Website Health Guides

Security Headers You Should Know

Learn the most important HTTP security headers, including CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 9 min read Beginner

Introduction

Security headers are HTTP response headers that tell browsers how to handle your website more safely. They can help reduce risks such as clickjacking, MIME sniffing, insecure referrer leakage, mixed content, weak HTTPS behavior and unnecessary browser permissions.

Security headers do not replace secure code, updates or server hardening, but they add an important browser-side protection layer. Some headers are simple to enable, while others, especially Content-Security-Policy and HSTS, should be tested carefully before strict enforcement.

Quick answer

Quick answer

Important security headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Start with low-risk headers, test CSP and HSTS carefully, and use an HTTP Header Checker to confirm what your site sends.

Security headers

Security headers are instructions sent by a website server in the HTTP response. Browsers read these headers and apply extra security rules when loading the page.

They can help control:

  • whether the site can be embedded in frames
  • whether browsers can guess file types
  • how much referrer information is shared
  • whether HTTPS should always be used
  • which scripts, styles and images can load
  • which browser features are allowed
  • how cross-origin resources behave

Security headers are most useful when combined with HTTPS, secure application code, updated software and proper server configuration.

Important headers

Content-Security-Policy

Controls which scripts, styles, images, frames and other resources can load.

Strict-Transport-Security

Tells browsers to use HTTPS for future visits.

X-Frame-Options

Helps prevent clickjacking by controlling whether the site can be embedded in frames.

X-Content-Type-Options

Prevents browsers from guessing MIME types.

Referrer-Policy

Controls how much referrer information is sent to other sites.

Permissions-Policy

Limits browser features such as camera, microphone, geolocation and fullscreen.

Cross-Origin-Opener-Policy

Helps isolate browsing contexts from other origins.

Cross-Origin-Resource-Policy

Controls whether other origins can load your resources.

Cross-Origin-Embedder-Policy

Adds stricter cross-origin isolation for advanced use cases.

Low-risk headers

Some headers are usually safer to enable first because they are less likely to break normal websites.

Good starting headers:

  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • X-Frame-Options: SAMEORIGIN
  • Permissions-Policy with only needed features allowed

Even low-risk headers should be tested on important pages, login flows, embedded widgets and third-party integrations.

Headers to test carefully

Some headers can break website features if configured too strictly.

Content-Security-Policy

Can block scripts, styles, images, fonts, analytics, payment widgets, maps or embedded tools.

Strict-Transport-Security

Can force HTTPS for a long time. If SSL is misconfigured, users may be locked out.

Cross-Origin headers

Can break embedded content, APIs, iframes or third-party integrations.

Start CSP in report-only mode where possible, then move to enforcement after reviewing violations.

Content-Security-Policy

Content-Security-Policy, or CSP, is one of the most powerful security headers. It tells browsers which sources are allowed to load scripts, styles, images, fonts, frames and other resources.

CSP can help reduce:

  • cross-site scripting impact
  • malicious script injection
  • unauthorized third-party resources
  • mixed content
  • unsafe inline scripts when configured strictly

CSP is powerful but easy to break. Test it carefully before using a strict policy on production.

CSP example
Content-Security-Policy: default-src 'self'; img-src 'self' https:; object-src 'none'; frame-ancestors 'self';

HSTS

Strict-Transport-Security, or HSTS, tells browsers to use HTTPS automatically for future visits.

HSTS example
Strict-Transport-Security: max-age=31536000; includeSubDomains

Benefits:

  • reduces accidental HTTP usage
  • helps prevent protocol downgrade attacks
  • improves HTTPS consistency

Only enable long max-age or includeSubDomains when HTTPS works correctly on the main domain and all required subdomains.

Why this matters

Why this matters

Security headers matter because browsers enforce them before or while loading website content. A good header setup can reduce common web risks even if a page contains third-party scripts, embeds or user-generated content.

Missing headers do not always mean a website is hacked or unsafe, but they usually indicate room for better hardening.

How to check headers

Use HTTP Header Checker to see which headers your website returns.

Check:

  1. Homepage — Review headers on the main URL.
  2. HTTPS version — Confirm headers are present on the final HTTPS response.
  3. Important pages — Check login, checkout, admin, contact and application pages.
  4. Redirects — Confirm headers appear on final pages, not only redirects.
  5. CSP behavior — Check whether CSP blocks required resources.
  6. HSTS readiness — Confirm SSL works across required subdomains before strict HSTS.
  7. CDN/proxy layer — Check whether headers are added by origin, CDN or both.

Audit your headers

Use HTTP Header Checker to see which security headers your website returns.

