ARTICLE
Security Headers Every Website Needs
The essential HTTP security headers that protect your website from common attacks. What each header does and how to implement them.
Apr 13, 2026 | 4 min read | WEBSITE AUDITS
Your website is missing protections it should have
Most websites ship without basic security headers. These headers are HTTP response headers that tell browsers how to behave when loading your site — which scripts to trust, whether to allow framing, and how to handle content types.
Without them, your site is vulnerable to clickjacking, cross-site scripting (XSS), MIME sniffing attacks, and more. The good news: adding them takes minutes and the Security Headers Checker shows exactly what's missing.
The essential headers
1. Strict-Transport-Security (HSTS)
What it does: Tells the browser to use HTTPS for every connection to your site for the duration of max-age, rewriting http:// URLs before any request is sent and refusing to click through certificate errors. This prevents protocol downgrade attacks and stops cookies from ever being sent over plain HTTP.
Recommended value: Strict-Transport-Security: max-age=31536000; includeSubDomains
Why it matters: Even if your site has HTTPS, a user typing "example.com" (without https://) gets an initial insecure connection before the redirect, and an attacker on the same network can intercept that first request. Once the browser has seen the HSTS header over HTTPS, it upgrades every later request itself and that window disappears. Two caveats: the header is ignored when received over plain HTTP, so it must be sent on the HTTPS response, and includeSubDomains applies to every subdomain, so make sure each one actually serves HTTPS before you turn it on. The very first visit is still unprotected unless the domain is on the browser preload list.
2. Content-Security-Policy (CSP)
What it does: Controls which origins the browser is allowed to load resources (scripts, styles, images, fonts, frames) from. Mitigates XSS by refusing to execute scripts that the policy does not allow, including inline scripts injected into the page.
Recommended starting point: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
Why it matters: If an attacker injects a script tag into your page (via a form, URL parameter, or database), CSP blocks it from executing because injected inline script is not in the allow list. It is the strongest browser-side mitigation for XSS, but it is a second layer: output encoding and input validation in your application still have to be right.
Warning: CSP can break things, especially inline scripts, inline event handlers, and third-party widgets. Start in report-only mode (Content-Security-Policy-Report-Only) with a report-uri pointing at an endpoint you control, review the violation reports, and only switch to the enforcing header once legitimate traffic produces none.
3. X-Frame-Options
What it does: Prevents your site from being loaded inside an iframe on another site. Stops clickjacking attacks.
Recommended value: X-Frame-Options: DENY (or SAMEORIGIN if you embed your own content in iframes). Only DENY and SAMEORIGIN are reliably supported; the older ALLOW-FROM value is not, so if you need to allow a specific third-party site to frame you, use the CSP frame-ancestors directive instead, which modern browsers prefer over X-Frame-Options when both are present.
Why it matters: Clickjacking overlays an invisible iframe of your site on a malicious page. Visitors think they're clicking a harmless button but are actually clicking a button on your site (like "transfer funds" or "change password").
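To make the three checks above concrete, here is an added example (not the article's Security Headers Checker, and not code from the original page) that audits a set of response headers the way a checker would: it parses the HSTS directives, inspects the CSP script-src source list, and verifies framing protection, treating CSP frame-ancestors as sufficient on its own. The two header sets at the bottom are constructed samples; pass it the headers dict from any HTTP client response instead.

```python
"""Audit HSTS, CSP and framing headers on an HTTP response.

Added example, not the article's checker. Input is a dict of response
header names to values (case-insensitive), as an HTTP client returns.
"""

ONE_YEAR = 31536000  # seconds; the article's recommended HSTS max-age


def parse_directives(value):
    """Split 'name=value; flag' style header values into a lower-cased dict."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out


def parse_csp(value):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_hsts(headers):
    value = headers.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security missing"]
    directives = parse_directives(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not an integer"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_csp(headers):
    enforced = headers.get("content-security-policy")
    report_only = headers.get("content-security-policy-report-only")
    if enforced is None:
        if report_only is not None:
            return ["CSP is report-only; nothing is blocked yet"]
        return ["Content-Security-Policy missing"]
    policy = parse_csp(enforced)
    findings = []
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    # script-src falls back to default-src when absent
    scripts = policy.get("script-src", policy.get("default-src", []))
    for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if risky in scripts:
            findings.append(f"CSP script-src allows {risky}")
    return findings


def check_framing(headers):
    csp = headers.get("content-security-policy", "")
    if "frame-ancestors" in parse_csp(csp):
        return []  # frame-ancestors supersedes X-Frame-Options
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return []
    if xfo == "":
        return ["X-Frame-Options missing (and no CSP frame-ancestors)"]
    return [f"X-Frame-Options has unsupported value {xfo!r}"]


def audit(headers):
    """Return a list of findings; an empty list means all three checks pass."""
    norm = {k.lower(): v for k, v in headers.items()}
    return check_hsts(norm) + check_csp(norm) + check_framing(norm)


# Constructed sample: short HSTS, inline scripts allowed, no framing protection
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}

# Constructed sample: the values recommended in this article
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "style-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("good", GOOD)):
        print(label, audit(hdrs) or ["no findings"])
```

The WEAK sample yields five findings (short max-age, no includeSubDomains, no default-src, unsafe-inline in script-src, no framing protection); the GOOD sample yields none. Note that 'unsafe-inline' in style-src is deliberately not flagged, matching the article's starting-point policy, and a report-only CSP is reported as a finding because it blocks nothing until you switch to the enforcing header.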