function add_security_headers() { header("Content-Security-Policy: upgrade-insecure-requests"); header("X-XSS-Protection: 1; mode=block"); header("X-Content-Type-Options: nosniff"); header("Referrer-Policy: strict-origin-when-cross-origin"); header("Permissions-Policy: geolocation=(), microphone=(), camera=()"); header("Strict-Transport-Security: max-age=63072000; includeSubDomains; preload"); } add_action('send_headers', 'add_security_headers');