
Does WordPress add security headers?

WordPress does not add security headers by default. The default installation sends minimal HTTP headers, missing critical protections like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy. Some security plugins like Wordfence or iThemes Security can add basic headers, but comprehensive CSP configuration usually requires manual setup through your .htaccess file, nginx configuration, or a dedicated headers plugin. Managed WordPress hosts like WP Engine or Kinsta may add some headers at the server level. UNPWNED checks your WordPress site for all recommended security headers.
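The check described above can be run by hand against any response head. This is an added example, not code from UNPWNED or WordPress: the function names and both sample responses are constructed for illustration, and treating a CSP `frame-ancestors` directive as a substitute for X-Frame-Options is a choice made for this example.

```python
import re

# The five headers the answer above lists as absent from a default install.
REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-frame-options", "x-content-type-options", "permissions-policy")

# Constructed sample responses (not captured from a real site).
DEFAULT_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Link: <https://example.test/wp-json/>; rel="https://api.w.org/"
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Permissions-Policy: geolocation=(), camera=()
"""

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            # Repeated headers are joined with a comma.
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def audit(raw):
    """Return {header: finding}; an empty dict means every check passed."""
    h = parse_headers(raw)
    findings = {name: "missing" for name in REQUIRED if name not in h}
    # CSP frame-ancestors covers framing, so X-Frame-Options is then optional.
    if "frame-ancestors" in h.get("content-security-policy", "").lower():
        findings.pop("x-frame-options", None)
    elif h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = "unrecognised value"
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings["x-content-type-options"] = "value must be nosniff"
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) == 0:
            findings["strict-transport-security"] = "max-age missing or zero"
    return findings
```

Paste the response head from your own site (for example, the output of `curl -sI`) into `audit()` to see which of the five headers are absent or carry an ineffective value.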


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.