
esc_url() and Wordpress Security?


The escape functions serve to protect against attacks and weird characters. Some of the things the functions do is remove invalid characters, remove dangerous characters, and encode characters as HTML entities.

The problem is that untrusted data comes from not just users, but could come from things saved in your own database.

As a general rule, it is good to use the escape functions when any part of the URL is not generated by Wordpress functions. If the entire URL is generated only by Wordpress functions then the escape functions are not necessary.

For example, if you wanted to print the URL and add a query string like this

<?php echo get_permalink() . '?order=time' ?>

you should be in the habit of using an escape function because you typed some of the actual URL.

<?php echo esc_url(get_permalink() . '?order=time') ?>

Still, it would be better to use the add_query_string function like this

<?php echo add_query_arg('order', 'time', get_permalink()) ?>

In this second example, you would not need an escape function because the URL is generated entirely by Wordpress functions.

In your example in the question, the escape function is not necessary in the header.php file. The person who wrote that code was probably just in the habit of doing it and it is ok to put there even when it is not needed.

A good place to start reading about data validation would be on the Wordpress codex: https://codex.wordpress.org/Data_Validation
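To make the difference between the two patterns in this answer concrete, here is an added Python illustration (not code from the answer or from WordPress): a deliberately simplified model of what an escape function such as esc_url() does to a URL (drop dangerous schemes and control characters, entity-encode attribute-breaking characters) next to an add_query_arg()-style builder that encodes the value instead of concatenating it. The function names, allowed-scheme list and sample inputs are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import urlencode, urlsplit

# Constructed, simplified model of the behaviour the answer attributes to
# esc_url(): reject disallowed schemes, remove invalid/control characters,
# then entity-encode characters that could break out of an HTML attribute.
# This is NOT WordPress's implementation; it only illustrates the idea.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}


def escape_url(url: str) -> str:
    """Return '' for a disallowed scheme, else a cleaned, attribute-safe URL."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", url).strip()   # control chars
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:            # e.g. javascript:
        return ""
    return html.escape(cleaned, quote=True)                  # & < > " ' -> entities


def add_query_arg(name: str, value: str, base: str) -> str:
    """Append name=value the add_query_arg() way: the value is URL-encoded,
    so no raw quote or angle bracket can ever reach the href attribute."""
    sep = "&" if "?" in base else "?"
    return base + sep + urlencode({name: value})


def href(url: str) -> str:
    """What the template would print for <a href="...">."""
    return f'<a href="{url}">'


if __name__ == "__main__":
    permalink = "https://example.com/posts/"                 # constructed
    hostile = 'time"><b>x</b>'                              # constructed value
    # Pattern 1 from the answer: hand-typed query string, so escape the result.
    print(href(escape_url(permalink + "?order=" + hostile)))
    # Pattern 2: let the query builder encode the value; nothing to break out.
    print(href(add_query_arg("order", hostile, permalink)))
    # A disallowed scheme is dropped entirely rather than printed.
    print(repr(escape_url("javascript:void(0)")))
```

Run it and compare the two anchors: the first survives only because escape_url() turned the quote and brackets into entities, the second never contained them in the first place.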


You need to use the wordpress escape function for any user inserted content; it is not necessary for wordpress functions. But in plugins, templates, forms or stuff like this you need to use the escape functions.


You need to use the wordpress escape functions for any user-inserted content, as John says.

Have a look at the link I provided to know about wordpress escape functions.

http://codeseekah.com/2012/03/13/wordpress-escape-functions/