A practical guide to adding HTTP security headers to your WordPress site using .htaccess, nginx config, and PHP. Covers Content Security Policy (CSP) without breaking Gutenberg, HSTS with preload submission, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — plus how to test with securityheaders.com and Mozilla Observatory.