WordPress security headers are HTTP response headers that help control the behavior of web browsers and improve website security. These headers are sent from the server to the browser and instruct the browser on how to handle certain actions, such as displaying content, interacting with external resources, or executing scripts.

In WordPress security headers are served directly by the web server i.e. Apache, Microsoft IIS etc. So, for a example, take a scenario where a page has been injected with malicious iframe. Now, when the server serves that malicious web page to a user, it serves it along with some security headers. If the right kind of security headers are present (X-Frame-Options), they will stop the user’s browser from showing that malicious iframe.
When applied correctly, security headers can help prevent a wide variety of attacks, such as cross-site scripting (XSS), clickjacking, content injection and more.

Important Security Headers for WordPress
Here are some of the most important security headers you should consider adding to your WordPress website.
1. Content Security Policy (CSP)
A Content-Security-Policy header helps prevent Cross-Site Scripting (XSS) attacks by specifying which sources the browser can load content from. By defining trusted sources for scripts, images, and styles, this header ensures that malicious content from unauthorized domains is blocked.

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-source.com; connect-src 'self'; img-src 'self'; style-src 'self'; object-scr 'none'; frame-ancestors 'self';

2. Strict-Transport-Security (HSTS)
HTTP Strict Transport Security (HSTS) forces browsers to communicate with the website using HTTPS, even if the user attempts to connect via HTTP. This ensures that data transmitted between the server and the user is always encrypted.

Strict-Transport-Security: max-age=31536000; includeSubDomains;

3. X-Content-Type-Options
Often, it is quite possible that the attacker may have uploaded a text file with a malicious HTML code. It may seem like a harmless text file but your browser will automatically detect it as HTML and run the code. This security header, therefore, words by stopping your browser from interpreting the file anything other than the declared content type.

X-Content-Type-Options: nosniff

4. X-Frame-Options
X-Frame-Options helps protect against clickjacking attacks, where an attacker embeds your website in a hidden iframe to trick users into performing unwanted actions. Setting this header ensures that your website can’t be embedded in other sites unless explicitly allowed.

X-Frame-Options: SAMEORIGIN

5. X-XSS-Protection
X-XSS-Protection is an older header that helps protect against some types of Cross-Site-Scripting (XSS) attacks by enabling the browser’s built-in XSS filters. However, many modern browsers now have robust protection mechanisms, so his header is less relevant today but can still offer some defense.

X-XSS-Protection: 1; mode=block

6. Referrer-Policy
The Referrer-Policy header controls how much referrer information (such as the URL of the previous page) is sent when a user navigates from your website to another site. This helps protect user privacy and prevents potential leakage of sensitive information.

Referrer-Policy: no-referrer-when-downgrade

7. Feature-Policy / Permissions-Policy
The Feature-Policy (now renamed Permissions-Policy) header allows you to control which browser features are available to your website. You can disable features like geolocation, camera access, or microphone access to improve security.

Permissions-Policy: geolocation=(), microphone=()

8. Cache-Coontrol
Cache-Control allows you to control how content is cached by browsers and CDNs. By setting this header properly, you can prevent sensitive content from being cached, ensuring it is always retrieved securely.

Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate

By adding these headers to your site from a variety of threats, including XSS attacks, clickjacking, and content injection. You can add them manually through .htaccess file in the root directory.