VaultDevLabs

Guide

WordPress security headers missing

A practical checklist for missing WordPress security headers and what they do and do not prove.

Problem

Security headers help browsers enforce safer behavior around framing, MIME handling, referrer sharing, transport security, and permissions. WordPress sites often miss them because headers live in hosting, CDN, or server config rather than content.

Common causes

  • Headers are not configured at the host, CDN, or web server layer.
  • A migration changed server config and removed previous hardening rules.
  • Plugins add partial headers but leave gaps or conflicting policies.
  • Strict policies were avoided because checkout, embeds, or third-party scripts were not tested.

What to check

  • Review Strict-Transport-Security, X-Frame-Options or CSP frame rules, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
  • Confirm headers do not break checkout, payment redirects, analytics, or embedded services.
  • Add policies in the correct layer: CDN, host, server config, or a trusted hardening plugin.
  • Retest key pages after changes, especially checkout and account flows.
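A minimal audit of the five headers listed above, as an added example (not VaultDevLabs code). The status names, the one-year HSTS threshold, and the `SAMPLE` response are assumptions constructed for illustration; the conflict check covers the case where a plugin and another layer set differing policies.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; threshold is an assumption of this example

def audit_headers(raw_headers):
    """Map each checklist item to 'ok', 'missing', 'weak' or 'conflict'."""
    seen = {}
    for name, value in raw_headers:
        seen.setdefault(name.strip().lower(), []).append(value.strip())

    def one(name):
        # A header repeated with differing values usually means two layers
        # (plugin and CDN, say) each set their own policy: flag for review.
        values = seen.get(name, [])
        if len({v.lower() for v in values}) > 1:
            return "conflict", None
        return (None, values[0]) if values else ("missing", None)

    report = {}
    status, hsts = one("strict-transport-security")
    if hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        status = "ok" if m and int(m.group(1)) >= MIN_HSTS_MAX_AGE else "weak"
    report["transport"] = status

    # Framing is covered by X-Frame-Options or a CSP frame-ancestors directive.
    status, xfo = one("x-frame-options")
    csp = ";".join(seen.get("content-security-policy", [])).lower()
    if re.search(r"(^|;)\s*frame-ancestors\s", csp):
        status = "ok"
    elif xfo is not None:
        status = "ok" if xfo.upper() in ("DENY", "SAMEORIGIN") else "weak"
    report["framing"] = status

    status, xcto = one("x-content-type-options")
    if xcto is not None:
        status = "ok" if xcto.lower() == "nosniff" else "weak"
    report["mime"] = status

    status, ref = one("referrer-policy")
    if ref is not None:
        # In a comma-separated list, the last policy the browser recognises wins.
        status = "weak" if ref.lower().split(",")[-1].strip() == "unsafe-url" else "ok"
    report["referrer"] = status
    report["permissions"] = one("permissions-policy")[0] or "ok"
    return report

# Constructed sample: two layers both set X-Frame-Options, HSTS is short-lived.
SAMPLE = [("Strict-Transport-Security", "max-age=300"),
          ("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY"),
          ("X-Content-Type-Options", "nosniff"),
          ("Referrer-Policy", "strict-origin-when-cross-origin")]
```

Feed it the header pairs captured from key pages (home, checkout, account) before and after a change, so the retest compares like with like.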

Next steps

  1. Run the free diagnostic to collect evidence before changing live orders or payment settings.
  2. Request a Payment Rescue Review if the evidence is unclear or the risk affects customers, fulfilment, or support.
  3. Custom setup or fix work is quoted after review, once the likely cause and scope are clear.

Need help checking this on a live store?

Missing headers are useful diagnostic signals, but when you need evidence, practical fixes, limitations, and retest proof across the public surface, an authorised Security Snapshot is the stronger path.