Setting (security) HTTP response headers

We’ve a looming requirement to set some security headers, things like content-security-policy and cache-control.

These feel like something that should be able to be generated by Wordpress itself, rather than our needing to manually figure out what it needs.

Is this something we can just enable in Kinsta somewhere? I haven’t yet found a likely-looking tickbox.

Failing that, can we get Kinsta to return manually-entered headers, or will we need to configure those downstream?


Hey @Avi_Greenbury welcome to Kinsta Community!
As these type of headers requires custom values, there’s no tickbox or tools in MyKinsta that will enable those for you.
However, our support can manually add some headers in Nginx upon request, but the user will need to share which headers and values to add.

Feel free to start a support request via chat in MyKinsta whenever you know the values and headers you would like to add.


Hi, @Alessandro .

I have also security HTTP response header issues here.
I should like to test the new header value on my DevKinsta beforehand.
It’s because asking your support team takes time via help chat / email.

I am using DevKinsta on Windows 10. It seems it’s running on wsl.
I can see


In the directory, a config file is settled, whose name is [sitename].conf.

Inside the config file is as follows;

server {
  set $site_name prod01;
  set $php_path devkinsta_fpm:9004;

  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  ssl_certificate /www/kinsta/ssl/prod01.local.crt;
  ssl_certificate_key /www/kinsta/ssl/prod01.local.key;

  server_name  prod01.local *.prod01.local;
  access_log   /www/kinsta/logs/prod01_access.log main;
  error_log    /www/kinsta/logs/prod01_error.log;

  root /www/kinsta/public/prod01;
  index index.php index.html;

  include multisite_subdir.conf;

  location / {
      try_files $uri $uri/ /index.php?$args;

  location ~ \.php$ {
      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
      if (!-f $document_root$fastcgi_script_name) {
        return 404;
      include fastcgi_params;
      fastcgi_param PHP_ADMIN_VALUE "sendmail_from=devkinsta@prod01.local";
      fastcgi_intercept_errors on;
      fastcgi_pass $php_path;
      fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;

Would you please tell me how to test my [security] HTTP response headers on this situation?

Hello @miyazawa_k :wave:

Welcome to the Kinsta Community!

You can easily edit the Nginx configuration within the Devkinsta User Interface. To do this, simply navigate to your local site, click on the wrench icon in the left panel, and scroll down to the “Nginx Editor” section.

You can add any custom HTTP headers inside the server location. Once you’ve made the necessary changes, don’t forget to click on “Save Changes” to reload the Nginx service. Please refer to the sample screenshot below for a visual guide.

I hope you find this information helpful. :slightly_smiling_face:

1 Like

Dear @Adrian_L ,

Thank you very much for your reply!

I confirmed that the changes I added on “NGINX Editor” reflects immediately to the content of the file


and the change reflects to the site response as I restart the site.

I appreciate your swift and accurate direction.

1 Like

Hi @miyazawa_k ! Glad to hear that worked for you.

Please do let us know if you have any other questions as well.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.