SecurityStatus

Security Headers

HTTP security headers are instructions your web server sends to browsers telling them how to handle your content. They protect against XSS, clickjacking, MIME sniffing, information leakage, and other browser-level attacks. Missing headers are one of the most common and easiest-to-fix security issues.

What SecurityStatus Checks

  • Content-Security-Policy (CSP) — controls which resources browsers can load
  • X-Frame-Options or CSP frame-ancestors — prevents clickjacking
  • X-Content-Type-Options — prevents MIME type sniffing
  • Strict-Transport-Security (HSTS) — enforces HTTPS in browsers
  • Referrer-Policy — controls what URL is sent in the Referer header
  • Permissions-Policy — restricts access to browser features like camera and geolocation

Why This Matters

Missing security headers leave browsers without instructions on how to handle your content safely. An XSS vulnerability that a CSP would otherwise have contained could expose user sessions or data. These headers are essentially free security controls — they cost nothing to add and provide meaningful protection.

How to Fix It

  1. Add X-Content-Type-Options

     This is the easiest header. Add: `X-Content-Type-Options: nosniff`. This prevents browsers from guessing the content type of responses, blocking a class of attacks where malicious content is disguised as a harmless type.

  2. Add X-Frame-Options

     Add: `X-Frame-Options: SAMEORIGIN`. This prevents your site from being embedded in iframes on other domains, blocking clickjacking attacks. Or use CSP's frame-ancestors directive instead.

  3. Add Referrer-Policy

     Add: `Referrer-Policy: strict-origin-when-cross-origin`. This prevents your full page URLs from leaking to third-party sites via the Referer header while maintaining functionality for same-origin navigation.

  4. Add HSTS

     Add: `Strict-Transport-Security: max-age=31536000; includeSubDomains`. Only add this after your site is fully on HTTPS — it is very hard to remove quickly if something breaks.

  5. Add a Content Security Policy

     CSP is the most complex header. Start with: `Content-Security-Policy: default-src 'self'` and add exceptions as needed. Use report-only mode first: `Content-Security-Policy-Report-Only`. A good CSP blocks XSS by preventing inline script execution and restricting script sources.
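The following script is an added example, not part of the SecurityStatus checker or this guide: it audits a captured set of response headers against the six checks and five fix steps above. Both sample responses are constructed, the one-year HSTS threshold and the set of Referrer-Policy values treated as safe are assumptions made for the example, and the CSP check only looks at the effective script-src (falling back to default-src) for `'unsafe-inline'` or a wildcard host.

```python
"""Audit HTTP response headers against the security-header checks described above."""
import re
from typing import Dict, List

# Constructed sample responses for the example (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOWALL
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src *; script-src * 'unsafe-inline'
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), geolocation=()
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, matching the value in step 4

# Assumption for this example: policies that never send the full URL cross-origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "origin-when-cross-origin",
    "strict-origin", "strict-origin-when-cross-origin",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit(headers: Dict[str, str]) -> List[str]:
    """Return one finding per check that fails; an empty list means all checks passed."""
    findings: List[str] = []
    csp = parse_csp(headers.get("content-security-policy", ""))

    # Step 1: X-Content-Type-Options must be exactly "nosniff".
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    # Step 2: clickjacking protection via X-Frame-Options or CSP frame-ancestors.
    xfo = headers.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection: set X-Frame-Options or CSP frame-ancestors")

    # Step 3: Referrer-Policy present and not leaking full URLs cross-origin.
    # A comma-separated list is a fallback chain; browsers apply the last recognised value.
    referrer = headers.get("referrer-policy", "").lower()
    effective_referrer = referrer.split(",")[-1].strip() if referrer else ""
    if effective_referrer not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs to third parties")

    # Step 4: HSTS present with a max-age of at least one year.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")

    # Permissions-Policy: presence only; the right allowlist is site-specific.
    if "permissions-policy" not in headers:
        findings.append("Permissions-Policy missing")

    # Step 5: CSP enforced (not only report-only) and script sources restricted.
    if "content-security-policy" not in headers:
        if "content-security-policy-report-only" in headers:
            findings.append("CSP is report-only and not yet enforced")
        else:
            findings.append("Content-Security-Policy missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP script-src allows inline scripts or any host")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_headers(raw)) or ["all checks passed"])
```

The weak sample produces six findings, one per check, while the hardened sample passes even though it sets no X-Frame-Options, because `frame-ancestors 'self'` in its CSP is accepted as the equivalent control described in step 2.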

Frequently Asked Questions

How do I add security headers?
For nginx: add `add_header` directives in your server block. For Apache: add `Header set` directives in .htaccess or httpd.conf. For Cloudflare: use Transform Rules > Modify Response Header. For CDNs: check your provider's documentation.
What is the most important security header?
Content-Security-Policy provides the most protection because it directly limits what can execute in a browser. However, it is also the most complex. X-Content-Type-Options is easiest and should be added immediately.
Will adding security headers break my site?
X-Content-Type-Options, X-Frame-Options, and Referrer-Policy rarely cause issues. HSTS can break things if HTTP is still needed. CSP very commonly breaks sites — always use report-only mode first and review violations before enforcing.
What score do I need on SecurityHeaders.com?
Aim for at least a B grade. An A or A+ requires a strong CSP, which takes time to build. A B with all basic headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) is a solid baseline.
