Security Header Settings

Security Header Settings allows you to configure HTTP security headers directly from the admin dashboard.

Why Dashboard-Based Configuration Matters

Traditionally, configuring security headers required directly editing server configuration files (.htaccess or nginx.conf). This presents several challenges:

  • Server administration knowledge is required
  • Configuration mistakes can take the entire site down
  • CSP configuration is complex — a single error can prevent the site from displaying correctly
  • Shared hosting environments may restrict configuration access

Sentinel Security's Security Header Settings enables safe header deployment through a GUI, with Smart Scan and Learning Mode to verify the impact before enforcement.

Configurable Headers (10 Types)

Primary Headers

Header | Function | Recommendation
Content-Security-Policy (CSP) | Control scripts/styles/images and other resources | Required
Strict-Transport-Security (HSTS) | Enforce HTTPS | Required
X-Content-Type-Options | Prevent MIME sniffing | Required
X-Frame-Options | Prevent clickjacking | Required
Referrer-Policy | Control referrer information | Recommended
Permissions-Policy | Restrict browser APIs | Recommended
X-XSS-Protection | Legacy XSS filter | Optional

WordPress-Specific Removal Settings

Setting | Target | Effect
Remove X-Powered-By | PHP version info | Hide server information
Remove Server header | Web server info | Hide server type

Security Levels (Presets)

Three presets are available to simplify the deployment of complex header configurations.

Level | Contents | Target Audience
Basic | Minimum headers (HSTS, X-Content-Type-Options, X-Frame-Options) | First-time users
Standard | Basic + CSP (report mode), Referrer-Policy | Recommended for most sites
Strict | All headers with full policies applied | Security-focused sites

Site Protection (Recommended CSP Workflow)

Since version 1.7.0, CSP deployment and management are unified in the Site Protection screen, which is enabled by default. Instead of operating Smart Scan and learning separately, you simply follow the state shown on screen to apply CSP safely.

State Flow

  1. Monitoring — Automatically collects the external services your site uses (Smart Scan plus learning from real traffic).
  2. Needs Review — Decide Allow or Block for newly discovered services. You can also act in bulk with Allow All / Block All.
  3. Protected — Generates and applies the CSP from your allowed services. If you change a decision later, use Re-apply protection to update it.

Helpful Features

  • Service grouping: Providers that use many subdomains (Google Fonts, Google APIs, Cloudflare, etc.) are grouped into a single service (wildcard), keeping the allow list short and readable.
  • Caller visibility: See which plugin or theme loads each service.
  • Reset learning data: Delete all collected decisions and history to start over — useful when unneeded data piles up. After a reset, no automatic rescan runs and the list starts empty.
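The state flow above (discovered services, Allow/Block decisions, a policy built only from allowed services, with multi-subdomain providers collapsed into one wildcard entry) as an added example in Python; this is not the plugin's own code, and the grouping table, the discovered resources and the decisions are constructed sample data:

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed grouping table (hypothetical, not the plugin's own list): any host
# under one of these suffixes collapses into a single wildcard service entry.
GROUPED_SUFFIXES = {"googleapis.com": "*.googleapis.com", "gstatic.com": "*.gstatic.com"}

# Constructed sample of what the Monitoring state might collect: (directive, URL).
DISCOVERED = [
    ("script-src", "https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"),
    ("style-src", "https://fonts.googleapis.com/css2?family=Inter"),
    ("font-src", "https://fonts.gstatic.com/s/inter/v13/sample.woff2"),
    ("script-src", "https://tracker.example-ads.invalid/t.js"),
    ("img-src", "https://i0.wp.com/example.com/logo.png"),
]
# Allow/Block decisions keyed by service; anything absent is still "Needs Review".
DECISIONS = {"*.googleapis.com": "allow", "*.gstatic.com": "allow",
             "https://tracker.example-ads.invalid": "block"}

def service_for(url):
    """Map a resource URL to the service it is grouped under (wildcard or origin)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    for suffix, wildcard in GROUPED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return wildcard
    return f"{p.scheme}://{host}"

def needs_review(discovered, decisions):
    """Services with no decision yet (the Needs Review list), in discovery order."""
    pending = []
    for _, url in discovered:
        svc = service_for(url)
        if svc not in decisions and svc not in pending:
            pending.append(svc)
    return pending

def build_csp(discovered, decisions):
    """Build the CSP value from allowed services only; blocked and undecided
    services stay out, so the policy never widens by accident."""
    sources = defaultdict(list)
    for directive, url in discovered:
        svc = service_for(url)
        if decisions.get(svc) == "allow" and svc not in sources[directive]:
            sources[directive].append(svc)
    parts = ["default-src 'self'"]
    for directive in sorted(sources):
        parts.append(f"{directive} 'self' " + " ".join(sources[directive]))
    return "; ".join(parts)
```

Re-running build_csp after changing a decision is the equivalent of Re-apply protection: the header is regenerated from the current decisions rather than patched.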

The Smart Scan, Learning Mode, and CSP Violation Log sections below describe the mechanisms that power Site Protection. They are provided as reference if you prefer the individual screens.

Smart Scan

Smart Scan automatically scans the resources used on your site (scripts, stylesheets, images, fonts, etc.) before applying CSP headers, and generates an appropriate CSP policy.

How to Use

  1. Navigate to Security Header Settings > CSP section
  2. Click the Smart Scan button
  3. Each page of your site is scanned, and resource origins are listed
  4. Select Allow or Deny for each origin as needed
  5. Click Generate Policy

Smart Scan prevents the common issue of "the site stopped displaying" that often occurs when deploying CSP.

Learning Mode (CSP Report-Only)

CSP Learning Mode does not actually block resources — it only logs resources that would violate the policy in a report.

Deployment Steps

  1. Set CSP Mode to Report-Only (Learning)
  2. Operate the site for 1–2 weeks while collecting violation reports
  3. Review the CSP Violation Log to see which resources would have been blocked
  4. Add legitimate resources to the policy; exclude malicious ones
  5. Once violations have sufficiently decreased, switch to Enforce mode

CSP Violation Log

The CSP Violation Log in the admin dashboard displays:

  • Violated Directive: script-src, style-src, etc.
  • Blocked URI: The resource URL
  • Page URL: The page where the violation occurred
  • Occurrence Count: Aggregated count of identical violations
  • Date/Time: Most recent occurrence
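The Learning Mode review step and the Violation Log fields above, as an added Python example (not the plugin's code): it parses report-uri JSON bodies, aggregates identical violations into count and most recent time, and separates host origins you could allow from blocked-uri values like "inline" that need a nonce or hash rather than a host entry. The report bodies and received timestamps are constructed sample data.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: four report-uri POST bodies plus the time the server
# received each (illustrative values, not captured from a real site).
RAW_REPORTS = [
    ("2024-05-01T10:00:00Z", '{"csp-report":{"document-uri":"https://example.com/","violated-directive":"script-src","blocked-uri":"https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"}}'),
    ("2024-05-01T10:05:00Z", '{"csp-report":{"document-uri":"https://example.com/","violated-directive":"script-src","blocked-uri":"https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"}}'),
    ("2024-05-02T08:30:00Z", '{"csp-report":{"document-uri":"https://example.com/contact/","violated-directive":"script-src","blocked-uri":"inline"}}'),
    ("2024-05-02T09:00:00Z", '{"csp-report":{"document-uri":"https://example.com/","violated-directive":"style-src","blocked-uri":"https://fonts.googleapis.com/css2?family=Inter"}}'),
]

def aggregate(raw_reports):
    """Collapse identical violations the way the Violation Log does:
    key = (violated directive, blocked URI, page URL) -> count and latest time."""
    log = {}
    for received, body in raw_reports:
        r = json.loads(body).get("csp-report", {})
        key = (r.get("violated-directive", ""), r.get("blocked-uri", ""), r.get("document-uri", ""))
        entry = log.setdefault(key, {"count": 0, "last_seen": received})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], received)  # ISO-8601 UTC sorts lexically
    return log

# blocked-uri values that are not hosts: allowing them needs a nonce/hash
# (or unsafe-inline/unsafe-eval), never a host entry in the directive.
NON_HOST = {"inline", "eval", "data", "blob", "self", ""}

def triage(log):
    """Split the log into host origins you could add per directive and
    entries that need a remedy other than a host allowance."""
    hosts = defaultdict(set)
    other = []
    for (directive, blocked, page), entry in log.items():
        if blocked in NON_HOST or "://" not in blocked:
            other.append((directive, blocked, page, entry["count"]))
            continue
        p = urlsplit(blocked)
        hosts[directive].add(f"{p.scheme}://{p.hostname}")
    return {d: sorted(s) for d, s in hosts.items()}, other
```

Whether an origin in the hosts list is legitimate is still a human decision; the split only tells you which fix is even possible for each entry.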

.htaccess Security

In Apache environments, a feature is available that outputs security headers directly to .htaccess. Since headers are set at the server level rather than the PHP level, they also apply to static files (images, CSS, JS).

Test Mode / Production Mode

Mode | Behavior
Test Mode | Output to .htaccess.test for preview. No impact on production
Production Mode | Write directly to .htaccess. Takes effect immediately

Recommended: First verify settings in Test Mode, then switch to Production Mode once confirmed.

CSP Operation Tips in .htaccess Production Mode

  • When ending Learning Mode, apply required domains from violation logs to your CSP directives
  • Save settings after changes so .htaccess is regenerated with the latest rules
  • If .htaccess is not writable, policy updates may not be applied
  • Verify behavior in browser devtools (console/network) before and after switching to Enforce

Notes

  • Incorrect CSP settings can prevent your site's scripts and styles from loading. Always start with Learning Mode
  • If you disable SSL after enabling HSTS, browsers that have already received the HSTS header will refuse to load your site over plain HTTP until the policy's max-age expires
  • Creating a backup of .htaccess before making changes is recommended