Security Header Settings

Configure 24 headers. Deploy without breaking a thing.

Set up CSP, HSTS, and 22 more security headers through an intuitive GUI. Smart scan auto-generates optimal settings — deploy confidently without breaking your site.

Security Header Settings screen

Why Security Headers?

95% of sites ship with no Content-Security-Policy.

Security headers are your browser-level shield against XSS, clickjacking, and data injection. Yet the vast majority of WordPress sites run with none configured — leaving browsers with nothing to enforce.

95%+ of websites lack a valid Content-Security-Policy (securityheaders.com data)
24 Headers: configurable security directives via the SentinelSecurity GUI
Auto-CSP: Smart Scanner generates an optimal CSP policy from your live page resources
Smart Scan

Scans your plugins and theme — builds the CSP allowlist automatically.

Every plugin that loads Google Fonts, Stripe, or GTM needs to be explicitly listed in CSP. Smart Scanner reads your plugin and theme source files to find every external domain they use — so you don't have to hunt them down manually.

1. Scan all active plugins and themes

One button starts the scan. Smart Scanner reads the source files of every active plugin and theme, detecting all external domains they reference — Google Fonts, Stripe, GTM, analytics services, and more.

2. Sort each domain by purpose

Each detected domain is automatically placed in the right category — scripts, fonts, images, and more. You can see exactly which plugin needs which domain.

3. Review the list and apply

Toggle off any domain you don't recognize, then save. SentinelSecurity applies the CSP policy to every page on your site instantly.

6 Categories · 24 Settings

Configure every header from a single screen.

No server access required. All 24 settings are available through a GUI — toggle on, pick a preset, or enter a custom value. Each setting is grouped by the threat it addresses.

Content-Security-Policy — the hardest header, and the most important

CSP enforces an allowlist for every resource your site loads.

CSP tells the browser which scripts, fonts, and third-party widgets are allowed to load. Every plugin you use — Google Fonts, GTM, Stripe, reCAPTCHA — must be explicitly listed.

Miss one and that part of your site goes silent. SentinelSecurity removes the guesswork with two dedicated tools.

Smart Scanner

Reads your plugin and theme source files and builds the allowlist automatically.

Learning Mode

Catches anything Smart Scanner missed — before CSP blocks anything.

Content-Security-Policy settings screen
Essential Headers
  • Content-Security-Policy
  • Smart Scanner
  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

The non-negotiable starting point. Covers script injection, forced HTTPS, clickjacking, MIME confusion, referrer leaks, and device API misuse.

Cross-Origin Isolation
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • X-Permitted-Cross-Domain-Policies
  • Clear-Site-Data

Isolates your page in its own browser process and memory space. Protects against Spectre-style attacks, cross-origin window access, and resource hotlinking.

Cookie Security
  • Cookie · Secure
  • Cookie · HttpOnly
  • Cookie · SameSite

Three flags that decide whether a session cookie survives a network sniff, XSS theft, or a cross-site request forgery.

CORS Control
  • Access-Control-Allow-Origin
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

Defines which external domains can read your API responses. A wildcard here is one of the most common causes of API data leaks.

WordPress Fingerprint
  • X-Pingback
  • Link (REST API)
  • X-Powered-By
  • Server

WordPress advertises your stack by default. Removing these cuts off the free inventory of endpoints and version numbers attackers rely on.

Deprecated — Remove
  • X-XSS-Protection
  • Expect-CT
  • Public-Key-Pins

Three legacy headers that modern browsers ignore — or, in the case of X-XSS-Protection, whose built-in filter attackers could turn against the page. SentinelSecurity flags all three for removal.

Learning Mode

Investigate safely — without stopping your site.

Learning Mode activates CSP in Report-Only mode — nothing is blocked while your site runs normally.

Browsers collect every resource that would have been blocked, and SentinelSecurity lists them for review. Approve what belongs, skip what doesn't.

When you're ready, activate full blocking — no broken pages, no unexpected failures.

  • Runs in Report-Only mode — nothing is blocked while monitoring
  • Collects real browser violation reports in real time
  • Add missed domains to allowlist with one click
  • Keeps working after enforcement — detects new plugins automatically
Learning Mode — CSP violation report screen
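The collection step described above, as an added Python example that is not SentinelSecurity's own code: it parses the standard "csp-report" JSON that browsers POST while the policy runs in Report-Only mode, reduces each blocked URL to its origin, sets aside non-URL values such as "inline" for manual review, and renders the enforced header value. The report bodies, domains and base policy are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports (legacy "csp-report" wrapper); values are invented.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "effective-directive": "script-src",
        "blocked-uri": "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/checkout/",
        "effective-directive": "font-src",
        "blocked-uri": "https://fonts.gstatic.com/s/roboto/v30/abc.woff2"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "effective-directive": "script-src",
        "blocked-uri": "inline"}}),
]

# Constructed starting policy before any learned origins are merged in.
BASE_POLICY = {"default-src": ["'self'"], "script-src": ["'self'"],
               "font-src": ["'self'"]}


def collect_violations(raw_reports):
    """Return {directive: set(origins)} from Report-Only violation posts.
    Blocked values that are not URLs ('inline', 'eval', ...) go under
    'needs-review' rather than being allowlisted automatically."""
    found = {}
    for raw in raw_reports:
        body = json.loads(raw).get("csp-report", {})
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        directive = directive.split()[0] if directive else ""
        blocked = body.get("blocked-uri", "")
        parts = urlsplit(blocked)
        if not directive or not parts.scheme or not parts.netloc:
            found.setdefault("needs-review", set()).add(f"{directive}:{blocked}")
            continue
        # Allowlist the origin only, never the full path or query string.
        found.setdefault(directive, set()).add(f"{parts.scheme}://{parts.netloc}")
    return found


def build_policy(base, approved):
    """Merge approved origins into the base policy; return the header value."""
    merged = {d: list(v) for d, v in base.items()}
    for directive, origins in approved.items():
        if directive == "needs-review":
            continue
        merged.setdefault(directive, ["'self'"]).extend(sorted(origins))
    return "; ".join(f"{d} {' '.join(dict.fromkeys(v))}" for d, v in merged.items())
```

Serve the result as Content-Security-Policy-Report-Only first and only switch to Content-Security-Policy once the needs-review bucket is empty or deliberately resolved.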

Strengthen Your Site with Security Headers.

Protect your WordPress site with SentinelSecurity's comprehensive security features.