Run HTTP Header Check →

Common problems

Missing X-Content-Type-Options

Medium

Browsers may try to guess file types instead of trusting declared MIME types.

Next step: Add X-Content-Type-Options: nosniff.

Missing clickjacking protection

Medium

The site may be embeddable in unwanted frames.

Next step: Add X-Frame-Options: SAMEORIGIN or use CSP frame-ancestors.

No Referrer-Policy

Low

Browsers may send more referrer information than needed.

Next step: Add Referrer-Policy: strict-origin-when-cross-origin.

No Permissions-Policy

Low

Browser features may not be explicitly limited.

Next step: Restrict features your site does not use.

CSP missing

Medium

The browser has no resource-loading policy for scripts, styles or frames.

Next step: Start with a report-only CSP and test required resources.

CSP too strict

High

Important scripts, styles, images or third-party tools are blocked.

Next step: Review CSP violations and allow only trusted required sources.

HSTS enabled too aggressively

High

Subdomains without valid HTTPS may become inaccessible.

Next step: Test HTTPS coverage before long max-age or includeSubDomains.

Headers missing behind CDN

Medium

The origin or CDN may not pass headers consistently.

Next step: Configure headers at the CDN, origin or both.

Headers only on some pages

Medium

Important pages may be unprotected.

Next step: Apply headers consistently across templates, routes and server blocks.

How to improve headers

  1. Step 1: Audit current headers

    Run HTTP Header Checker on the homepage and important pages.

  2. Step 2: Add low-risk headers first

    Start with nosniff, referrer policy, frame protection and permissions policy.

  3. Step 3: Test important flows

    Check login, checkout, contact forms, embeds, analytics and dashboards.

  4. Step 4: Plan CSP carefully

    Use report-only mode first and review violations.

  5. Step 5: Enable CSP enforcement gradually

    Allow only trusted resources and avoid broad wildcards where possible.

  6. Step 6: Prepare HSTS

    Confirm HTTPS works on the main domain and required subdomains.

  7. Step 7: Check CDN/origin consistency

    Make sure headers are not duplicated, missing or overwritten.

  8. Step 8: Monitor after deployment

    Watch browser console errors, user reports and analytics changes.

Security headers can be added in different places:

  • Nginx configuration
  • Apache .htaccess or vhost
  • CDN response header rules
  • hosting control panel
  • WordPress plugin
  • application framework
  • edge worker/function

Avoid configuring the same header in too many places. Duplicate or conflicting headers can make behavior harder to debug.

Header testing examples
Check headers:
curl -I https://example.com

Check final response after redirects:
curl -IL https://example.com

Look for:
content-security-policy
strict-transport-security
x-frame-options
x-content-type-options
referrer-policy
permissions-policy

Example Nginx header:
add_header X-Content-Type-Options "nosniff" always;

Example Apache header:
Header always set X-Content-Type-Options "nosniff"

Examples are illustrative. Server syntax depends on your hosting stack, control panel and web server version.

Example header set

Example security headers
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'; img-src 'self' https:; object-src 'none'; frame-ancestors 'self';
Strict-Transport-Security: max-age=31536000; includeSubDomains

This is an illustrative example, not a universal configuration. Test CSP and HSTS before applying them to production.

WordPress headers

WordPress security headers can be added through the server, CDN, security plugin or application code.

Check carefully when using:

  • caching plugins
  • security plugins
  • page builders
  • analytics scripts
  • embedded forms
  • payment widgets
  • Google Maps
  • YouTube embeds
  • external fonts
  • CDN-hosted assets

CSP is often the header most likely to break WordPress features if applied too strictly.

Frequently asked questions

Are security headers required?

They are not always legally required, but they are a common web security best practice.

Do security headers make a website fully secure?

No. They add browser-side protections but do not replace secure code, updates or server hardening.

Which header should I add first?

Start with lower-risk headers such as X-Content-Type-Options, Referrer-Policy, X-Frame-Options and Permissions-Policy.

Can Content-Security-Policy break my site?

Yes. CSP can block scripts, styles, images, fonts and third-party tools if configured too strictly.

Can HSTS break my site?

Yes, if HTTPS does not work correctly on all affected domains or subdomains.

Should I use X-Frame-Options or CSP frame-ancestors?

CSP frame-ancestors is more flexible, but X-Frame-Options is still commonly used for basic clickjacking protection.

Where should I add security headers?

They can be added at the web server, CDN, hosting panel, application or plugin level. Use the place you can manage consistently.

Use these free tools to verify your configuration after applying changes.

Browse all Website Health guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.