Security Headers Every Website Needs
The essential HTTP security headers that protect your website from common attacks. What each header does and how to implement them.
Apr 13, 2026 · 4 min read
Your website is missing protections it should have
Most websites ship without basic security headers. These headers are HTTP response headers that tell browsers how to behave when loading your site — which scripts to trust, whether to allow framing, and how to handle content types.
Without them, your site is vulnerable to clickjacking, cross-site scripting (XSS), MIME sniffing attacks, and more. The good news: adding them takes minutes and the Security Headers Checker shows exactly what's missing.
The essential headers
1. Strict-Transport-Security (HSTS)
What it does: Forces browsers to use HTTPS for all connections to your site. Prevents protocol downgrade attacks and cookie hijacking.
Recommended value: Strict-Transport-Security: max-age=31536000; includeSubDomains
Why it matters: Even if your site has HTTPS, a user typing "example.com" (without https://) gets an initial insecure connection before the redirect. HSTS eliminates that window by telling the browser to always use HTTPS.
2. Content-Security-Policy (CSP)
What it does: Controls which resources (scripts, styles, images, fonts) the browser is allowed to load. Prevents XSS attacks by blocking injected malicious scripts.
Recommended starting point: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
Why it matters: If an attacker injects a script tag into your page (via a form, URL parameter, or database), CSP blocks it from executing. It's the strongest defense against XSS.
Warning: CSP can break things. Start in report-only mode (Content-Security-Policy-Report-Only) to identify violations before enforcing.
3. X-Frame-Options
What it does: Prevents your site from being loaded inside an iframe on another site. Stops clickjacking attacks.
Recommended value: X-Frame-Options: DENY (or SAMEORIGIN if you embed your own content in iframes)
Why it matters: Clickjacking overlays an invisible iframe of your site on a malicious page. Visitors think they're clicking a harmless button but are actually clicking a button on your site (like "transfer funds" or "change password").
4. X-Content-Type-Options
What it does: Prevents the browser from MIME-sniffing a response away from the declared content type.
Recommended value: X-Content-Type-Options: nosniff
Why it matters: Without this header, a browser might interpret a JSON response as HTML and execute embedded scripts. It's a single header with no configuration needed.
5. Referrer-Policy
What it does: Controls how much referrer information is sent when users click links on your site.
Recommended value: Referrer-Policy: strict-origin-when-cross-origin
Why it matters: Without a referrer policy, your full page URLs (which might contain sensitive parameters) are sent to every external site your visitors click through to.
6. Permissions-Policy
What it does: Controls which browser features (camera, microphone, geolocation, payment) your site can use.
Recommended value: Permissions-Policy: camera=(), microphone=(), geolocation=()
Why it matters: Even if your site doesn't use the camera, a compromised third-party script could. This header prevents any script on your page from accessing these APIs.
How to implement
Vercel / Next.js
Add headers in next.config.ts:
Headers are configured in the headers() function, which returns an array of objects, each with a source (URL pattern) and a headers array of key/value pairs.
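The headers() shape described above, written out as an added example rather than code from the article: a next.config.ts that applies all six headers to every route. It assumes a Next.js project and uses the catch-all source pattern '/(.*)'; in a real project you would annotate the config with the NextConfig type from 'next'. Following the CSP warning earlier on this page, the policy is emitted under the Report-Only name until enforceCsp is switched on.

```typescript
// Added example (not the article's own code): a next.config.ts that sets the
// six recommended headers on every route. Assumes Next.js; '/(.*)' matches all
// paths.

// The article's CSP starting point. Served as Report-Only until enforced so
// violations show up in the browser console / report endpoint first.
const CSP_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

export function securityHeaders(enforceCsp = false): { key: string; value: string }[] {
  return [
    { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
    {
      key: enforceCsp ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only',
      value: CSP_POLICY,
    },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// Next.js calls headers() at build time and attaches the result to responses
// whose path matches `source`. Flip the argument to true once report-only
// mode has shown the policy does not break the site.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders(false) }];
  },
};

export default nextConfig;
```

Keep the Report-Only and enforcing headers distinct: a browser treats them as separate policies, so you can run both during the cut-over (the enforced one loose, the report-only one strict) and tighten in steps.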
Apache (.htaccess)
Add a Header set directive for each header in your .htaccess file.
Nginx
Add add_header directives in your server block.
Cloudflare
Use Transform Rules to add response headers — no server configuration needed.
The quick check
Run any URL through the Security Headers Checker to see which headers are present and which are missing. The tool checks all six essential headers and flags any gaps.
A full audit also includes security header analysis as part of the Security category score.
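What such a check actually evaluates, as an added example that is not the Security Headers Checker's code or the article's: an audit of one response's headers against the six recommendations above. It goes slightly beyond a presence check, flagging values that are present but weaker than recommended (a short HSTS max-age, a script-src that allows inline scripts, a Referrer-Policy that leaks full URLs) and accepting the CSP frame-ancestors directive in place of X-Frame-Options, since browsers honour it in preference. The two response maps are constructed samples.

```typescript
// Added example (not the article's or the checker's code): audit a response's
// headers against the six recommendations. Sample responses are constructed.

export interface Finding {
  header: string;
  status: 'ok' | 'missing' | 'weak';
  detail: string;
}

// Header names are case-insensitive, so look them up by lower-cased key.
function lower(headers: Record<string, string>): Map<string, string> {
  const m = new Map<string, string>();
  for (const [k, v] of Object.entries(headers)) m.set(k.toLowerCase(), v.trim());
  return m;
}

// Split "default-src 'self'; script-src 'self'" into directive -> sources.
function parseCsp(policy: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out.set(tokens[0].toLowerCase(), tokens.slice(1).map(t => t.toLowerCase()));
  }
  return out;
}

export function auditHeaders(raw: Record<string, string>): Finding[] {
  const h = lower(raw);
  const out: Finding[] = [];
  const add = (header: string, status: Finding['status'], detail: string) =>
    out.push({ header, status, detail });

  // 1. HSTS: at least one year, covering subdomains.
  const hsts = h.get('strict-transport-security');
  if (!hsts) add('Strict-Transport-Security', 'missing', 'no HSTS header');
  else {
    const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? '0');
    if (maxAge < 31536000) add('Strict-Transport-Security', 'weak', `max-age=${maxAge} is under one year`);
    else if (!/includeSubDomains/i.test(hsts)) add('Strict-Transport-Security', 'weak', 'includeSubDomains not set');
    else add('Strict-Transport-Security', 'ok', hsts);
  }

  // 2. CSP: enforced beats report-only; an inline or wildcard script source
  //    leaves injected scripts unblocked, which defeats the header's purpose.
  const enforced = h.get('content-security-policy');
  const policy = enforced ?? h.get('content-security-policy-report-only');
  const csp = policy ? parseCsp(policy) : undefined;
  if (!csp) add('Content-Security-Policy', 'missing', 'no CSP header');
  else {
    const scriptSrc = csp.get('script-src') ?? csp.get('default-src') ?? ['*'];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*'))
      add('Content-Security-Policy', 'weak', 'script-src allows inline or wildcard scripts');
    else if (!enforced) add('Content-Security-Policy', 'weak', 'report-only: violations are logged, not blocked');
    else add('Content-Security-Policy', 'ok', 'script sources restricted');
  }

  // 3. Framing: X-Frame-Options, or CSP frame-ancestors, which supersedes it.
  const xfo = h.get('x-frame-options')?.toUpperCase();
  const frameAncestors = csp?.get('frame-ancestors');
  if (frameAncestors && !frameAncestors.includes('*'))
    add('X-Frame-Options', 'ok', `frame-ancestors ${frameAncestors.join(' ')} covers framing`);
  else if (!xfo) add('X-Frame-Options', 'missing', 'no X-Frame-Options or frame-ancestors');
  else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') add('X-Frame-Options', 'ok', xfo);
  else add('X-Frame-Options', 'weak', `unsupported value ${xfo}`);

  // 4. nosniff is the only meaningful value.
  const xcto = h.get('x-content-type-options')?.toLowerCase();
  if (!xcto) add('X-Content-Type-Options', 'missing', 'no X-Content-Type-Options header');
  else if (xcto === 'nosniff') add('X-Content-Type-Options', 'ok', xcto);
  else add('X-Content-Type-Options', 'weak', `value ${xcto} is not nosniff`);

  // 5. Referrer-Policy may be a comma-separated fallback list; browsers apply
  //    the last value they recognise, so judge the last one listed.
  const STRONG = new Set(['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']);
  const effective = h.get('referrer-policy')?.split(',').map(s => s.trim().toLowerCase()).filter(Boolean).pop();
  if (!effective) add('Referrer-Policy', 'missing', 'no Referrer-Policy header');
  else if (STRONG.has(effective)) add('Referrer-Policy', 'ok', effective);
  else add('Referrer-Policy', 'weak', `${effective} is weaker than strict-origin-when-cross-origin`);

  // 6. Permissions-Policy: the three features the article disables outright.
  const perms = h.get('permissions-policy');
  if (!perms) add('Permissions-Policy', 'missing', 'no Permissions-Policy header');
  else {
    const open = ['camera', 'microphone', 'geolocation'].filter(f => !new RegExp(`\\b${f}=\\(\\)`).test(perms));
    if (open.length) add('Permissions-Policy', 'weak', `${open.join(', ')} not disabled`);
    else add('Permissions-Policy', 'ok', perms);
  }
  return out;
}

// Constructed sample: a site that set some headers, but weakly.
export const SAMPLE_RESPONSE: Record<string, string> = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
  'referrer-policy': 'unsafe-url',
};

for (const f of auditHeaders(SAMPLE_RESPONSE)) console.log(f.status.padEnd(8), f.header, '-', f.detail);
```

To run it against a live site, feed auditHeaders the object you get from a fetch() response (for example Object.fromEntries(res.headers)); check the final response after redirects, since HSTS on an HTTP-to-HTTPS redirect is ignored by browsers and the headers that matter are the ones on the HTTPS page itself.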
Priority order for implementation
- HSTS — if you have HTTPS (you should), add this first. Zero risk of breakage.
- X-Content-Type-Options — single header, no configuration, no breakage risk.
- X-Frame-Options — unless you embed your site in iframes, use DENY.
- Referrer-Policy — low risk, protects privacy immediately.
- Permissions-Policy — block unused browser APIs.
- CSP — most powerful but most complex. Start in report-only mode.
All six headers can be added in under an hour. The security improvement is immediate and measurable.