Github Updater and first optimization plugin

Installing and updating the plugins is possible using Github Updater. It is easy to install one of the plugins. You simply need to download the Github Updater plugin (zip file), install it from the WordPress plugin admin panel and copy the Github URL of the plugin into the Github Updater installer.


Step 2: Install other optimization plugins with a single click

A recent update of all plugins contains a easy single click install button.



This plugin is a toolkit for HTTP Security Header optimization.

The plugin provides in a complete solution for Content Security Policy Management with support for Reporting API and legacy policy conversion based on browser sniffing.

JSON Schema based configuration

A big advantage is that the full configuration can be managed by JSON verified by a JSON schema. This makes the configuration easy to manage and portable to multiple websites.

CSP Editor

The plugin supports most security headers, including Strict Transport Security (HSTS), Public-Key-Pins (HPKP), X-XSS-Protection and all Cross-Origin Resource Sharing (CORS) related headers (Access-Control-Allow-Origin).

Security Headers Config

All settings of the plugin can be controlled from a single JSON editor. As part of the WPO collection, the plugin settings can be controlled via a single optimization JSON configuration.

Reporting API

The plugin supports both Report URI and the latest Reporting API ( to enable advanced logging of security reports.

Reporting API

Additional features can be requested on the Github forum.

WordPress WPO Collection

This plugin is part of a Website Performance Optimization collection that include CSS, Javascript, HTML, Web Font, Progressive Web App (Service Worker) and HTTP/2 optimization.

The WPO optimization plugins provide in all essential tools that enable to achieve perfect Google Lighthouse Test scores and to validate a website as Google PWA, an important ranking factor for Google's Speed Update (July 2018).

Google Lighthouse Perfect Performance Scores

The WPO optimization plugins are designed to work together with single plugin performance. The plugins provide the latest optimization technologies and many unique innovations.

JSON configuration

100% of the WPO plugin settings are controlled by JSON. This means that you could use the plugins without ever using the WordPress admin forms.

The JSON is verified using JSON schema's. More info about JSON schemas.

Local editing of optimization settings

A recently added Stealth Optimization Config Proxy concept makes it possible to edit the plugin settings using physical .json files from a local editor (with auto upload) making it efficient for fine tuning optimization settings. An update would cost a second compared to using + saving a WordPress admin panel.

Google PageSpeed vs Google Lighthouse Scores

While a Google PageSpeed 100 score is still of value, websites with a high Google PageSpeed score may score very bad in Google's new Lighthouse performance test.

The following scores are for the same site. It shows that a perfect Google PageSpeed score does not correlate to a high Google Lighthouse performance score.

Perfect Google PageSpeed 100 Score Google Lighthouse Critical Performance Score

Google PageSpeed score is outdated

For the open web to have a chance of survival in a mobile era it needs to compete with and win from native mobile apps. Google is dependent on the open web for it's advertising revenue. Google therefor seeks a way to secure the open web and the main objective is to rapidly enhance the quality of the open web to meet the standards of native mobile apps.

For SEO it is therefor simple: websites will need to meet the standards set by the Google Lighthouse Test (or Google's future new tests). A website with perfect scores will be preferred in search over low performance websites. The officially announced Google Speed Update (July 2018) shows that Google is going as far as it can to drive people to enhance the quality to ultra high levels, to meet the quality of, and hopefully beat native mobile apps.

A perfect Google Lighthouse Score includes validation of a website as a Progressive Web App (PWA).

Google offers another new website performance test that is much tougher than the Google PageSpeed score. It is based on a AI neural network and it can be accessed on