
Security Headers: The Hidden Shield Your Website Is Missing

Security headers are a free, five-minute fix that dramatically improves your website's security posture — yet over 80% of websites are missing critical ones. Here's everything you need to know.

SecureCheap Team
June 1, 2026
7 min read

Security headers are HTTP response headers that tell the browser how to treat your site: where it may load scripts from, whether the page may be framed, whether it must use HTTPS, and so on. Most of them are free to add in the web server configuration and need no application changes; the exception is Content-Security-Policy, which usually requires adjusting the application's inline scripts and styles before it can be enforced strictly. Yet 82% of websites are missing at least one critical security header.

Why Security Headers Matter

Without the right security headers:

  • An injected script (XSS) runs with full access to the page, the session and user data, because nothing tells the browser which script sources are legitimate
  • Your site can be loaded inside an attacker's iframe and covered with decoy controls so that users click on it without knowing (clickjacking)
  • Browsers send the full referring URL, including paths and query strings, to third parties on every outbound navigation and resource load
  • A network attacker can keep a user on plain HTTP (SSL stripping), since the browser has no instruction to insist on HTTPS for your site
  • Mixed content (HTTP sub-resources on an HTTPS page) undermines the protection TLS provides, and without a policy the browser cannot be told to upgrade those requests

Security headers close these attack vectors at the browser level.

The Essential Security Headers

1. Content-Security-Policy (CSP)

Tells the browser which origins it may load each kind of resource (scripts, styles, images, frames) from. Even if an attacker manages to inject markup into the page, scripts from anywhere else are refused, which turns many XSS bugs from a full compromise into a blocked request and a violation report.

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none';

Key directives:

  • default-src 'self': Only load resources from your own domain by default
  • script-src 'self': Only execute scripts served from your own origin; inline <script> blocks and inline event handlers are blocked unless you allow them individually by nonce or hash
  • frame-ancestors 'none': Forbids every site, including your own, from embedding the page in a frame (prevents clickjacking; use 'self' if you frame your own pages). This directive is the modern replacement for X-Frame-Options and takes precedence over it when both are present

Start in report-only mode to find out what would break before blocking anything: Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report. In this mode nothing is blocked; each violation is sent as a JSON POST to /csp-report, so you can tighten the policy against real traffic. report-uri is deprecated in favour of report-to and the Reporting API but is still the most widely supported option, so sending both is reasonable.
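The checks a practitioner applies when reading a policy string can be written down as a small linter. The following Python is an added example, not SecureCheap's code; the policy strings in it are constructed, and the parser follows the CSP rule that only the first occurrence of a directive counts. Run it against the policy above and it reports the two directives that policy leaves unset, object-src and base-uri.

```python
"""Lint a Content-Security-Policy value for directives that weaken it.

Added example (not SecureCheap's code). The policy strings are constructed;
the checks encode widely accepted CSP guidance: no 'unsafe-inline' or
'unsafe-eval' for scripts, no wildcard script sources, and explicit
object-src, base-uri and frame-ancestors.
"""
from __future__ import annotations

# Scheme-wide or wildcard sources: any site matching them may serve scripts.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    Directive names are case-insensitive. Quoted keywords ('self', 'none',
    'unsafe-inline', ...) are normalised to lower case; host sources keep
    their case. As in browsers, a repeated directive is ignored after its
    first occurrence.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = [t.lower() if t.startswith("'") else t for t in tokens[1:]]
    return policy


def lint_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    policy = parse_csp(header)
    findings: list[str] = []

    # script-src governs scripts; if absent the browser falls back to default-src.
    governing = "script-src" if "script-src" in policy else (
        "default-src" if "default-src" in policy else None)
    if governing is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        sources = policy[governing]
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        # With a nonce or hash present, CSP level 2+ browsers ignore 'unsafe-inline'
        # (it then only serves as a fallback for CSP1 browsers), so no finding.
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append(f"{governing} allows 'unsafe-inline': injected inline scripts will run")
        if "'unsafe-eval'" in sources:
            findings.append(f"{governing} allows 'unsafe-eval': eval() and new Function() are permitted")
        for s in sources:
            if s in BROAD_SOURCES or s.startswith("*."):
                findings.append(f"{governing} contains broad source {s}: too many origins may serve scripts")

    # object-src falls back to default-src; plugin content can bypass script-src,
    # so pin it to 'none' unless default-src already is 'none'.
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not restricted: set object-src 'none'")

    # base-uri does NOT fall back to default-src; without it an injected <base>
    # tag can redirect every relative script URL to an attacker's host.
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")

    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page may be framed unless X-Frame-Options is set")

    return findings


if __name__ == "__main__":
    # Constructed example: the policy from section 1 of the page.
    EXAMPLE = ("default-src 'self'; script-src 'self' https://trusted-cdn.com; "
               "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
               "frame-ancestors 'none';")
    for finding in lint_csp(EXAMPLE) or ["no findings"]:
        print(finding)
```

The nonce/hash rule is the one most people get wrong: 'unsafe-inline' next to a nonce is harmless in a modern browser because the nonce switches the keyword off, so the linter only flags 'unsafe-inline' when no nonce or hash is present.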

2. Strict-Transport-Security (HSTS)

Tells the browser to use HTTPS only for your site for the next max-age seconds: after one HTTPS visit it rewrites http:// links and typed addresses to https:// before sending any request, and refuses to let the user click through certificate errors. The very first visit is not protected unless the domain is on the browsers' built-in preload list.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Warning: Only add HSTS once your entire site, including every subdomain if you use includeSubDomains, works correctly over HTTPS. Browsers remember the policy for max-age seconds; you can clear it by serving max-age=0 over HTTPS, but only for users who revisit. Add preload only if you intend to submit the domain at hstspreload.org, because removal from the preload list takes months to reach users. Submission requires a max-age of at least one year (31536000) together with includeSubDomains.

3. X-Frame-Options

Controls whether your site can be displayed inside a frame or iframe. DENY forbids all framing; SAMEORIGIN allows only pages from your own origin to frame it. CSP frame-ancestors supersedes this header and overrides it when both are present, so keep the two consistent (SAMEORIGIN pairs with frame-ancestors 'self', DENY with 'none'); X-Frame-Options is still worth sending for older browsers:

X-Frame-Options: SAMEORIGIN

4. X-Content-Type-Options

Prevents browsers from MIME-type sniffing, so a response served as text/plain or image/png is never reinterpreted as a script or stylesheet, and a script whose declared Content-Type is not JavaScript is refused outright:

X-Content-Type-Options: nosniff

This is a simple, single-value header. Always include it.

5. Referrer-Policy

Controls how much referrer information is sent when users navigate away from your site or load third-party resources. strict-origin-when-cross-origin sends the full URL for same-origin requests, only the origin (scheme, host and port) to other origins, and nothing at all when going from HTTPS to HTTP. Modern browsers use this value by default, but setting it explicitly also covers older ones:

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Controls which browser features your page, and any iframes it embeds, may use. An empty allowlist () disables the feature for every origin, so a script injected into the page or a compromised embedded widget cannot turn on the camera or prompt for the user's location:

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Implementation

Nginx

# Place these inside the HTTPS server block. "always" emits the header on error
# responses too; without it nginx only adds headers to 2xx and 3xx responses.
# Caution: an add_header in a nested location block replaces ALL add_header lines
# inherited from this level, so repeat the full set in any location that has one.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
# Same policy as section 1. Do not add 'unsafe-inline' to script-src: it lets injected
# inline scripts run and defeats the point of CSP; use nonces or hashes instead.
# frame-ancestors 'self' matches X-Frame-Options SAMEORIGIN above.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'self'; object-src 'none'; base-uri 'self';" always;

Apache (.htaccess)

# .htaccess needs AllowOverride to permit these directives; the same lines work
# unchanged inside the HTTPS <VirtualHost>, which avoids per-request .htaccess parsing.
<IfModule mod_headers.c>
    # "always" also covers error responses (4xx/5xx), which otherwise lack the headers.
    # Browsers only honour HSTS received over HTTPS, so sending it on HTTP is harmless but useless.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    # Same policy as section 1; frame-ancestors 'self' matches SAMEORIGIN above.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'self'; object-src 'none'; base-uri 'self';"
</IfModule>

Checking Your Headers

curl -sI https://yourdomain.com | grep -iE "strict-transport|x-frame|x-content|content-security|referrer|permissions"

grep needs -E for the | alternation; with plain grep the pattern is taken literally and matches nothing, which looks like every header is missing. -I sends a HEAD request, and some servers answer HEAD with different headers than GET; to see what the browser actually receives, use curl -s -D - -o /dev/null https://yourdomain.com instead.
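A script can do more than grep: parse the raw response, list the missing headers, validate the HSTS directives from section 2 (one-year max-age and includeSubDomains before preload) and check that the framing and referrer values are consistent. The following Python is an added example, not the SecureCheap scanner; the sample response in it is constructed, and when run as a script it reads the output of curl -sI (or curl -s -D - -o /dev/null) from standard input.

```python
"""Audit security headers in a raw HTTP response, e.g. the output of curl -sI.

Added example, not the SecureCheap scanner. The sample response is constructed.
The HSTS thresholds follow the hstspreload.org requirements (max-age of at
least one year, and includeSubDomains whenever preload is requested).
"""
from __future__ import annotations

import sys

ONE_YEAR = 31536000

# Headers this page treats as essential. X-Frame-Options is checked together
# with CSP frame-ancestors below rather than required on its own.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy", "permissions-policy")

# Constructed sample: what a half-configured server might return.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=86400; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Return {lower-cased name: [values...]} from a raw response.

    Repeated headers are kept as separate values. Parsing stops at the first
    blank line, so a body (curl without -I) is ignored.
    """
    headers: dict[str, list[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(value: str) -> list[str]:
    """Findings for a Strict-Transport-Security value; empty means preload-ready."""
    findings: list[str] = []
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    max_age = None
    for p in parts:
        if p.startswith("max-age="):
            digits = p[len("max-age="):]
            max_age = int(digits) if digits.isdigit() else -1
    if max_age is None:
        findings.append("HSTS max-age missing: header is ignored")
    elif max_age < 0:
        findings.append("HSTS max-age is not a non-negative integer: header is ignored")
    elif max_age == 0:
        findings.append("HSTS max-age=0: this clears the policy rather than setting it")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year; preload requires >= {ONE_YEAR}")
    if "preload" in parts and "includesubdomains" not in parts:
        findings.append("HSTS preload requested without includeSubDomains: submission will be rejected")
    return findings


def audit(raw: str) -> list[str]:
    """Run every check and return the list of findings (empty means all good)."""
    h = parse_response_headers(raw)
    findings = [f"missing {name}" for name in REQUIRED if name not in h]

    if "strict-transport-security" in h:
        findings += check_hsts(h["strict-transport-security"][0])

    xcto = h.get("x-content-type-options", [""])[0].lower()
    if xcto and xcto != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")

    # Framing: CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    csp = "; ".join(h.get("content-security-policy", []))
    xfo = h.get("x-frame-options", [""])[0].upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection: set frame-ancestors (plus X-Frame-Options for old browsers)")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by modern browsers; use frame-ancestors")

    rp = h.get("referrer-policy", [""])[0].lower()
    if rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy {rp} sends full URLs to other origins")

    return findings


if __name__ == "__main__":
    # Pipe real output in: curl -sI https://yourdomain.com | python3 audit_headers.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in audit(raw) or ["no findings"]:
        print(finding)
```

On the constructed sample the audit reports six findings: three missing headers, the short HSTS max-age, preload without includeSubDomains, and the leaky Referrer-Policy. Only the first value of a repeated header is validated; if a proxy and the application both add HSTS, compare them by hand.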

Automated Scanning

SecureCheap Scanner automatically checks all security headers across your site:

  • Detects missing headers
  • Identifies misconfigured header values
  • Scores your header implementation
  • Provides specific remediation steps

Running a manual curl check only catches headers on your main page. SecureCheap checks all pages and subdomain variations, providing a comprehensive report.

Moving from a failing grade to an A is achievable in an afternoon. Start your free scan to see exactly which headers you're missing.

Tags

security headers, CSP, HSTS, XSS prevention, web security