=== Fix It Easy Security Headers ===
Contributors: wpfixit
Donate link: https://www.wpfixit.com
Tags: security, headers, csp, hsts, referrer-policy
Requires at least: 5.8
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Configure core HTTP security headers for your WordPress site in a few clicks.

== Description ==

**WP Fix It Easy Security Headers** adds a simple page under **Tools → Security Headers** where you can toggle common HTTP security headers:

- **Strict-Transport-Security (HSTS)**
- **Content-Security-Policy (CSP)**
- **X-Frame-Options**
- **X-Content-Type-Options**
- **Referrer-Policy**
- **Permissions-Policy**

On activation, all headers are **enabled by default** and you’re redirected to the settings screen. Because that includes HSTS, activate the plugin only on a site that is already served over HTTPS: browsers ignore the header on plain HTTP, but once they have received it over HTTPS they will insist on HTTPS for your host for the header’s `max-age`, so dropping TLS later breaks the site for those visitors.

For convenience, the page and the Plugins screen include a **“Check Headers”** button that opens SecurityHeaders.com with your site’s URL prefilled (built dynamically from `home_url()`).

### Notes on CSP
This plugin ships with a **permissive** default CSP intended to “work everywhere” out of the box (it allows most external sources and inline scripts and styles). Be aware that a policy which permits inline script gives almost no protection against XSS, which is the main thing a CSP is for; treat the default as a compatibility baseline and harden the directives (at least `script-src`, `object-src`, `base-uri` and `frame-ancestors`) for your specific site.

### Key Features
- One-click toggles for popular headers
- Dynamic “Check Headers” scan link
- Uses the WordPress Settings API (nonce + capability checks)
- Output escaping and input sanitization following the WordPress coding standards (PHPCS)

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/fix-it-easy-security-headers/` or install via Plugins → Add New.
2. Activate the plugin.
3. You’ll be redirected to **Tools → Security Headers**. Review and adjust toggles as needed.
4. (Optional) Click **Check Headers** to verify your headers on SecurityHeaders.com.

== Frequently Asked Questions ==

= Where do I manage the settings? =
Go to **Tools → Security Headers**.

= What happens on activation? =
All header options are enabled and you’re redirected once to the settings page.

= Will this break my site? =
The headers other than CSP are conservative defaults, but two of them still change behaviour: `X-Frame-Options` stops other sites from embedding your pages in an iframe (the `SAMEORIGIN` value still allows your own site to do so), and HSTS commits browsers to HTTPS for your host. The provided CSP is intentionally permissive, so it shouldn’t block assets; the flip side is that it blocks little else. When you move to a strict policy, tailor the directives to your theme and plugins and test on a staging copy first, ideally by deploying the candidate policy as `Content-Security-Policy-Report-Only` and reviewing the browser console for violations before enforcing it.
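The “Notes on CSP” section above explains that the default policy is a compatibility baseline, and the answer above says to tailor and test a stricter one. The script below is an added example, not part of this plugin, that checks what a site actually sends: it parses `curl -sIL` output (or fetches the URL itself), confirms the six headers this plugin toggles are present, and flags the usual weaknesses (short HSTS `max-age`, a `script-src` that allows inline or wildcard sources, an unrestricted `object-src`, a leaky `Referrer-Policy`). The two sample responses are constructed for the example; the permissive one mimics the kind of policy the readme describes, but the plugin’s real default string may differ.

```python
"""Audit the six response headers the plugin toggles (added example, not plugin code).

    curl -sIL https://example.com/ | python3 audit_headers.py   # pipe curl output
    python3 audit_headers.py https://example.com/                # or fetch directly
Exit status is 1 when anything is flagged, so it can gate a deploy.
"""
import re
import sys
import urllib.request

# The six headers the settings page can enable, lower-cased for lookup.
EXPECTED = ["strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy"]
ONE_YEAR = 31536000
# Source expressions that leave script-src with no real XSS protection.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
# Referrer-Policy values that send the full URL to other origins.
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_raw_headers(raw: str) -> dict:
    """Parse `curl -sI` output into {lower-cased name: value}.
    With `curl -L` there is one block per hop; the final response is what
    the browser applies, so the last block wins."""
    headers = {}
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        current = {}
        for line in block.splitlines():
            if line.upper().startswith("HTTP/") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            current[name.strip().lower()] = value.strip()
        if current:
            headers = current
    return headers


def parse_csp(policy: str) -> dict:
    """Split a policy string into {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers: dict) -> list:
    """Return one finding per problem; [] means all six are present and reasonably strict."""
    findings = [f"missing: {name}" for name in EXPECTED if name not in headers]

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("strict-transport-security: max-age shorter than one year")

    csp = headers.get("content-security-policy")
    if csp is not None:
        directives = parse_csp(csp)
        # script-src falls back to default-src when it is not set.
        scripts = directives.get("script-src", directives.get("default-src", []))
        risky = sorted(s for s in scripts if s.lower() in RISKY_SOURCES)
        if risky:
            findings.append("content-security-policy: script-src allows " + " ".join(risky))
        if "object-src" not in directives and "default-src" not in directives:
            findings.append("content-security-policy: object-src not restricted")

    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unsupported value {xfo}")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("x-content-type-options: expected nosniff")

    rp = headers.get("referrer-policy")
    if rp is not None and rp.lower() in LEAKY_REFERRER:
        findings.append(f"referrer-policy: {rp} sends the full URL to other origins")
    return findings


def fetch_headers(url: str) -> dict:
    """HEAD the URL (redirects are followed) and return its headers lower-cased."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}


# Constructed sample responses (not captured from any real site).
PERMISSIVE_EXAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), camera=()
"""
HARDENED_EXAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-R4nd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
"""

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_raw_headers(sys.stdin.read())
    problems = audit(hdrs)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it against the public front end from outside your network, not against `localhost`: a CDN or page cache in front of WordPress can add, strip or override these headers, and that is what visitors actually receive. The permissive sample produces two findings (the wildcard/inline `script-src` and the leaky `Referrer-Policy`); the hardened sample produces none.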

= Can I use this on multisite? =
Yes. The “Check Headers” URL is built from `home_url()`, so each site in the network gets its own scan link. The activation redirect is skipped for network-wide and bulk activations.

= Why do I see the “Settings saved” notice only once? =
The page prints only this plugin’s scoped settings messages, so the generic WordPress notice is not duplicated.

= Can I customize the CSP? =
Yes. The `$csp` string is built in `security_headers_add_headers()`; edit it to fit your site’s needs. Keep in mind that changes made directly in the plugin file are overwritten when the plugin updates, so keep a copy of your policy and re-apply it after each update, and re-test the site after any change.

== Screenshots ==

1. Settings screen with header toggles and “Check Headers” button.

== Changelog ==

= 1.1 =
* Initial release.
* Header toggles for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
* Activation enables all options and redirects to settings.
* Dynamic SecurityHeaders.com scan link.

== Upgrade Notice ==

= 1.1 =
First release. After installing or updating, review **Tools → Security Headers** to confirm your preferred settings.