Browser Security Overview
Description
The Transport & Browser Security section is used to harden how browsers connect to and interact with the site. It brings together HTTPS enforcement, Content Security Policy, browser security headers, cross-origin isolation controls, and advanced CORS settings in one place.
These controls are designed to reduce browser-side exposure by enforcing encrypted transport, limiting what content browsers may load, restricting framing and browser features, and controlling how other origins interact with the site. Administrators should apply the controls in a staged way and test carefully after each change.
Section components
This section includes the following grouped control areas:
- HTTPS & Transport for redirecting front-end and admin traffic to HTTPS through a must-use plugin.
- Content Security Policy (CSP) for enabling CSP, choosing its scope (front-end and/or admin pages), selecting presets, and configuring directive values.
- Browser Security Headers for sending headers such as X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security (HSTS).
- COOP, CORP & COEP for cross-origin isolation controls that affect browser context and resource loading behavior.
- Advanced: CORS for defining whether trusted external origins may call the site and, if so, under what origin, method, header, and preflight rules.
Recommended rollout approach
A practical rollout starts with HTTPS enforcement after confirming that TLS is already working correctly for the site. Once transport is stable, the next step is usually to enable selected browser security headers and then add CSP carefully, beginning with the least disruptive settings that match the site’s dependencies.
Cross-origin isolation headers and advanced CORS settings should be treated as more sensitive changes because they can affect embeds, popups, third-party resources, and application integrations. These settings should be enabled only after reviewing site dependencies and validating that required cross-origin behavior still works.
Validation
After saving changes in this section, test both front-end and WordPress admin behavior. Validation should include checking that HTTP requests redirect to HTTPS when enabled, confirming intended headers are present in browser or proxy responses, and verifying that scripts, styles, embeds, APIs, and trusted external integrations continue to work as expected.
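The two checks described above (HTTP-to-HTTPS redirect, and presence of the intended headers) can be scripted against `curl -sI` output. The following is an added example, not part of the plugin's documentation or code; it assumes `curl` is available for live use, and the response blocks embedded in it are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example (not the plugin's own code): offline checks for the validation
# steps in this section. Header blocks are assumed to come from `curl -sI <url>`
# or a proxy log; the samples below are constructed.

# Headers this section is expected to send (compared case-insensitively,
# since HTTP/2 responses lowercase header names and HTTP/1.1 does not).
EXPECTED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy permissions-policy"

# Reads a response header block on stdin. Prints each missing header and
# returns 1 if any are missing, 0 when all are present.
check_security_headers() {
    headers=$(tr '[:upper:]' '[:lower:]' | tr -d '\r')
    missing=0
    for h in $EXPECTED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
            printf 'MISSING: %s\n' "$h"
            missing=1
        fi
    done
    return $missing
}

# Reads a plain-HTTP response header block on stdin. Returns 0 only when the
# status is a redirect (301/302/307/308) and Location points at https://.
check_https_redirect() {
    headers=$(tr -d '\r')
    printf '%s\n' "$headers" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 30[1278]' || return 1
    printf '%s\n' "$headers" | grep -iq '^location: https://' || return 1
}

# Constructed sample responses standing in for real curl output.
SAMPLE_HTTPS_OK="HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()"

SAMPLE_HTTPS_PARTIAL="HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN"

SAMPLE_HTTP_REDIRECT="HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Content-Length: 0"

# Live usage (assumes curl):  curl -sI http://example.com/ | check_https_redirect
#                             curl -sI https://example.com/wp-admin/ | check_security_headers
if printf '%s\n' "$SAMPLE_HTTP_REDIRECT" | check_https_redirect; then
    echo "redirect check: OK"
else
    echo "redirect check: FAILED"
fi
printf '%s\n' "$SAMPLE_HTTPS_OK" | check_security_headers && echo "full header set: OK"
printf '%s\n' "$SAMPLE_HTTPS_PARTIAL" | check_security_headers || echo "partial header set: gaps listed above"
```

Run the header check against both a front-end URL and a WordPress admin URL, because the CSP scope setting may apply to only one of them; run the redirect check against the plain-HTTP form of each.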
