What Are Security Headers and Why Do They Matter
If you've ever run your site through a security scanner and wondered why you got a C or D grade even though everything seems to work fine—security headers are probably the culprit. They're one of those things that most sites don't have configured properly, yet they provide some of the easiest security wins available.
Let me break down what they actually do and why you should care.
What are HTTP security headers?
Security headers are HTTP response headers that your web server sends along with your page content. They tell browsers how to behave when handling your site's content—things like whether your page can be embedded in an iframe, what types of content can run, and how referrer information should be shared.
Think of them as instructions to the browser: "Hey, when you're showing my site to users, here are some rules to follow that'll keep everyone safer."
The thing is, browsers are pretty permissive by default. Without these headers, they'll allow behaviors that could put your users at risk. Security headers let you lock things down.
Why do they matter?
Three words: cross-site scripting (XSS), clickjacking, and data injection.
Without proper security headers, your site is vulnerable to attacks that could:
- Hijack user sessions by injecting malicious scripts
- Trick users into clicking things they shouldn't by embedding your site in a hidden frame
- Intercept sensitive data during transmission
- Impersonate your site using forged certificates
The good news? Adding security headers is usually straightforward and doesn't require code changes—just server configuration.
The essential security headers explained
Here are the headers that actually matter. I'll go through each one and explain what it protects against.
Content-Security-Policy (CSP)
This is the big one. CSP controls what resources can load on your page—scripts, styles, images, fonts, everything. It's your primary defense against XSS attacks.
A basic CSP might look like:
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com
This tells the browser: "Only load resources from my domain, and only run scripts from my domain or this specific CDN."
The catch? CSP can be tricky to configure without breaking things. Start restrictive and loosen as needed, or use report-only mode first to see what would break.
Strict-Transport-Security (HSTS)
HSTS forces browsers to always use HTTPS for your site, even if someone types http:// in the address bar. It also prevents those "click through" SSL warnings that users might ignore.
Strict-Transport-Security: max-age=31536000; includeSubDomains
The max-age is in seconds. 31536000 is one year—the recommended minimum. Once set, browsers remember this preference, which means even a man-in-the-middle attacker can't downgrade the connection to HTTP.
Don't enable HSTS until you're 100% certain your SSL is working correctly. Once browsers see this header, they won't connect over HTTP for the duration of max-age.
X-Frame-Options
This header prevents your site from being embedded in iframes on other sites. Why does this matter? Clickjacking.
An attacker could embed your site in an invisible frame, overlay it with their own UI, and trick users into clicking buttons they can't see—like "Transfer Money" or "Delete Account."
X-Frame-Options: DENY
Use DENY if your site should never be framed. Use SAMEORIGIN if you need to embed it within your own domain.
X-Content-Type-Options
Browsers sometimes try to be helpful by "sniffing" the content type of files, even when the server specifies a type. This can lead to security issues when an attacker uploads a file that looks like HTML to the browser but was supposed to be plain text.
X-Content-Type-Options: nosniff
This header tells the browser: "Trust the Content-Type I'm sending you. Don't guess."
Referrer-Policy
When users click links from your site to another site, the browser typically sends a Referer header telling the destination where the user came from. This can leak sensitive URL paths.
Referrer-Policy: strict-origin-when-cross-origin
This policy sends the origin (just the domain) to other sites, but the full URL to your own site. A reasonable balance between functionality and privacy.
Permissions-Policy
Formerly called Feature-Policy, this header controls which browser features your site can use—things like camera, microphone, geolocation, and payment APIs.
Permissions-Policy: camera=(), microphone=(), geolocation=()
The empty parentheses disable the feature entirely. If you don't use these APIs, disable them. It reduces attack surface and signals security-conscious design.
How to check your headers
The quickest way to see where you stand is to run your site through a security headers checker. Our Security Headers Checker scans your site and shows you exactly which headers you have (or don't have) and gives you a letter grade.
Most sites I check score in the D-F range when they haven't explicitly configured security headers. The default for most servers is... nothing.
Understanding security grades
When tools scan your headers, they typically assign letter grades. Here's roughly what they mean:
| Grade | What it means |
|---|---|
| A+ | All recommended headers present with strong values |
| A | Most headers present, minor improvements possible |
| B | Decent protection, missing a few headers |
| C | Basic headers only, significant gaps |
| D | Minimal protection, many headers missing |
| F | No security headers configured |
Getting from F to B is usually 10 minutes of work. Getting to A+ might require more careful CSP tuning.
Quick wins to improve your score
If you're starting from scratch, here's the order I'd tackle things:
- Add X-Content-Type-Options: nosniff — One line, no risk of breaking anything
- Add X-Frame-Options: DENY — Unless you specifically need to be framed
- Add Referrer-Policy: strict-origin-when-cross-origin — Good default
- Enable HSTS — But only after confirming SSL works perfectly
- Add Permissions-Policy — Disable features you don't use
- Tackle CSP last — This takes the most testing
For specific server configurations (Nginx, Apache, Cloudflare, etc.), check out our guide on How to Add Security Headers which has copy-paste snippets for each platform.
Headers that don't really matter anymore
You might see some older headers mentioned in security audits:
X-XSS-Protection — This was Chrome's built-in XSS filter. It's been deprecated since Chrome 78 because it sometimes introduced security issues. Modern browsers ignore it. If you have it, it won't hurt, but CSP is the real protection now.
Public-Key-Pins (HPKP) — This was supposed to prevent certificate fraud but caused so many issues (including permanently bricking sites) that browsers removed support. Don't use it.
Testing your changes
After adding headers, verify they're actually being sent. You can:
- Use browser DevTools (Network tab → click a request → Headers)
- Use our Security Headers Checker to scan from outside
- Run
curl -I https://yoursite.comfrom the command line
Look for the headers in the response. If they're not there, double-check your server config and clear any caches.
The bottom line
Security headers are low-hanging fruit. They don't require code changes, they protect against real attacks, and they're one of the first things security audits check. Taking 15 minutes to configure them properly puts you ahead of the vast majority of websites.
Start with the easy ones, test thoroughly, and work up to a stricter CSP over time. Your users (and your security auditors) will thank you.