HeaderShield adds a conservative set of security headers that improve browser protection without breaking most sites. It also provides optional strict cross-origin protections for sites that are ready for them.
Default headers include:
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection (legacy)
- Referrer-Policy
- Permissions-Policy
- Content-Security-Policy (upgrade-insecure-requests)
- Strict-Transport-Security (HTTPS only)
Strict Mode can additionally enable COEP, COOP, and CORP for stronger isolation, but may break third‑party scripts or embeds. Use with care and test on staging first.
Source code for third-party assets
The admin UI uses SlimSelect for the multi-select dropdown. Human-readable source is included in the plugin:
- JavaScript:
assets/js/slimselect.js(minified build:assets/js/slimselect.min.js) - CSS:
assets/css/slimselect.css(minified build:assets/css/slimselect.min.css)
Upstream project: https://github.com/brianvoe/slim-select (MIT). This plugin does not use a custom build process; the included files are from the published release.