If you run a website, HTTP security headers are the single highest-ROI security improvement you can make. Each header is one line of server configuration. Each one prevents a specific class of attack. And none of them require changing your application code.
Check your current headers using our free HTTP Security Headers Checker — it grades your site A through F and tells you exactly what is missing.
How the Grading Works
Security header graders assign letter grades based on which headers are present and correctly configured. An A+ grade requires all critical headers with strong values. An F means several important headers are missing entirely. The grading is meant to give you a quick prioritised view of what to fix first.
The Critical Headers (Missing = Grade Penalty)
Strict-Transport-Security (HSTS)
Tells browsers to access your site only over HTTPS for a specified period, even if the user types "http://". Prevents SSL stripping attacks, where a man-in-the-middle downgrades the connection to plain HTTP. The browser has to have seen the header once over a valid HTTPS connection before it applies, which is the gap preloading closes.
Recommended value: max-age=31536000; includeSubDomains
With preloading: Add ; preload and submit to the HSTS preload list for maximum protection.
Content-Security-Policy (CSP)
The most powerful security header and the hardest to implement correctly. CSP defines exactly which resources (scripts, styles, images, fonts) are allowed to load on your page, and from which origins. A well-configured CSP prevents XSS attacks by blocking inline scripts and limiting external script sources.
Starting point: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
CSP requires significant testing — start with report-only mode (Content-Security-Policy-Report-Only) before enforcing.
X-Frame-Options
Prevents your site from being embedded in an iframe on another domain — stopping clickjacking attacks where users are tricked into clicking on invisible elements overlaid on your site.
Recommended value: DENY or SAMEORIGIN
Note: CSP's frame-ancestors directive does the same thing and is preferred for modern browsers.
X-Content-Type-Options
Prevents MIME type sniffing — where the browser ignores the declared content type and tries to guess it from the content. This can cause browsers to execute scripts served as text/plain.
Value: nosniff (only one valid option)
Referrer-Policy
Controls how much information your site includes in the Referer header when users click links. The default sends the full URL of the page they were on to the destination site.
Recommended value: strict-origin-when-cross-origin — sends only the origin for cross-origin requests, the full URL for same-origin requests, and nothing at all when navigating from HTTPS to HTTP.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation, payment) your page and its iframes can access. Replaces the older Feature-Policy header.
Example: camera=(), microphone=(), geolocation=(self)
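The grading described under "How the Grading Works" and the per-header recommendations above can be turned into a small checker. The following is an added example, not the article's own checker tool: it grades a dict of response headers (two constructed sample responses are embedded so it runs offline; for a live site you would pass the headers from an HTTP client instead). The point weights and letter thresholds are assumptions chosen for illustration, as are the exact rules, which follow the recommended values in the text (one-year HSTS max-age with includeSubDomains, no * or 'unsafe-inline' in script-src, X-Frame-Options or frame-ancestors for framing, nosniff, a non-leaking Referrer-Policy, and a Permissions-Policy being present).

```python
"""Offline HTTP security-header grader (added example, not the article's checker).
Point weights and letter thresholds below are illustrative assumptions."""
import re

ONE_YEAR = 31536000

# Constructed sample responses: a well-configured site and a weak one.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(self)",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src *; script-src * 'unsafe-inline'",
    "x-content-type-options": "nosniff",
}

def csp_directives(csp):
    """Parse a CSP value into {directive: [source tokens]}, all lower-cased."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def check_hsts(h):
    v = h.get("strict-transport-security")
    if v is None:
        return 0, "missing; add Strict-Transport-Security"
    m = re.search(r"max-age=(\d+)", v, re.I)
    age = int(m.group(1)) if m else 0
    if age < ONE_YEAR:
        return 1, f"max-age={age} is below one year"
    if "includesubdomains" not in v.lower():
        return 2, "add includeSubDomains"
    return 3, "ok"

def check_csp(h):
    v = h.get("content-security-policy")
    if v is None:
        if "content-security-policy-report-only" in h:
            return 1, "report-only policy present but nothing is enforced yet"
        return 0, "missing; add Content-Security-Policy"
    d = csp_directives(v)
    scripts = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
    if not scripts:
        return 1, "no script-src or default-src, so scripts are unrestricted"
    if "*" in scripts or "'unsafe-inline'" in scripts:
        return 1, "script-src allows * or 'unsafe-inline', so injected inline script still runs"
    return 3, "ok"

def check_framing(h):
    if "frame-ancestors" in csp_directives(h.get("content-security-policy", "")):
        return 2, "ok (CSP frame-ancestors)"
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return 2, "ok (X-Frame-Options)"
    return 0, "missing; add X-Frame-Options or CSP frame-ancestors"

def check_nosniff(h):
    ok = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    return (1, "ok") if ok else (0, "missing; add X-Content-Type-Options: nosniff")

def check_referrer(h):
    v = h.get("referrer-policy", "").strip().lower()
    if not v:
        return 0, "missing; add Referrer-Policy"
    if v in ("unsafe-url", "no-referrer-when-downgrade"):
        return 0, f"{v} sends the full URL to other sites"
    return 1, "ok"

def check_permissions(h):
    return (1, "ok") if "permissions-policy" in h else (0, "missing; add Permissions-Policy")

# (label, maximum points, check function). Weights are an illustrative assumption.
CHECKS = [
    ("Strict-Transport-Security", 3, check_hsts),
    ("Content-Security-Policy", 3, check_csp),
    ("Framing protection", 2, check_framing),
    ("X-Content-Type-Options", 1, check_nosniff),
    ("Referrer-Policy", 1, check_referrer),
    ("Permissions-Policy", 1, check_permissions),
]
MAX_POINTS = sum(w for _, w, _ in CHECKS)

def grade(headers):
    """Return (letter grade, list of findings) for a mapping of response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    earned, findings = 0, []
    for name, weight, fn in CHECKS:
        pts, note = fn(h)
        earned += pts
        if pts < weight:
            findings.append(f"{name}: {note}")
    pct = earned / MAX_POINTS
    thresholds = [(1.0, "A+"), (0.85, "A"), (0.7, "B"), (0.5, "C"), (0.3, "D")]
    return next((g for cut, g in thresholds if pct >= cut), "F"), findings

if __name__ == "__main__":
    for label, hdrs in (("good site", GOOD_HEADERS), ("weak site", WEAK_HEADERS)):
        letter, findings = grade(hdrs)
        print(f"{label}: grade {letter}")
        for f in findings:
            print("  -", f)
```

The findings list comes out in weight order, so working through it top to bottom matches the "fix the highest-impact header first" approach the article recommends. Note that CSP is only parsed far enough to catch the two weaknesses the text calls out; a real policy review also has to look at nonces, hashes and object-src.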
Adding Headers in Common Servers
Nginx: Add to your server block: add_header Strict-Transport-Security "max-age=31536000" always;
Apache: In .htaccess or httpd.conf: Header always set X-Content-Type-Options "nosniff"
Cloudflare: Use Transform Rules → Modify Response Header to add headers without touching your server.
Vercel/Netlify: Configure in vercel.json or _headers file.
Check Your Site Now
Use our HTTP Security Headers Checker to see your current grade and get a specific list of what to add. Enter your URL, get your grade, then work through the missing headers from the top of the list down.