=== HeaderShield ===
Contributors: vishwaliyanarachchi, vishvega, sbvi1122
Tags: security, headers, hsts, csp, hardening
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.14
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
Donate link: https://wordpress.org/support/plugin/headershield/

Add safe, modern HTTP security headers with optional strict cross-origin protections and a simple admin UI.

== Description ==

HeaderShield adds a conservative set of security headers that improve browser protection without breaking most sites. It also provides optional strict cross-origin protections for sites that are ready for them.

Default headers include:

* X-Frame-Options
* X-Content-Type-Options
* X-XSS-Protection (legacy)
* Referrer-Policy
* Permissions-Policy
* Content-Security-Policy (upgrade-insecure-requests)
* Strict-Transport-Security (HTTPS only)

Strict Mode can additionally enable COEP, COOP, and CORP (Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy) for stronger isolation, but may break third-party scripts or embeds. Use with care and test on staging first.
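
When testing on staging, a small audit of the response headers against the list above catches a header that a cache, proxy, or another plugin has dropped. The following is an added example, not part of HeaderShield's own code; the function names and the header values in `SAMPLE` are constructed for illustration and are not the plugin's actual output.

```python
# Added example: audit response headers against the list in this readme.
# Header values in SAMPLE are constructed; they are not HeaderShield's actual output.
DEFAULT = ["x-frame-options", "x-content-type-options", "x-xss-protection",
           "referrer-policy", "permissions-policy", "content-security-policy"]
STRICT = ["cross-origin-embedder-policy", "cross-origin-opener-policy",
          "cross-origin-resource-policy"]
HSTS = "strict-transport-security"

SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=()
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=31536000
"""

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw response header block."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw, https, strict=False):
    """List findings for one response; an empty list means it matches the readme."""
    headers = parse_headers(raw)
    findings = [f"missing {name}" for name in DEFAULT if name not in headers]
    policies = headers.get("content-security-policy", [])
    has_upgrade = any(
        d.split()[0].lower() == "upgrade-insecure-requests"
        for policy in policies for d in policy.split(";") if d.strip())
    if policies and not has_upgrade:
        findings.append("csp lacks upgrade-insecure-requests")
    if https and HSTS not in headers:
        findings.append(f"missing {HSTS}")
    if not https and HSTS in headers:           # the readme lists HSTS as HTTPS only
        findings.append(f"{HSTS} sent over plain HTTP")
    if strict:
        findings += [f"missing {name}" for name in STRICT if name not in headers]
    return findings
```

Feed `audit()` the header block captured from a staging response (for example the output of `curl -sI`), with `strict=True` only when Strict Mode is enabled.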

= Source code for third-party assets =

The admin UI uses SlimSelect for the multi-select dropdown. Human-readable source is included in the plugin:

* JavaScript: `assets/js/slimselect.js` (minified build: `assets/js/slimselect.min.js`)
* CSS: `assets/css/slimselect.css` (minified build: `assets/css/slimselect.min.css`)

Upstream project: https://github.com/brianvoe/slim-select (MIT). This plugin does not use a custom build process; the included files are from the published release.

== Installation ==

1. Upload the `headershield` plugin folder to `/wp-content/plugins/`, or install via **Plugins → Add New** and search for HeaderShield.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Go to **Security Headers** in the admin sidebar to configure settings.

= Optional: use as must-use plugin =

You can also copy the main plugin file into `/wp-content/mu-plugins/` so it is always active and cannot be disabled from the Plugins screen.

== Frequently Asked Questions ==

= Will this break my site? =

The default headers are conservative and should be safe for most sites. Strict Mode may break embeds, analytics, fonts, or CDNs, so test on staging first.

= Does this affect SEO? =

No. These headers improve browser security and do not affect SEO.

== Screenshots ==

1. Settings page.
2. User guide page.

== Upgrade Notice ==

= 1.0.14 =
Initial public release. Adds security headers with an admin UI and optional strict cross-origin protections.

== Changelog ==

= 1.0.14 =
* Initial public release.

