Just installed my own WordPress plugin for setting HSTS and other security related headers (nosniff, and XSS protection) in WordPress. Plugin is still not quite ready for release into the world, but was inspired by the HSTS plugin for WordPress but alas that one is broken on recent copies of WordPress, and author is so far unresponsive.
Still somewhat uncomfortable with 100 lines of PHP to do what can be done in 4 lines of Apache config file, and there are some more ideas to steal from other security related plug-ins, before releasing it. Along with more testing to do.
However some of these headers rightfully belong to the application, rather than to the web server, since only the application knows if they can be set safely. Also the “header” call abstracts away any web server specific syntax for configuration. Most of the code is admin UI and validation of inputs, the actual meat of the work is done in 14 statements.
The rationale for doing this, is that with SNI (multiple secure sites behind the same IP addresses), and the rise of specialist WordPress hosting sites, it will become more sensible, and simpler to configure these application type settings within WordPress.
If the user settings API documentation wasn’t so arcane I might get a taste for writing WordPress plugins. Still not sure I’ve done it 100% right, only testing will tell.