HTTP Header Diagnosis

24 items scanned.
Know exactly where you stand.

Analyze HTTP response headers across 24 security items — security headers, CORS, cookies, and WordPress-specific checks. Get actionable recommendations in one click, for free.


Why HTTP Header Diagnosis?

Most WordPress sites score F on security header checks.

HTTP security headers tell browsers how to handle your content — blocking XSS, preventing clickjacking, and enforcing HTTPS. A single free scan reveals every misconfiguration across 24 security items, with actionable fixes.

  • F Grade: the grade most WordPress sites receive on the securityheaders.com public scanner
  • 24 Items: headers, CORS, cookie flags and WordPress-specific checks analyzed per scan
  • Free: a complete header audit with actionable recommendations, at no cost
Sample results screen (HTTP Response Headers): Content-Security-Policy: default-src 'self'; Strict-Transport-Security: max-age=31536000; X-Frame-Options: DENY; X-Content-Type-Options: Not Set; Referrer-Policy: Not Set. Scan complete: 3/5 headers configured (XSS Blocked, MITM Blocked).

Why Are So Many Sites Left Unconfigured?

Invisible to Users

HTTP headers are exchanged between browser and server, invisible to regular users.

Complex Configuration

Requires editing server configuration files, demanding technical knowledge.

Lack of Risk Awareness

Often neglected with the reasoning "there have been no issues so far."

With SentinelSecurity

Diagnose with one click and instantly understand what's missing.

What we check

Every header, mapped to a real-world threat.

SentinelSecurity inspects 24 HTTP response headers and cookie attributes. Rather than show you a wall of acronyms, we group each item by the attack it actually prevents — so you know exactly why it matters.

24 items inspected across 6 threat categories

01

Block injected scripts and forced HTTP downgrades

These two headers are the foundation of modern web security. Together they stop attackers from injecting malicious scripts into your pages and from intercepting traffic by downgrading visitors to HTTP.

  • Content-Security-Policy

    Tells the browser exactly which scripts are allowed to run, blocking any script an attacker tries to inject.

  • Strict-Transport-Security

    Forces every visit to use HTTPS, preventing the “downgrade to HTTP” trick used in attacks on public Wi-Fi.

02

Stop your site from being framed or impersonated

Without these two headers, a malicious site can load yours inside an invisible frame to steal clicks (clickjacking) or trick the browser into treating uploaded files as executable code.

  • X-Frame-Options

    Prevents your site from being embedded in another site's iframe; this is the standard defence against clickjacking.

  • X-Content-Type-Options

    Prevents the browser from “guessing” a file's type, which defeats the trick of getting an uploaded file executed as JavaScript.

03

Limit what your visitors’ browsers leak to others

Modern browsers expose a surprising amount: referrer URLs, camera and microphone access, even hardware timing data. These seven headers tell the browser to keep that information private and isolated.

  • Referrer-Policy

    Hides sensitive URL parameters when visitors click a link to an external site.

  • Permissions-Policy

    Disables camera, microphone, GPS and other sensors that your site does not legitimately need.

  • Cross-Origin-Embedder-Policy

    Requires cross-origin embedded resources to opt in explicitly, so their memory cannot be read through Spectre-style side-channel attacks.

  • Cross-Origin-Opener-Policy

    Isolates browser tabs so a malicious popup cannot read data from your site.

  • Cross-Origin-Resource-Policy

    Stops other websites from loading your images, scripts or data without permission.

  • X-Permitted-Cross-Domain-Policies

    Closes the legacy Adobe Flash / PDF cross-domain hole that still affects older clients.

  • Clear-Site-Data

    Wipes cookies, cache and local storage on logout so the next user does not inherit a session.

04

Protect login sessions from being stolen

Most account takeovers start with a stolen session cookie. Three small flags decide whether the cookie can be stolen by an XSS attack, abused in a CSRF, or read off public Wi-Fi.

  • Cookie · Secure

    Cookies are sent only over HTTPS — never in plain text where a network sniffer could grab them.

  • Cookie · HttpOnly

    Hides the cookie from JavaScript, so even a successful XSS injection cannot read it.

  • Cookie · SameSite

    Prevents the browser from attaching the cookie to requests coming from other sites — the core CSRF defence.

05

Keep cross-origin API access tightly scoped

CORS controls who can call your endpoints from a browser. A misconfiguration here is one of the most common causes of API data leaks — SentinelSecurity verifies all three relevant headers.

  • Access-Control-Allow-Origin

    Defines exactly which other domains may read responses from your API.

  • Access-Control-Allow-Methods

    Limits the HTTP verbs (GET, POST, DELETE …) external sites are allowed to use.

  • Access-Control-Allow-Headers

    Restricts which custom request headers can be sent from another origin.

06

Remove headers that leak that you run WordPress

Attackers start by figuring out what software you run. WordPress (and many hosts) advertise themselves through these headers, so removing or replacing them is a quiet win. We also flag three legacy headers that no longer help and may even cause harm.

  • X-Pingback

    Advertises the XML-RPC endpoint, which is routinely abused for brute-force and DDoS amplification.

  • Link (REST API)

    Advertises your /wp-json/ REST API endpoint for auto-discovery, a well-known starting point for user enumeration.

  • X-Powered-By

    Leaks your exact PHP version — a free shopping list for known-CVE exploits.

  • Server

    Same idea for your web server (nginx / Apache / LiteSpeed) and its version.

  • X-XSS-Protection · Expect-CT · Public-Key-Pins

    Three deprecated headers that modern browsers ignore — and that can break your site if mis-configured. SentinelSecurity suggests removing them.
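The six categories above can be turned into a single automated check. The Python below is an added example, not SentinelSecurity's own scanner: it audits one HTTP response (a constructed sample modelled on an unhardened WordPress install, with a placeholder example.test hostname) against the required headers, the cookie flags, a wildcard CORS origin, the fingerprint headers and the three deprecated headers.

```python
# Added example, not SentinelSecurity's code: audit one HTTP response against
# the header, cookie-flag and WordPress-fingerprint items described above.
REQUIRED = {  # header -> value check (None means presence is enough)
    "content-security-policy": None,
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": None, "permissions-policy": None,
    "cross-origin-embedder-policy": None, "cross-origin-opener-policy": None,
    "cross-origin-resource-policy": None, "x-permitted-cross-domain-policies": None,
}
LEAKY = ("x-pingback", "x-powered-by", "server")  # software fingerprints
DEPRECATED = ("x-xss-protection", "expect-ct", "public-key-pins")
COOKIE_FLAGS = ("secure", "httponly", "samesite")

def audit(headers, set_cookies):
    """headers: {name: value}; set_cookies: list of raw Set-Cookie values.
    Clear-Site-Data belongs only on logout responses, so it is not required here."""
    h = {k.lower(): v for k, v in headers.items()}
    r = {"missing": [], "weak": [], "leaky": [], "deprecated": [], "cookies": {}}
    for name, check in REQUIRED.items():
        if name not in h:
            r["missing"].append(name)
        elif check and not check(h[name]):
            r["weak"].append(name)
    # A wildcard CORS origin lets any site read the response from a browser
    if h.get("access-control-allow-origin", "").strip() == "*":
        r["weak"].append("access-control-allow-origin")
    if "/wp-json/" in h.get("link", ""):  # REST API auto-discovery link
        r["leaky"].append("link")
    r["leaky"] += [n for n in LEAKY if n in h]
    r["deprecated"] += [n for n in DEPRECATED if n in h]
    for raw in set_cookies:  # "name=value; Path=/; Secure; HttpOnly; SameSite=Lax"
        parts = [p.strip() for p in raw.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in COOKIE_FLAGS if f not in attrs]
        if missing:
            r["cookies"][parts[0].split("=", 1)[0]] = missing
    return r

# Constructed sample response, modelled on an unhardened WordPress install
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
    "X-Pingback": "https://example.test/xmlrpc.php", "X-Frame-Options": "ALLOWALL",
    "Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"',
    "Strict-Transport-Security": "max-age=31536000", "X-XSS-Protection": "1; mode=block",
    "Access-Control-Allow-Origin": "*",
}
SAMPLE_COOKIES = ["wordpress_logged_in_x=alice|123; Path=/; HttpOnly",
                  "wp-settings-time-1=1700000000; Path=/; Secure; HttpOnly; SameSite=Lax"]
```

Running `audit(SAMPLE_HEADERS, SAMPLE_COOKIES)` reports eight missing headers, a permissive X-Frame-Options and wildcard CORS origin, four fingerprint headers, one deprecated header and a login cookie lacking Secure and SameSite.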

Understand Your Security Status with HTTP Header Diagnosis.

Protect your WordPress site with SentinelSecurity's comprehensive security features.