Security headers are HTTP response headers that instruct browsers how to behave when loading your site. They protect against common web vulnerabilities like XSS, clickjacking, and MIME-type sniffing.
Content Security Policy (CSP) controls which resources can load on your page. It mitigates cross-site scripting by specifying allowed sources for scripts, styles, images, fonts, and other content. A strict CSP can block inline scripts entirely, forcing all JavaScript into external files served from allowed origins.
The X-Frame-Options header prevents other sites from embedding your pages in iframes. Clickjacking attacks rely on tricking users into clicking elements in invisible iframes. Setting X-Frame-Options to DENY or SAMEORIGIN stops this attack class completely.
Browsers sometimes guess the MIME type of a resource from its content rather than its declared type. The X-Content-Type-Options header with the nosniff directive forces the browser to respect the declared Content-Type header, preventing MIME-type confusion attacks.
The Referrer-Policy header controls how much referrer information is sent when users navigate away from your site. Setting strict-origin-when-cross-origin is a good balance: it sends the full URL for same-origin requests but only the origin for external sites.
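As an added example (not code from the original page), the Python below audits a set of response headers against the four recommendations above: it parses the CSP into directives and flags `'unsafe-inline'` or `*` in the effective script sources, and checks the values of X-Frame-Options, X-Content-Type-Options and Referrer-Policy. The two header sets are constructed samples; `audit_headers()` accepts any dict, so it can be fed the headers of a real response.

```python
"""Audit HTTP response headers against the security-header recommendations.

Added example, not from the original page. GOOD_RESPONSE and WEAK_RESPONSE
are constructed sample header sets; audit_headers() takes any header dict.
"""
from typing import Dict, List

# Constructed sample: a response that sets all four headers sensibly.
GOOD_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: weak values and a missing header (lower-case names on purpose).
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline' *",
    "x-frame-options": "ALLOWALL",
    "referrer-policy": "unsafe-url",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}; directives are ';'-separated."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> List[str]:
    """Flag CSP settings that leave script injection possible."""
    findings = []
    directives = parse_csp(policy)
    if "default-src" not in directives:
        findings.append("CSP: no default-src fallback for unlisted resource types")
    # script-src falls back to default-src when absent, so audit the effective list.
    script_sources = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings.append("CSP: script sources allow 'unsafe-inline' (inline scripts not blocked)")
    if "*" in script_sources:
        findings.append("CSP: script sources allow any origin ('*')")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four headers look sound."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        findings.extend(audit_csp(csp))

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options is {xfo or 'missing'}; expected DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    referrer = h.get("referrer-policy", "").strip().lower()
    if referrer in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy is {referrer or 'not set'}; full URLs can leak cross-origin")
    return findings


if __name__ == "__main__":
    for name, response in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, audit_headers(response) or ["no findings"])
```

The CSP check audits the effective script source list rather than only an explicit `script-src`, because a policy with `default-src *` and no `script-src` permits scripts from anywhere just as surely as a permissive `script-src` does.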
Most hosting platforms allow custom header configuration. For Apache, use .htaccess with Header directives (mod_headers). For Nginx, use add_header directives in your server block. For cloud platforms like Cloudflare, headers can be configured in the dashboard or with Page Rules.
Start with a permissive policy and tighten it gradually. Overly strict security headers can break legitimate site functionality. Test thoroughly using your browser's developer tools before deploying to production.