
https://perishablepress.com/modify-http-headers-wordpress-admin-area/

WordPress provides the wp_headers filter hook and send_headers action hook to add and modify HTTP response headers. For front-end pages, these are ideal hooks that should be used whenever possible. Unfortunately, however, neither hook works on all pages in the WordPress Admin Area. After some experimentation, I found an easy solution to modify HTTP headers on any/all pages in the Admin Area.

wp_headers = Doesn’t Work in the Admin Area

At WP-Mix.com, I posted a tutorial about how to Disable the Chrome XSS Auditor. The code provided in the original version of the tutorial used wp_headers to add the XSS header:

// Add HTTP XSS Header
function shapeSpace_add_xss_header($headers) {
	
	$headers['X-XSS-Protection'] = '0';
	
	return $headers;
	
}
add_filter('wp_headers', 'shapeSpace_add_xss_header');

But as JanWillem pointed out, it doesn’t work in the Admin Area. It does work on Posts, Pages, and other CPT screens, but nowhere else. Possibly because CPT pages utilize the WordPress Loop and thus the wp_headers hook is fired. Regardless, neither wp_headers nor send_headers works on ALL pages/requests in the Admin Area. Fortunately, there is a solution.

Add/Modify/Remove Headers in the Admin Area

The easiest way to add or modify a header for ANY/ALL WP-generated pages, including all pages in the WordPress Admin Area and frontend, is to call the PHP header() function using the WP init hook. Here are some basic examples showing how it’s done.

Note: these examples limit header modification to admin pages only. To modify headers for front-end requests, it is recommended to use wp_headers or send_headers instead.

Add Headers

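To add, say, an XSS header on all pages in the Admin Area, we can add the following code to functions.php or via plugin. Because init fires in both the Admin Area and the frontend, the same callback without the is_admin() check would send the header everywhere.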

// Add HTTP Header
function shapeSpace_add_header() {
	
	if (is_admin()) header('X-XSS-Protection: 0');
	
}
add_action('init', 'shapeSpace_add_header');

So simple it hurts. This technique uses the WordPress function is_admin() to check if the request is for any page in the WP Admin Area. If so, the XSS header is added via the header() function. Further conditional logic may be applied to target only specific pages. For an example, check out the WP-Mix tutorial, Disable the Chrome XSS Auditor.

Modify Headers

By default, the header() function replaces any existing header of the same name. Consider this example:

// Modify HTTP Header
function shapeSpace_modify_header() {
	
	if (is_admin()) header('Example-Header: Value');
	
}
add_action('init', 'shapeSpace_modify_header');

If the Example-Header header already exists, its value will be replaced by Value. So this technique can be used to either add a new header (if it does not already exist), or can be used to modify a header (if it does already exist).

Add Multiple Headers

To add multiple headers that have the same name, we can pass a second argument to the header() function like so:

// Add Multiple HTTP Headers
function shapeSpace_add_headers() {
	
	if (is_admin()) {
	
		header('Header-Example: Value 1', false);
		header('Header-Example: Value 2', false);
		header('Header-Example: Value 3', false);
	
	}
	
}
add_action('init', 'shapeSpace_add_headers');

Notice here we are passing false as the argument for the function’s replace parameter. So this example will add three new headers (and not replace any headers), each with their own value. For more information, check out the header() documentation.

Remove Headers

As a last example, if you want to delete a header, use the header_remove() function:

// Remove HTTP Header
function shapeSpace_remove_header() {
	
	if (is_admin()) header_remove('Header-Example');
	
}
add_action('init', 'shapeSpace_remove_header');

This technique will remove any header(s) named Header-Example. Again, as with previous examples, we are using is_admin() to make sure that only admin pages are affected.
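
The add, modify, and remove techniques above, combined with a check that the headers actually reached the response, as an added example that is not code from the original post. The example_ function names and the policy array are assumptions made for illustration; Header-Example is the placeholder name used above.

```php
<?php
// Added example, not from the original post. All example_* names are hypothetical.

// Desired admin headers: name => value, or null to remove the header.
function example_admin_header_policy() {
	return array(
		'X-XSS-Protection' => '0',  // value used in the post
		'Header-Example'   => null, // placeholder name from the post
	);
}

// Apply the policy on init, which fires for every WP-generated request.
function example_apply_admin_headers() {
	// is_admin() is true for any admin-area request, including admin-ajax.php;
	// it does not check the user's role.
	if (!is_admin()) return;
	// header() cannot change anything once output has started.
	if (headers_sent($file, $line)) {
		error_log("Admin headers not applied; output started at $file:$line");
		return;
	}
	foreach (example_admin_header_policy() as $name => $value) {
		if ($value === null) {
			header_remove($name);
		} else {
			header("$name: $value"); // replace defaults to true
		}
	}
}
add_action('init', 'example_apply_admin_headers');

// At shutdown, compare the headers PHP holds for this response with the policy.
function example_verify_admin_headers() {
	if (!is_admin() || !defined('WP_DEBUG') || !WP_DEBUG) return;
	$actual = array();
	foreach (headers_list() as $raw) {
		list($name, $value) = array_pad(explode(':', $raw, 2), 2, '');
		$actual[strtolower(trim($name))][] = trim($value);
	}
	foreach (example_admin_header_policy() as $name => $want) {
		$key = strtolower($name);
		$got = isset($actual[$key]) ? $actual[$key] : array();
		$ok  = ($want === null) ? empty($got) : ($got === array($want));
		if (!$ok) error_log("Header policy mismatch for $name: " . implode(' | ', $got));
	}
}
add_action('shutdown', 'example_verify_admin_headers');
```

With WP_DEBUG enabled, a mismatch entry in the PHP error log means another plugin or later code replaced, duplicated, or re-added a header after init.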

Important!

Only modify HTTP headers (especially in the Admin Area) if you know 100% what you are doing. If in doubt, do not change any headers. If you are working on front-end pages, use the WordPress core hooks, wp_headers and send_headers, instead of the above PHP header() technique.




Source: Security Feed
