Security Headers You Should Know
Learn the most important HTTP security headers, including CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
Introduction
Security headers are HTTP response headers that tell browsers how to handle your website more safely. They can help reduce risks such as clickjacking, MIME sniffing, insecure referrer leakage, mixed content, weak HTTPS behavior and unnecessary browser permissions.
Security headers do not replace secure code, updates or server hardening, but they add an important browser-side protection layer. Some headers are simple to enable, while others, especially Content-Security-Policy and HSTS, should be tested carefully before strict enforcement.
Quick answer
Important security headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Start with low-risk headers, test CSP and HSTS carefully, and use an HTTP Header Checker to confirm what your site sends.
Security headers
Security headers are instructions sent by a website server in the HTTP response. Browsers read these headers and apply extra security rules when loading the page.
They can help control:
- whether the site can be embedded in frames
- whether browsers can guess file types
- how much referrer information is shared
- whether HTTPS should always be used
- which scripts, styles and images can load
- which browser features are allowed
- how cross-origin resources behave
Security headers are most useful when combined with HTTPS, secure application code, updated software and proper server configuration.
Important headers
Content-Security-Policy
Controls which scripts, styles, images, frames and other resources can load.
Strict-Transport-Security
Tells browsers to use HTTPS for future visits.
X-Frame-Options
Helps prevent clickjacking by controlling whether the site can be embedded in frames.
X-Content-Type-Options
Prevents browsers from guessing MIME types.
Referrer-Policy
Controls how much referrer information is sent to other sites.
Permissions-Policy
Limits browser features such as camera, microphone, geolocation and fullscreen.
Cross-Origin-Opener-Policy
Helps isolate browsing contexts from other origins.
Cross-Origin-Resource-Policy
Controls whether other origins can load your resources.
Cross-Origin-Embedder-Policy
Adds stricter cross-origin isolation for advanced use cases.
Low-risk headers
Some headers are usually safer to enable first because they are less likely to break normal websites.
Good starting headers:
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- X-Frame-Options: SAMEORIGIN
- Permissions-Policy with only needed features allowed
Even low-risk headers should be tested on important pages, login flows, embedded widgets and third-party integrations.
Headers to test carefully
Some headers can break website features if configured too strictly.
Content-Security-Policy
Can block scripts, styles, images, fonts, analytics, payment widgets, maps or embedded tools.
Strict-Transport-Security
Can force HTTPS for a long time. If SSL is misconfigured, users may be locked out.
Cross-Origin headers
Can break embedded content, APIs, iframes or third-party integrations.
Start CSP in report-only mode where possible, then move to enforcement after reviewing violations.
Content-Security-Policy
Content-Security-Policy, or CSP, is one of the most powerful security headers. It tells browsers which sources are allowed to load scripts, styles, images, fonts, frames and other resources.
CSP can help reduce:
- cross-site scripting impact
- malicious script injection
- unauthorized third-party resources
- mixed content
- unsafe inline scripts when configured strictly
CSP is powerful but easy to break. Test it carefully before using a strict policy on production.
Content-Security-Policy: default-src 'self'; img-src 'self' https:; object-src 'none'; frame-ancestors 'self';
HSTS
Strict-Transport-Security, or HSTS, tells browsers to use HTTPS automatically for future visits.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Benefits:
- reduces accidental HTTP usage
- helps prevent protocol downgrade attacks
- improves HTTPS consistency
Only enable long max-age or includeSubDomains when HTTPS works correctly on the main domain and all required subdomains.
Why this matters
Security headers matter because browsers enforce them before or while loading website content. A good header setup can reduce common web risks even if a page contains third-party scripts, embeds or user-generated content.
Missing headers do not always mean a website is hacked or unsafe, but they usually indicate room for better hardening.
How to check headers
Use HTTP Header Checker to see which headers your website returns.
Check:
- Homepage — Review headers on the main URL.
- HTTPS version — Confirm headers are present on the final HTTPS response.
- Important pages — Check login, checkout, admin, contact and application pages.
- Redirects — Confirm headers appear on final pages, not only redirects.
- CSP behavior — Check whether CSP blocks required resources.
- HSTS readiness — Confirm SSL works across required subdomains before strict HSTS.
- CDN/proxy layer — Check whether headers are added by origin, CDN or both.
Audit your headers
Use HTTP Header Checker to see which security headers your website returns.
