HTTP Header Diagnosis
HTTP Header Diagnosis analyzes your site's response headers and scores them for security issues.
Why HTTP Header Diagnosis Is Necessary
HTTP headers returned by the web server contain security instructions for the browser. Without proper headers, the following risks arise:
- XSS (Cross-Site Scripting): Without Content-Security-Policy, malicious scripts may be injected
- Clickjacking: Without X-Frame-Options, your site could be embedded in an iframe to trick users
- MIME Sniffing: Without X-Content-Type-Options, the browser may misinterpret file types
- Session Hijacking: Without Secure/HttpOnly flags on cookies, session data could be stolen
Diagnostic Items
Security Headers (7 items)
| Header | Purpose | Importance |
|---|---|---|
| Strict-Transport-Security (HSTS) | Enforce HTTPS connections | ◎ High |
| Content-Security-Policy (CSP) | Restrict resource loading | ◎ High |
| X-Content-Type-Options | Prevent MIME sniffing | ○ Medium |
| X-Frame-Options | Prevent clickjacking | ○ Medium |
| X-XSS-Protection | Browser XSS filter | △ Low |
| Referrer-Policy | Control referrer information | ○ Medium |
| Permissions-Policy | Restrict browser APIs (camera, etc.) | ○ Medium |
Cookie Settings (5 items)
| Check Item | Purpose |
|---|---|
| Secure Flag | Send cookies only over HTTPS |
| HttpOnly Flag | Prevent JavaScript access to cookies |
| SameSite Attribute | Prevent CSRF attacks |
| Path Attribute | Limit the effective cookie path |
| Expiration | Appropriate session cookie expiration |
WordPress-Specific Headers (4 items)
| Check Item | Purpose |
|---|---|
| X-Powered-By | Check for PHP version exposure |
| Server | Check for web server information exposure |
| X-Generator | Check for WordPress version exposure |
| X-Pingback | Check for XML-RPC Pingback exposure |
Scoring Method
Each diagnostic item has an assigned weight, and a score is calculated on a 100-point scale.
Score Evaluation Criteria
| Score | Rating | Icon |
|---|---|---|
| 90–100 | Excellent | 🟢 |
| 70–89 | Good | 🟡 |
| 50–69 | Needs Improvement | 🟠 |
| 0–49 | Critical | 🔴 |
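As an added illustration (not the plugin's own code), the following Python checker parses a constructed response head, applies the three check groups above (security headers, cookie flags, WordPress-specific disclosure headers) and maps the total to the rating bands; the per-item weights are assumptions, since the plugin's real weights are not published here.

```python
import re
# Constructed sample response head (not captured from a real site), as a server would send it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "X-Powered-By: PHP/8.2.1\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: wordpress_logged_in=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)

# Assumed weights for illustration only (they sum to 100); the plugin's actual weights are not documented.
HEADER_WEIGHTS = {"strict-transport-security": 15, "content-security-policy": 15,
                  "x-content-type-options": 10, "x-frame-options": 10, "x-xss-protection": 5,
                  "referrer-policy": 10, "permissions-policy": 5}
COOKIE_FLAG_WEIGHTS = {"secure": 5, "httponly": 5, "samesite": 5}
DISCLOSURE_WEIGHTS = {"x-powered-by": 4, "server": 4, "x-generator": 4, "x-pingback": 3}

def parse_head(raw):
    """(lowercase name, value) pairs from a raw response head, skipping the status line."""
    lines = [l.split(":", 1) for l in raw.split("\r\n")[1:] if ":" in l]
    return [(n.strip().lower(), v.strip()) for n, v in lines]

def cookie_attrs(set_cookie):
    """Lowercase attribute names of one Set-Cookie value, e.g. {'path', 'httponly'}."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}

def diagnose(raw):
    """Return (score, rating, findings); findings maps each check to its status label."""
    headers = parse_head(raw)
    present = dict(headers)
    cookies = [v for n, v in headers if n == "set-cookie"]
    checks = []                                           # (check name, passed?, weight, failure label)
    for name, weight in HEADER_WEIGHTS.items():           # security headers must be present
        checks.append((name, name in present, weight, "Not Set"))
    for flag, weight in COOKIE_FLAG_WEIGHTS.items():      # every cookie must carry each flag
        checks.append(("cookie-" + flag, all(flag in cookie_attrs(c) for c in cookies), weight, "Issue Found"))
    for name, weight in DISCLOSURE_WEIGHTS.items():       # disclosure headers should be absent (Server: no version)
        harmless = name not in present or (name == "server" and not re.search(r"\d", present[name]))
        checks.append((name, harmless, weight, "Issue Found"))
    score = sum(w for _, ok, w, _ in checks if ok)
    findings = {k: "Configured" if ok else label for k, ok, _, label in checks}
    rating = "Excellent" if score >= 90 else "Good" if score >= 70 else "Needs Improvement" if score >= 50 else "Critical"
    return score, rating, findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE)[:2])
```

The sample head scores 47 (Critical): it lacks CSP, Referrer-Policy and Permissions-Policy, its cookie has no Secure or SameSite attribute, and Server and X-Powered-By reveal version numbers.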
Running the Diagnosis
- Navigate to SentinelSecurity → HTTP Security Headers
- Click the Run Diagnosis button
- Results are displayed in card format
- Status: ✅ Configured / ⚠️ Not Set / ❌ Issue Found
- Current Value: The detected header value
- Recommended Setting: Security best practice
- Explanation: Why the setting matters
Using Diagnosis Results
Items shown as "Not Set" or "Issue Found" can be resolved using the following methods:
Free Version
- Manually configure headers in your server's .htaccess or nginx.conf
- Use a WordPress security plugin with header configuration capabilities
Pro Version
With SentinelSecurity Pro's Security Header Settings feature, you can configure headers directly from the admin dashboard. Use the Fix button on each diagnosis result to apply recommended settings with a single click.
Regular Diagnosis Recommendations
We recommend re-running the diagnosis at the following times:
- After WordPress major updates
- After adding or changing plugins and themes
- After server configuration changes
- After SSL certificate renewal