
How to Modify HTTP Headers in the WordPress Admin Area

WordPress provides the wp_headers filter hook and send_headers action hook to add and modify HTTP headers. For front-end pages, these are ideal hooks that should be used whenever possible. Unfortunately, however, neither hook works on all pages in the WordPress Admin Area. After some experimentation, I found an easy solution to modify HTTP headers on any/all pages in the Admin Area.

wp_headers = Doesn’t Work in the Admin Area

At WP-Mix.com, I posted a tutorial about how to Disable the Chrome XSS Auditor. The code provided in the original version of the tutorial used wp_headers to add the XSS header:

// Add HTTP XSS Header
function shapeSpace_add_xss_header($headers) {
	
	$headers['X-XSS-Protection'] = '0';
	
	return $headers;
	
}
add_filter('wp_headers', 'shapeSpace_add_xss_header');

But as JanWillem pointed out, it doesn’t work in the Admin Area. It does work on Posts, Pages, and other CPT screens, but nowhere else. Possibly because CPT pages utilize the WordPress Loop and thus the wp_headers hook is fired. Regardless, neither wp_headers nor send_headers works on ALL pages/requests in the Admin Area. Fortunately, there is a solution.

Add/Modify/Remove Headers in the Admin Area

The easiest way to add or modify a header for ANY/ALL WP-generated pages, including all pages in the WordPress Admin Area and frontend, is to call the PHP header() function using the WP init hook. Here are some basic examples showing how it’s done.

Note: these examples limit header modification to admin pages only. To modify headers for front-end requests, it is recommended to use wp_headers or send_headers instead.

Add Headers

To add, say, an XSS header on every page in the Admin Area, we can add the following code to functions.php or via a plugin. Without the is_admin() check, the same code sends the header on the frontend as well (i.e., everywhere).

// Add HTTP Header
function shapeSpace_add_header() {
	
	if (is_admin()) header('X-XSS-Protection: 0');
	
}
add_action('init', 'shapeSpace_add_header');

So simple it hurts. This technique uses the WordPress function is_admin() to check if the request is for any page in the WP Admin Area. If so, the XSS header is added via the header() function. Further conditional logic may be applied to target only specific pages. For an example, check out the WP-Mix tutorial, Disable the Chrome XSS Auditor.
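One way to apply that further conditional logic, as an added example that is not code from the original post: it limits the header to a single admin screen, skips admin-ajax.php requests (for which is_admin() also returns true, even when the call originates on the frontend), and checks that output has not already started. The function name and the targeted screen (options-general.php) are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original post. The function name and the
// targeted screen ('options-general.php') are hypothetical.
function example_admin_screen_header() {

	global $pagenow;

	// is_admin() is also true for admin-ajax.php, which front-end
	// scripts may call, so AJAX requests are skipped explicitly.
	if (!is_admin() || wp_doing_ajax()) return;

	// header() has no effect once output has started; log where it began.
	if (headers_sent($file, $line)) {
		error_log("Admin header skipped: output started at $file:$line");
		return;
	}

	// Limit the change to one admin screen instead of the whole Admin Area.
	if ($pagenow !== 'options-general.php') return;

	header('X-XSS-Protection: 0');

}
add_action('init', 'example_admin_screen_header');
```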

Modify Headers

By default, the header() function replaces any existing header of the same name. Consider this example:

// Modify HTTP Header
function shapeSpace_modify_header() {
	
	if (is_admin()) header('Example-Header: Value');
	
}
add_action('init', 'shapeSpace_modify_header');

If the Example-Header header already exists, its value will be replaced by Value. So this technique can be used to either add a new header (if it does not already exist), or can be used to modify a header (if it does already exist).

Add Multiple Headers

To add multiple headers that have the same name, we can pass a second argument to the header() function like so:

// Add Multiple HTTP Headers
function shapeSpace_add_headers() {
	
	if (is_admin()) {
	
		header('Header-Example: Value 1', false);
		header('Header-Example: Value 2', false);
		header('Header-Example: Value 3', false);
	
	}
	
}
add_action('init', 'shapeSpace_add_headers');

Notice here we are passing false as the argument for the function’s replace parameter. So this example will add three new headers (and not replace any headers), each with their own value. For more information, check out the header() documentation.

Remove Headers

Last example: if you want to delete a header, use the header_remove() function:

// Remove HTTP Header
function shapeSpace_remove_header() {
	
	if (is_admin()) header_remove('Header-Example');
	
}
add_action('init', 'shapeSpace_remove_header');

This technique will remove any header(s) named Header-Example. Again, as with previous examples, we are using is_admin() to make sure that only admin pages are affected.

Important!

Only modify HTTP headers (especially in the Admin Area) if you know 100% what you are doing. If in doubt, do not change any headers. If you are working on front-end pages, use the WordPress core hooks, wp_headers and send_headers, instead of the above PHP header() technique.

About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.

3 responses to “How to Modify HTTP Headers in the WordPress Admin Area”

  1. Jim S Smith 2019/06/19 7:26 pm

    THANK YOU!

    That was something I needed to know. I was looking for a way to remove certain headers when logged into WordPress, because the “X-XSS-Protection” header and also the “Content-Security-Policy” header were interfering with the normal operation of some of the JavaScripts in the Admin areas.

    THIS should do very nicely.

    Again,

    – THANK YOU!

    – Jim S.

  2. Jim S Smith 2019/07/02 7:58 pm

    Did some coding work on my solution to implement the CSP header, but found that if I had it already defined in an .htaccess or .conf file, I get TWO different copies of the CSP header! I tried many different ways to address this problem, even using the equivalents of “header_remove()” to remove the older generated CSP header – but to no avail.

    Therefore,

    I disabled the .htaccess and .conf definitions, and just used WordPress to generate the only needed copy of a CSP header.

    Also,

    I am in the process of submitting a suggested solution and sample coding of implementing the nonce=”” addition to WordPress’s generated inline scripts. In order to better secure a WordPress site, all of its inline JavaScript should use the nonce=”” attribute, but WordPress core does not yet support this. – I do believe I have a good solution to suggest to them, and even have some working code to demonstrate this. – This coding would make the nonce=”” generation user-selectable by the use of a new define:

    define( 'USE_CSP_HEADER', { true|false } );

    This would include a very good, flexible-length NONCE generator function specifically for generating SCRIPT_NONCE’s (encoded into a modified base64 format – with only the alpha-numerics used).

    Again,

    This would be submitted as a suggested coding patch/update to a few of WordPress’s core inline-script-generating functions.

    I feel this would help bring WordPress into line with new security headers standards.

    – Thank you for hearing me out! ;-)

    – Jim S. Smith
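An added example (not from the post or from the comments above): a PHP check for the situation described in the second comment, where the same header arrives twice because both the server configuration and PHP send it. header_remove() only affects headers set through PHP, so the check has to be made on the response itself; the function names and the sample response are constructed for illustration.

```php
<?php
// Added example: report header names that occur more than once in a raw
// HTTP response header block. Function names are hypothetical.

function example_parse_headers(string $raw): array {
	$seen = [];
	// Split on CRLF or LF; the first line is the status line.
	$lines = preg_split('/\r\n|\n/', trim($raw));
	array_shift($lines);
	foreach ($lines as $line) {
		if ($line === '') break;                    // end of header block
		if (strpos($line, ':') === false) continue; // not a header line
		[$name, $value] = explode(':', $line, 2);
		// Header names are case-insensitive, so normalize before grouping.
		$seen[strtolower(trim($name))][] = trim($value);
	}
	return $seen;
}

function example_duplicate_headers(string $raw): array {
	return array_filter(example_parse_headers($raw), function ($values) {
		return count($values) > 1;
	});
}

// Constructed sample: one CSP from server config, one from header() in PHP.
$sample = "HTTP/1.1 200 OK\r\n"
	. "Content-Type: text/html; charset=UTF-8\r\n"
	. "Content-Security-Policy: default-src 'self'\r\n"
	. "X-XSS-Protection: 0\r\n"
	. "content-security-policy: script-src 'self' 'nonce-EXAMPLE'\r\n"
	. "\r\n";

foreach (example_duplicate_headers($sample) as $name => $values) {
	echo $name . ' sent ' . count($values) . " times:\n";
	foreach ($values as $value) echo '  ' . $value . "\n";
}
```

Browsers enforce every Content-Security-Policy header they receive, so two differing copies combine into a policy stricter than either one. Pass the function the raw header block captured from your own site's response to confirm which headers actually reach the client.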