Common problems
Missing X-Content-Type-Options
MediumBrowsers may try to guess file types instead of trusting declared MIME types.
Next step: Add X-Content-Type-Options: nosniff.
Missing clickjacking protection
MediumThe site may be embeddable in unwanted frames.
Next step: Add X-Frame-Options: SAMEORIGIN or use CSP frame-ancestors.
No Referrer-Policy
LowBrowsers may send more referrer information than needed.
Next step: Add Referrer-Policy: strict-origin-when-cross-origin.
No Permissions-Policy
LowBrowser features may not be explicitly limited.
Next step: Restrict features your site does not use.
CSP missing
MediumThe browser has no resource-loading policy for scripts, styles or frames.
Next step: Start with a report-only CSP and test required resources.
CSP too strict
HighImportant scripts, styles, images or third-party tools are blocked.
Next step: Review CSP violations and allow only trusted required sources.
HSTS enabled too aggressively
HighSubdomains without valid HTTPS may become inaccessible.
Next step: Test HTTPS coverage before long max-age or includeSubDomains.
Headers missing behind CDN
MediumThe origin or CDN may not pass headers consistently.
Next step: Configure headers at the CDN, origin or both.
Headers only on some pages
MediumImportant pages may be unprotected.
Next step: Apply headers consistently across templates, routes and server blocks.
How to improve headers
-
Step 1: Audit current headers
Run HTTP Header Checker on the homepage and important pages.
-
Step 2: Add low-risk headers first
Start with nosniff, referrer policy, frame protection and permissions policy.
-
Step 3: Test important flows
Check login, checkout, contact forms, embeds, analytics and dashboards.
-
Step 4: Plan CSP carefully
Use report-only mode first and review violations.
-
Step 5: Enable CSP enforcement gradually
Allow only trusted resources and avoid broad wildcards where possible.
-
Step 6: Prepare HSTS
Confirm HTTPS works on the main domain and required subdomains.
-
Step 7: Check CDN/origin consistency
Make sure headers are not duplicated, missing or overwritten.
-
Step 8: Monitor after deployment
Watch browser console errors, user reports and analytics changes.
Security headers can be added in different places:
- Nginx configuration
- Apache .htaccess or vhost
- CDN response header rules
- hosting control panel
- WordPress plugin
- application framework
- edge worker/function
Avoid configuring the same header in too many places. Duplicate or conflicting headers can make behavior harder to debug.
Check headers:
curl -I https://example.com
Check final response after redirects:
curl -IL https://example.com
Look for:
content-security-policy
strict-transport-security
x-frame-options
x-content-type-options
referrer-policy
permissions-policy
Example Nginx header:
add_header X-Content-Type-Options "nosniff" always;
Example Apache header:
Header always set X-Content-Type-Options "nosniff"
Examples are illustrative. Server syntax depends on your hosting stack, control panel and web server version.
Example header set
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'; img-src 'self' https:; object-src 'none'; frame-ancestors 'self';
Strict-Transport-Security: max-age=31536000; includeSubDomains
This is an illustrative example, not a universal configuration. Test CSP and HSTS before applying them to production.
WordPress headers
WordPress security headers can be added through the server, CDN, security plugin or application code.
Check carefully when using:
- caching plugins
- security plugins
- page builders
- analytics scripts
- embedded forms
- payment widgets
- Google Maps
- YouTube embeds
- external fonts
- CDN-hosted assets
CSP is often the header most likely to break WordPress features if applied too strictly.
Frequently asked questions
Are security headers required?
They are not always legally required, but they are a common web security best practice.
Do security headers make a website fully secure?
No. They add browser-side protections but do not replace secure code, updates or server hardening.
Which header should I add first?
Start with lower-risk headers such as X-Content-Type-Options, Referrer-Policy, X-Frame-Options and Permissions-Policy.
Can Content-Security-Policy break my site?
Yes. CSP can block scripts, styles, images, fonts and third-party tools if configured too strictly.
Can HSTS break my site?
Yes, if HTTPS does not work correctly on all affected domains or subdomains.
Should I use X-Frame-Options or CSP frame-ancestors?
CSP frame-ancestors is more flexible, but X-Frame-Options is still commonly used for basic clickjacking protection.
Where should I add security headers?
They can be added at the web server, CDN, hosting panel, application or plugin level. Use the place you can manage consistently.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Website Health guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!