HTTP Headers Analyzer
What Are HTTP Response Headers & Why Do They Matter?
Every time a browser requests a webpage, the server responds with HTTP headers: invisible metadata that controls how your content is displayed, cached, and secured. Think of them as the “packing slip” that accompanies every package delivered to your visitors.
Most WordPress site owners never check their headers. This is a mistake. Poorly configured headers can:
- Weaken your defenses: without HSTS, the first request (or any http:// link) can be intercepted and downgraded; without X-Frame-Options or a CSP frame-ancestors directive, your pages can be framed for clickjacking; without a Content-Security-Policy, a script-injection bug anywhere on the page runs unrestricted. These headers contain such attacks; they do not fix the underlying bugs.
- Hurt page speed: without Cache-Control (or the legacy Expires) headers, browsers re-download the same resources on every visit, wasting bandwidth and increasing load times.
- Reveal sensitive information: your web server and its version (Server, X-Powered-By), the WordPress version (generator tag, ?ver= query strings), and plugin paths can leak through headers and markup, giving attackers a shortlist of known vulnerabilities to try.
This free HTTP Headers Analyzer is purpose-built for WordPress sites. Enter any URL above to check 14+ critical response headers, detect WordPress fingerprinting risks, and receive an actionable security score, all in under 3 seconds.
What Does This HTTP Headers Checker Analyze?
Key Response Headers
Inspects 14+ critical headers including Server, Cache-Control, Security headers (HSTS, X-Frame-Options, CSP), and more.
WordPress Fingerprinting
Detects exposed WP version, REST API endpoints, XML-RPC, oEmbed, Emoji scripts, Google Fonts, Dashicons, RSS feeds, and more.
Security Score
Calculates an A-F grade based on header configuration. Shows passes, warnings, and actionable issues at a glance.
WordPress Security Headers: Complete Guide
Security response headers add a browser-enforced layer of defense against common web attacks; they complement fixing vulnerable code rather than replace it. Here’s what each one does and how to configure it for WordPress.
Strict-Transport-Security (HSTS)
What it does: Tells a browser that has already seen the header to use HTTPS only for your domain for max-age seconds, so later http:// links and typed URLs are upgraded before any request leaves the browser. This blocks SSL-stripping downgrade attacks and stops session cookies from ever travelling over plaintext HTTP. It is trust-on-first-use: the very first visit is protected only if the domain is on the browser preload list.
Recommended value:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Before copying this: includeSubDomains breaks any subdomain that is not served over HTTPS (check them all first), and add preload only if you will actually submit the domain at hstspreload.org; a preloaded domain takes months to remove from browsers if you ever need to go back.
How to add in WordPress:
- Use a plugin such as Really Simple SSL or WP Rocket, then confirm the header is actually sent (for example with curl -I against your HTTPS URL); HSTS is usually a setting you must switch on rather than an automatic default.
- Nginx (inside the HTTPS server block): add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- Apache (needs mod_headers; in .htaccess or the vhost): Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
The always keyword makes the header appear on error responses too, not only on 2xx; leave preload off until you have submitted the domain.
X-Frame-Options
What it does: Prevents your pages from being embedded in iframes on other origins, which is how clickjacking works. Browsers now prefer the CSP frame-ancestors directive and ignore X-Frame-Options when both are present, so set X-Frame-Options for older clients and frame-ancestors in your CSP.
Recommended values:
- SAMEORIGIN: allows framing by pages on the same origin only (recommended for most sites, since wp-admin previews and the customizer frame your own pages).
- DENY: prevents all framing (most restrictive).
The old ALLOW-FROM value is not supported by current browsers; use frame-ancestors with an origin list instead.
WordPress implementation:
// Add to functions.php or use a code snippets plugin
add_action( 'send_headers', function() {
header( 'X-Frame-Options: SAMEORIGIN' );
} );
Pro tip: Perfmatters can toggle this with one click, no code needed.
X-Content-Type-Options: nosniff
What it does: Tells browsers to trust the declared Content-Type instead of guessing (“sniffing”) a type from the bytes. Without it, a file uploaded as text or as an image can be reinterpreted as a script or stylesheet when something references it, which turns a harmless upload into an XSS vector.
Recommended value: X-Content-Type-Options: nosniff
Nginx: add_header X-Content-Type-Options "nosniff" always;
.htaccess (Apache): Header always set X-Content-Type-Options "nosniff"
Content-Security-Policy (CSP)
What it does: An allowlist that tells the browser which origins it may load scripts, styles, images, fonts and frames from, and whether inline code may run. It is the most effective header for containing Cross-Site Scripting (XSS): an injected script that is not on the list does not run. It limits damage; it does not remove the injection bug.
Basic example for WordPress:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://stats.wp.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; frame-src 'self' https://www.youtube.com; frame-ancestors 'self';
Read this as a compatibility starting point, not a finished policy: 'unsafe-inline' and 'unsafe-eval' in script-src are needed by many themes and plugins, but they let any injected inline script run, so this policy mainly controls where external scripts may come from. Real XSS containment means dropping 'unsafe-inline' in favour of per-request nonces or hashes, which WordPress core does not add for you. img-src https: permits images from any HTTPS origin, and frame-ancestors 'self' replaces X-Frame-Options in browsers that support it.
Warning: A misconfigured CSP can break your site. Start with the Content-Security-Policy-Report-Only header, add a report-uri or report-to destination, and watch the violation reports before switching to the enforcing header.
Referrer-Policy
What it does: Controls how much of the current URL is sent in the Referer header when a visitor follows a link or the page loads a resource from another site.
Recommended value: Referrer-Policy: strict-origin-when-cross-origin (full URL to same-origin requests, only the origin to other sites, nothing when dropping from HTTPS to HTTP; this is already the default in Chromium and Firefox, so setting it explicitly only makes older browsers behave the same way)
Permissions-Policy
What it does: Controls which browser features (camera, microphone, geolocation, payment) your pages, and any iframes they embed, may use. An empty allowlist, written (), disables the feature entirely, so a compromised third-party script or embedded frame cannot turn it on.
Recommended for most WordPress sites:
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
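As an added example (not the page’s own analyzer), the Python below shows the kind of logic behind the PASS/WARN/RISK results and the weighted score described in the FAQ: it parses a raw response head, runs one check per header covered in this guide plus the leakage headers (Server, X-Powered-By, X-Pingback), and grades the result. The weights and grade thresholds are the FAQ’s; the individual check rules, the sample response (constructed, not captured from a real host) and all function names are this example’s own assumptions, and the INFO result class is omitted.

```python
"""Added example, not the page's tool: parse a raw response head, run PASS/WARN/RISK
checks for the headers covered above, and apply the FAQ weighting (60/25/15)."""
import re

# Constructed sample of what `curl -I` prints for a default WordPress install; not a real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: PHP/8.2.1
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
Cache-Control: no-cache, must-revalidate, max-age=0
"""

WEIGHTS = {"security": 60, "leakage": 25, "performance": 15}  # percentages from the FAQ
POINTS = {"PASS": 1.0, "WARN": 0.5, "RISK": 0.0}
ONE_YEAR = 31536000


def parse_headers(raw):
    """Response head -> {lowercase-name: [values]}; status line skipped, repeated headers kept."""
    headers = {}
    for name, sep, value in (line.partition(":") for line in raw.strip().splitlines()[1:]):
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_directives(policy):
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}"""
    parts = [p.lower().split() for p in policy.split(";")]
    return {p[0]: p[1:] for p in parts if p}

def first(h, name):
    return h.get(name, [""])[0]

def check_hsts(h):
    v = first(h, "strict-transport-security").lower()
    m = re.search(r"max-age=(\d+)", v)
    if not v:
        return "RISK", "missing; HTTP downgrade possible"
    if not m or int(m.group(1)) < ONE_YEAR:
        return "WARN", "max-age under one year"
    return ("PASS", v) if "includesubdomains" in v else ("WARN", "includeSubDomains not set")

def check_framing(h):
    xfo = first(h, "x-frame-options").upper()
    if "frame-ancestors" in csp_directives(first(h, "content-security-policy")):
        return "PASS", "CSP frame-ancestors controls framing"
    if xfo in ("DENY", "SAMEORIGIN"):
        return "PASS", xfo
    return ("WARN", xfo + " is ignored by browsers") if xfo else ("RISK", "missing; clickjacking possible")

def check_csp(h):
    csp = csp_directives(first(h, "content-security-policy"))
    if not csp:
        return "RISK", "missing"
    scripts = set(csp.get("script-src", csp.get("default-src", [])))  # script-src falls back to default-src
    weak = sorted({"'unsafe-inline'", "'unsafe-eval'", "*", "data:"} & scripts)
    return ("WARN", "script-src allows " + " ".join(weak)) if weak else ("PASS", "no unsafe script sources")

def present(name):  # non-critical header: PASS if set, WARN if missing
    return lambda h: ("PASS", first(h, name)) if first(h, name) else ("WARN", "missing (non-critical)")

def absent(name, bad="RISK", pattern=r"."):  # leakage header: PASS unless its value matches pattern
    def fn(h):
        v = first(h, name)
        return (bad, "disclosed: " + v) if re.search(pattern, v) else ("PASS", v or "not sent")
    return fn

def check_cache(h):
    if first(h, "cache-control"):
        return "PASS", first(h, "cache-control")
    return ("WARN", "only legacy Expires set") if first(h, "expires") else ("RISK", "no caching directives")

CHECKS = [
    ("security", "Strict-Transport-Security", check_hsts),
    ("security", "X-Frame-Options", check_framing),
    ("security", "X-Content-Type-Options", lambda h: ("PASS", "nosniff")
        if first(h, "x-content-type-options").lower() == "nosniff" else ("RISK", "missing; MIME sniffing allowed")),
    ("security", "Content-Security-Policy", check_csp),
    ("security", "Referrer-Policy", present("referrer-policy")),
    ("security", "Permissions-Policy", present("permissions-policy")),
    ("leakage", "Server", absent("server", pattern=r"\d")),  # 'nginx' passes, 'nginx/1.24.0' does not
    ("leakage", "X-Powered-By", absent("x-powered-by")),
    ("leakage", "X-Pingback", absent("x-pingback", bad="WARN")),  # WordPress sends this when xmlrpc.php is live
    ("performance", "Cache-Control", check_cache),
]

def analyze(raw):
    """Run every check; each category contributes its weight times the share of points earned."""
    h = parse_headers(raw)
    findings = [(cat, label) + fn(h) for cat, label, fn in CHECKS]
    total = 0.0
    for cat, weight in WEIGHTS.items():
        pts = [POINTS[s] for c, _, s, _ in findings if c == cat]
        total += weight * sum(pts) / len(pts) if pts else 0
    total = round(total)
    grade = "A" if total >= 90 else "B" if total >= 75 else "C" if total >= 60 else "D" if total >= 40 else "F"
    return {"score": total, "grade": grade, "findings": findings}
```

Calling analyze(SAMPLE_RESPONSE) on the constructed default install yields 53/100 (grade D): the security half scores 30 of 60 because the short HSTS max-age, the missing framing protection and the 'unsafe-inline' script policy each lose points, and the two version-bearing headers give away most of the leakage points. Feed it your own `curl -I` output to see which row moves the grade.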
Cache-Control & Browser Caching: Speed Up Your WordPress Site
Proper caching headers are one of the easiest ways to improve your PageSpeed score and reduce server load.
Cache-Control vs Expires: Which Should You Use?
| Aspect | Cache-Control | Expires |
|---|---|---|
| Type | Relative (max-age in seconds) | Absolute (specific date/time) |
| Standard | HTTP/1.1 (modern) | HTTP/1.0 (legacy) |
| Flexibility | High; separate browser (max-age) and CDN (s-maxage) lifetimes | Low; one fixed date, and skipped entirely when max-age is present |
Use Cache-Control as primary. Set both for maximum compatibility; when both are present, caches use max-age and ignore Expires.
Recommended Cache-Control Values for WordPress
| Resource Type | Cache-Control Value | Rationale |
|---|---|---|
| Static assets (CSS, JS, images) | public, max-age=31536000, immutable | Cache for 1 year; safe because WordPress changes the ?ver= query string (or the filename) when files update |
| HTML pages (anonymous visitors only) | public, max-age=3600, s-maxage=604800 | Browser 1 hr, CDN 1 week |
| API responses / JSON | no-cache, must-revalidate | Always validate freshness |
| Private content | private, no-store | Never cache |
Do not apply the HTML row to responses for logged-in users or to anything that carries Set-Cookie: WordPress already sends no-cache headers for logged-in sessions, and a CDN that stores a page containing an admin bar or a session cookie will hand it to the next anonymous visitor. Purge the CDN when you publish, or the one-week s-maxage means edits take up to a week to appear.
Nginx Configuration for WordPress Caching
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
    expires 365d;
    add_header Cache-Control "public, immutable";
}
location ~ \.php$ {
    add_header Cache-Control "no-cache, must-revalidate";
}
Two things to check before copying this. The dot before the extension list must be escaped as \. (an unescaped dot matches any character). And nginx does not merge location blocks: the \.php$ block has to be your existing PHP block (the one with fastcgi_pass and the fastcgi_params include) with the add_header line added to it, not a new block alongside it, or PHP stops being handled.
Two more details matter for headers. expires 365d already emits Expires and Cache-Control: max-age=31536000, so the asset response carries two Cache-Control headers that clients merge into one list. And any add_header inside a location replaces every add_header inherited from the server block, so security headers set at server level must be repeated (or pulled in with include) in each location that sets its own, or they silently disappear for those responses.
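The table rows above describe intent; what a cache actually does depends on directive precedence. The Python below is an added example (not from the page) that evaluates a response’s caching headers the way a browser and a shared cache would, using the table’s four values plus two cases the table does not cover: an Expires-only response and a public response that also sets a login cookie. The rule set is a simplification of RFC 9111; the sample headers, the cookie name and the function names are constructed for this example.

```python
"""Added example, not from the page: work out how a browser cache and a shared
cache (CDN or reverse proxy) treat a response from its Cache-Control, Expires,
Date and Set-Cookie headers, following RFC 9111 precedence in simplified form."""
import email.utils

# Constructed cases: the four rows of the table above plus two it does not show
# (a legacy Expires-only response, and a public response that also sets a cookie).
SAMPLES = {
    "static asset": {"cache-control": "public, max-age=31536000, immutable"},
    "html page": {"cache-control": "public, max-age=3600, s-maxage=604800"},
    "api response": {"cache-control": "no-cache, must-revalidate"},
    "private content": {"cache-control": "private, no-store"},
    "expires only": {"date": "Thu, 01 Jan 2026 00:00:00 GMT",
                     "expires": "Thu, 01 Jan 2026 01:00:00 GMT"},
    "leaky login page": {"cache-control": "public, max-age=600",
                         "set-cookie": "wordpress_logged_in_x=alice; HttpOnly"},
}


def parse_cache_control(value):
    """'public, max-age=3600' -> {'public': None, 'max-age': 3600}. Repeated Cache-Control
    headers combine into one comma-separated list, so join them before calling."""
    directives = {}
    for token in value.split(","):
        name, _, arg = token.strip().lower().partition("=")
        if name:
            directives[name] = int(arg) if arg.isdigit() else (arg or None)
    return directives


def cache_decision(headers, shared=False):
    """headers: {lowercase-name: value}. shared=True evaluates as a CDN/proxy would.
    Returns whether the response may be stored, its freshness lifetime in seconds
    (None = no explicit lifetime), whether every reuse needs revalidation, and notes."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    notes = []
    if "no-store" in cc:
        return {"store": False, "ttl": None, "revalidate": False, "notes": ["no-store: never written to cache"]}
    if shared and "private" in cc:
        return {"store": False, "ttl": None, "revalidate": False, "notes": ["private: shared caches must not store"]}
    ttl = None
    if shared and isinstance(cc.get("s-maxage"), int):
        ttl = cc["s-maxage"]
        notes.append("s-maxage wins over max-age in a shared cache")
    elif isinstance(cc.get("max-age"), int):
        ttl = cc["max-age"]
        if "expires" in headers:
            notes.append("Expires ignored because max-age is present")
    elif "expires" in headers and "date" in headers:
        expires = email.utils.parsedate_to_datetime(headers["expires"])
        date = email.utils.parsedate_to_datetime(headers["date"])
        ttl = max(0, int((expires - date).total_seconds()))
        notes.append("freshness taken as Expires minus Date (HTTP/1.0 style)")
    if "no-cache" in cc:
        ttl = 0
        notes.append("no-cache: stored, but revalidated with the origin before every reuse")
    if ttl is None:
        notes.append("no explicit freshness: caches may apply heuristics")
    if shared and ttl and "set-cookie" in headers:
        notes.append("Set-Cookie on a shared-cacheable response: one user's cookie can be served to everyone")
    return {"store": True, "ttl": ttl, "revalidate": ttl == 0, "notes": notes}


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        browser, cdn = cache_decision(headers), cache_decision(headers, shared=True)
        print("%-18s browser ttl=%-9s cdn ttl=%-9s %s" % (label, browser["ttl"], cdn["ttl"], "; ".join(cdn["notes"])))
```

Running it prints the browser and CDN lifetimes side by side: the HTML row is kept for 3600 s by the browser but 604800 s by the CDN, the Expires-only response gets one hour from the date arithmetic, and the login page is flagged because a shared cache that honours public, max-age=600 would replay one visitor’s Set-Cookie to everyone else.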
Hide Your WordPress Fingerprint: Complete Checklist
WordPress leaves traces everywhere: version numbers, API endpoints, generator tags, emoji scripts. Attackers use these to target known vulnerabilities. Here’s how to clean up your digital footprint.
1. Remove WordPress Version Number
Risk: High if you run behind on updates; the exact version lets an attacker pick exploits known to work against it
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
The first line drops the generator meta tag; the filter also empties the generator element in your RSS feeds. The version still appears as ?ver= on core scripts and stylesheets and in /readme.html, so treat this as tidying rather than hiding: keeping WordPress updated is what actually removes the risk.
Easier way: Perfmatters disables this with a single toggle.
2. Disable WordPress Emoji Scripts
Performance cost: an inline detection script on every page, a dns-prefetch hint to s.w.org, and a request for wp-emoji-release.min.js on browsers that fail the detection test
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
These two lines cover the front end only; the admin screens use separate hooks, and the s.w.org dns-prefetch hint comes from wp_resource_hints and only goes away when you filter emoji_svg_url to false. Check the page source after the change.
3. Disable oEmbed Discovery
Adds two link rel="alternate" discovery tags to every page plus one request for the wp-embed.min.js script
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'wp_head', 'wp_oembed_add_host_js' );
These only remove the markup; the /wp-json/oembed/1.0/embed endpoint itself stays reachable and still answers for your posts.
4. Restrict REST API Access
Risk: Medium; /wp-json/wp/v2/users lists the login names of every author with a published post, which is exactly the list a password-guessing attack needs
add_filter( 'rest_authentication_errors', function( $result ) {
    // $result is null when no earlier authentication step has run; existing errors pass through untouched.
    if ( ! is_user_logged_in() && null === $result ) {
        return new WP_Error( 'rest_unauthorized', 'REST API restricted.', array( 'status' => 401 ) );
    }
    return $result;
} );
This returns 401 to every visitor who is not logged in, which also breaks anything legitimate that calls the REST API anonymously (contact-form plugins, WooCommerce’s Store API, Jetpack, some block themes). If that is too broad, remove only the wp/v2/users routes through the rest_endpoints filter. Note that the Link response header and the link rel="https://api.w.org/" tag still advertise the endpoint unless you also remove rest_output_link_header and rest_output_link_wp_head.
5. Disable XML-RPC & RSD Link
Risk: High; xmlrpc.php lets one request carry hundreds of login attempts through system.multicall, and its pingback.ping method has been abused to make WordPress sites flood third parties with requests
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'xmlrpc_enabled', '__return_false' );
The filter only switches off the XML-RPC methods that require authentication; pingback.ping keeps answering, and posts that accept pingbacks still send an X-Pingback response header pointing at xmlrpc.php. If nothing you use (Jetpack, the mobile apps, some publishing tools) needs XML-RPC, block the file at the web server instead, for example with location = /xmlrpc.php { deny all; } in Nginx.
6. Remove WLW Manifest & Shortlink
Low risk, easy wins
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_shortlink_wp_head' );
WordPress 6.3 stopped printing the wlwmanifest link, so the first line only matters on older installs. The shortlink tag exposes the numeric post ID (?p=123), harmless on its own but one more piece of the fingerprint; the matching Link: rel=shortlink response header is sent separately by wp_shortlink_header.
7. Disable Dashicons on Frontend
Saves ~30KB CSS on frontend
add_action( 'wp_enqueue_scripts', function() {
if ( ! is_admin_bar_showing() ) {
wp_deregister_style( 'dashicons' );
}
} );
8. Host Google Fonts & Analytics Locally
A render-blocking stylesheet from a third-party origin costs a DNS lookup and a new connection before text can be drawn, and loading fonts from Google sends every visitor’s IP address to Google, which is the GDPR problem for EU audiences.
Solutions: Perfmatters (built-in local hosting), WP Rocket (font hosting), or the OMGF plugin.
Pro Tip: Don’t Edit functions.php Directly. Code pasted into a parent theme’s functions.php is overwritten on the next theme update. Use the Code Snippets plugin, the Perfmatters Code Snippet Manager, a child theme, or a Must-Use (MU) plugin in wp-content/mu-plugins instead.
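To see what the checklist above is removing, here is an added example (not the analyzer’s code) that scans a stock WordPress head section for each fingerprint with regular expressions, then repeats the scan after only the generator tag is stripped, as step 1 strips it, to show that the core version is still readable from the ?ver= query string on core stylesheets. The sample markup is constructed (not captured from a real site), and the pattern list, severities and function names are assumptions made for this example.

```python
"""Added example, not the page's tool: find the WordPress fingerprints from the
checklist above in a page's <head>, and show which ones survive removing only
the generator meta tag."""
import re

# Constructed sample of a stock WordPress <head>; not captured from a real site.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.com/wp-includes/wlwmanifest.xml" />
<link rel="shortlink" href="https://example.com/?p=123" />
<link rel="alternate" type="application/json+oembed" href="https://example.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.com%2F" />
<link rel="https://api.w.org/" href="https://example.com/wp-json/" />
<link rel="dns-prefetch" href="//s.w.org" />
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css?ver=6.4.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script>window._wpemojiSettings = {"baseUrl":"https://s.w.org/images/core/emoji/14.0.0/72x72/"};</script>
</head><body></body></html>"""

# (name, severity, regex); group 1, where present, is the evidence to report.
FINGERPRINTS = [
    ("wp_version_meta", "RISK", r'<meta name="generator" content="WordPress ([\d.]+)"'),
    ("wp_version_query", "RISK", r'/wp-includes/css/[^"?]+\?ver=([\d.]+)'),
    ("rsd_link", "WARN", r'rel="EditURI"[^>]*href="([^"]+)"'),
    ("wlwmanifest", "WARN", r'rel="wlwmanifest"'),
    ("shortlink", "INFO", r'rel="shortlink"'),
    ("oembed_discovery", "INFO", r'type="application/json\+oembed"'),
    ("rest_api_link", "INFO", r'rel="https://api\.w\.org/"[^>]*href="([^"]+)"'),
    ("emoji_script", "WARN", r'_wpemojiSettings'),
    ("emoji_prefetch", "INFO", r'dns-prefetch" href="//s\.w\.org"'),
    ("google_fonts", "WARN", r'fonts\.googleapis\.com'),
    ("dashicons", "WARN", r'/dashicons(?:\.min)?\.css'),
]


def fingerprint(html):
    """Return {name: (severity, evidence)} for every fingerprint present in the markup."""
    found = {}
    for name, severity, pattern in FINGERPRINTS:
        m = re.search(pattern, html)
        if m:
            found[name] = (severity, m.group(1) if m.groups() else m.group(0))
    return found


def core_versions(html):
    """Every version string attributable to WordPress core: the generator tag and the
    ?ver= value on core stylesheets. Bundled libraries under wp-includes/js (jQuery and
    friends) carry their own version numbers, so they are deliberately not counted."""
    versions = set(re.findall(r'content="WordPress ([\d.]+)"', html))
    versions.update(re.findall(r'/wp-includes/css/[^"?]+\?ver=([\d.]+)', html))
    return versions


def strip_generator(html):
    """What remove_action('wp_head', 'wp_generator') achieves: only the meta tag goes."""
    return re.sub(r'<meta name="generator"[^>]*>\n?', "", html)


if __name__ == "__main__":
    for label, page in (("stock", SAMPLE_HTML), ("generator removed", strip_generator(SAMPLE_HTML))):
        found = fingerprint(page)
        print(label + ":", ", ".join("%s=%s" % (k, v[0]) for k, v in sorted(found.items())))
        print("  core version(s) still visible:", core_versions(page) or "none")
```

On the stock sample all eleven fingerprints match; after strip_generator the wp_version_meta finding disappears but core_versions still returns 6.4.2 from the dashicons stylesheet, which is the point of the caveat under step 1.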
Frequently Asked Questions
What do PASS, WARN, and RISK mean in the results?
- PASS (green): the header is properly configured and follows best practices.
- WARN (yellow): the header exists but could be stronger, or a non-critical header is missing.
- RISK (red): a critical security header is missing, or a dangerous practice was detected.
- INFO (blue): informational only; no action needed.
How is the Security & Privacy Score calculated?
The score (0–100) is based on weighted analysis: Security Headers (60%), Information Leakage (25%), Performance Wastage (15%).
Grade scale: A (≥90), B (≥75), C (≥60), D (≥40), F (<40).
How is this different from running curl -I?
Generic HTTP header tools only show raw header values. Our analyzer provides WordPress-specific analysis, actionable scoring, fingerprint detection, and requires no CLI.
Does checking my headers here log or store my data?
No. Our tool performs a real-time HEAD request and analyzes the response immediately. Results are not stored in any database.
Can I fix failing headers without coding knowledge?
Absolutely! You can fix most header issues using plugins: Perfmatters (security headers + WP cleanup), WP Rocket (caching headers), or Really Simple SSL (HSTS).
Recommended Tools to Improve Your Scores
Perfmatters
Lightweight WordPress performance plugin. One-click toggles to disable emojis, hide WP version, remove REST API exposure, set security headers, local-host Google Fonts/GA, and 50+ more optimizations. Zero front-end overhead.
WP Rocket
The most user-friendly caching plugin for WordPress. Automatically sets Cache-Control headers, enables browser caching, integrates with CDNs, lazy-loads images/videos, minifies CSS/JS, and handles database optimization.
GeneratePress
The fastest, lightest-weight WordPress theme available. Clean semantic markup, no bloat, perfect Core Web Vitals scores out of the box. Used by RocketWP and trusted by 600,000+ websites worldwide.