Website Security Headers: What They Are and Why You Probably Don't Have Them
Security headers are invisible to visitors but critical for protection. Here's what each one does, which ones every business website needs, and how to check yours.
What Security Headers Actually Do
When your web server sends a page to a browser, it includes HTTP response headers — instructions that tell the browser how to handle the page. Security headers are a specific set of these instructions that protect visitors from common attacks: clickjacking, cross-site scripting (XSS), protocol downgrade attacks, and more.
They're invisible to visitors and take no more than 30 minutes for a developer to implement — but the majority of small business websites are missing most or all of them. Attackers check for missing headers as standard reconnaissance before attempting other exploits.
The Six Headers Every Business Website Should Have
Content-Security-Policy (CSP)
Tells browsers which sources of scripts, styles, images, and other content are allowed to load on your pages. Mitigates cross-site scripting (XSS) attacks, in which malicious code is injected into your pages (for example through third-party content), by refusing to run scripts from any source the policy does not allow.
Strict-Transport-Security (HSTS)
Instructs browsers to always connect to your site over HTTPS, even if someone types http://. Prevents protocol downgrade attacks where a connection is intercepted and downgraded to unencrypted HTTP. One caveat: a browser only enforces this after it has received the header once over HTTPS (or if your domain is on the HSTS preload list), so the very first visit is not covered.
X-Frame-Options
Prevents your site from being embedded inside an iframe on another website, a technique used in clickjacking attacks, where visitors think they're interacting with your site but are actually clicking on invisible overlaid elements. Modern browsers also honour the frame-ancestors directive of Content-Security-Policy, which does the same job with finer control; setting both is safe.
X-Content-Type-Options
Stops browsers from guessing (MIME sniffing) what type of content a file is. Prevents attacks where a malicious file is disguised as a benign one.
Referrer-Policy
Controls what URL information is sent to other sites when visitors follow links from your pages. Prevents leaking sensitive URL parameters (like session tokens or user IDs) to third parties.
Permissions-Policy
Controls which browser features your site can access — camera, microphone, geolocation. Prevents third-party scripts embedded on your site from accessing these without your knowledge.
How to Check Which Headers You Have
Visit securityheaders.com and enter your URL for a free header scan. It'll grade you A–F and show exactly which headers are missing. A full website audit will also surface missing security headers alongside your performance, SEO, and accessibility issues in a single report.
How to Add Them
Security headers are added at the server or CDN layer — in your Nginx or Apache configuration, your Vercel/Netlify configuration file, or your CDN's header rules. A developer familiar with your hosting setup can add all six headers in under an hour. Once set, they apply to every page automatically.
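The two sections above describe checking for the six headers and adding them. The following script is an added example, not part of the original article or of securityheaders.com, that does a local version of that check: it audits a set of response headers for presence and sane values, grades the result with a simple scheme of my own (one letter per missing or weak header), and includes a constructed "hardened" header set that doubles as a reference for the values a developer would configure. The value thresholds (180-day HSTS minimum, the accepted Referrer-Policy values) are my assumptions, not the article's.

```python
"""Audit an HTTP response for the six security headers and grade the result."""
import re


def _hsts_ok(value):
    # Assumed threshold: require max-age of at least 180 days (15552000 s).
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15552000


# header name (lower-case) -> (value check, advice shown when the check fails)
CHECKS = {
    "content-security-policy": (lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
                                "set a policy with at least default-src or script-src"),
    "strict-transport-security": (_hsts_ok, "set max-age to at least 15552000 (180 days)"),
    "x-frame-options": (lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"), "use DENY or SAMEORIGIN"),
    "x-content-type-options": (lambda v: v.strip().lower() == "nosniff", "value must be exactly nosniff"),
    "referrer-policy": (lambda v: v.strip().lower() in ("no-referrer", "same-origin", "strict-origin",
                                                          "strict-origin-when-cross-origin"),
                        "use a policy that never sends the full URL to other origins"),
    "permissions-policy": (lambda v: bool(v.strip()), "set a policy, e.g. camera=(), microphone=(), geolocation=()"),
}


def audit_headers(headers):
    """Return {header: 'ok' | 'missing' | 'weak: <advice>'} for the six headers (case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, (check, advice) in CHECKS.items():
        if name not in lower:
            report[name] = "missing"
        elif not check(lower[name]):
            report[name] = "weak: " + advice
        else:
            report[name] = "ok"
    return report


def grade(report):
    """Simple grading scheme (mine, not securityheaders.com's): A = all six pass, one letter per failure."""
    passing = sum(1 for status in report.values() if status == "ok")
    return {6: "A", 5: "B", 4: "C", 3: "D", 2: "E"}.get(passing, "F")


# Constructed sample: the headers a hardened site would send (values are a reasonable starting point).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Constructed sample: a typical small-business site with one weak and one misconfigured header.
TYPICAL = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=300"}
```

To audit a live site, pass `dict(urllib.request.urlopen(url).headers)` to `audit_headers` instead of the constructed samples.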