5 Security Headers Every Website Should Have (But Most Don't)

By Claros Team 5 min read

HTTP security headers are instructions your web server sends to the browser along with your page content. They tell the browser how to handle your site's data and what kinds of interactions to allow or block. They cost nothing to implement beyond a few lines of server configuration, add only a few hundred bytes to each response, and protect against some of the most common attack vectors on the web.

Despite this, the majority of websites are missing most or all of them. A 2025 analysis of the top 1 million websites found that fewer than 25% had a Content Security Policy, and only 30% used Strict-Transport-Security. These are missed opportunities with real consequences.

1. Strict-Transport-Security (HSTS)

What It Does

HSTS tells a browser that has already seen the header to connect to your site only over HTTPS, even if the user types http:// or clicks an HTTP link. Without it, an attacker on the same network (a coffee shop Wi-Fi, for example) can intercept the initial plain-HTTP request before your server's redirect to HTTPS happens, answer it themselves, and keep the victim on an HTTP connection that the attacker proxies to your real site. This is known as an SSL stripping attack.

Why It Matters

Having a TLS certificate is not enough. If your site accepts any HTTP connection before redirecting, there is a window in which the attacker, not your server, can answer that request. HSTS closes that window by telling the browser: "Do not even try HTTP. Rewrite the request to HTTPS before sending anything." It also makes certificate errors non-bypassable: a browser holding an HSTS policy for your site will not let the user click through a warning for an invalid certificate, which removes the other common way to intercept a TLS connection.

How to Implement

Add this response header on your web server:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age=31536000: The browser remembers this rule for one year (the value is in seconds), counted from the last time it saw the header. max-age=0 tells the browser to forget the policy.
  • includeSubDomains: Applies to all subdomains, not just the root domain. Every subdomain must then work over HTTPS, including internal ones you may have forgotten; in return, an HTTP subdomain can no longer be used to plant cookies on your domain.
  • preload: Signals that you consent to your domain being hard-coded into browsers' built-in HSTS preload lists, which protects even the very first visit. The directive alone does nothing: you must submit the domain at hstspreload.org, which requires a max-age of at least one year plus includeSubDomains, and getting removed from the list later takes months to reach users.

Start with a short max-age (300 seconds, say) to test, then increase it once you have confirmed that everything on the domain works over HTTPS. Browsers only honor this header when it arrives over a valid HTTPS connection, so send it on your HTTPS responses; on the HTTP redirect it is silently ignored.
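The following is an added example, not code from the original page or from Claros: a small Python checker that parses a Strict-Transport-Security value the way a browser does (case-insensitive directives, ignored when max-age is missing or malformed), reports the rollout mistakes a browser would tolerate silently, and tests the header against the preload-list requirements described above. All function names are my own, and the header values in the comments are constructed for illustration.

```python
"""Parse a Strict-Transport-Security header value, report the rollout problems
a browser would silently tolerate, and check the preload-list requirements."""
import re

ONE_YEAR = 31536000


def parse_hsts(value):
    """Return {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.
    Directive names are case-insensitive (RFC 6797); a missing or non-numeric
    max-age leaves max_age as None, and a browser ignores such a header."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def preload_eligible(value):
    """The hstspreload.org requirements on the header itself: a max-age of at
    least one year, includeSubDomains, and the preload token."""
    p = parse_hsts(value)
    return (p["max_age"] is not None and p["max_age"] >= ONE_YEAR
            and p["include_subdomains"] and p["preload"])


def hsts_findings(value, received_over_https=True):
    """Human-readable findings; an empty list means the header is sound."""
    findings = []
    if not received_over_https:
        findings.append("browsers ignore HSTS received over plain HTTP; send it on the HTTPS response")
    p = parse_hsts(value)
    if p["max_age"] is None:
        findings.append("missing or malformed max-age: the whole header is ignored")
        return findings
    if p["max_age"] == 0:
        findings.append("max-age=0 clears the policy (useful for rollback, not for protection)")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age={p['max_age']} is below one year; raise it once HTTPS works everywhere")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains, and cookies scoped to them, stay reachable over HTTP")
    if p["preload"] and not preload_eligible(value):
        findings.append("preload is set but the preload list also requires max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed values: the staged rollout from the text, then the final header.
    for header in ("max-age=300", "max-age=63072000; preload",
                   "max-age=31536000; includeSubDomains; preload"):
        print(header, "->", hsts_findings(header) or "OK")
```

Run it against the value your server actually returns for the HTTPS URL; a `max-age=300` test header is reported as "below one year", which is the reminder to raise it once the rollout is confirmed.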

2. Content-Security-Policy (CSP)

What It Does

CSP is the single most powerful security header. It specifies which sources the browser may load each type of resource from: scripts, styles, images, fonts, frames, and more. Each resource type has its own directive (script-src, img-src, and so on), and default-src is the fallback for the fetch directives you leave out. A few directives, notably frame-ancestors, base-uri, and form-action, have no fallback and remain unrestricted unless you set them. A resource that is not permitted by the directive that applies to it is blocked.

Why It Matters

Cross-site scripting (XSS) remains one of the top web vulnerabilities year after year. XSS attacks work by injecting attacker-controlled script into your pages. A strong CSP stops that script from running: inline script blocks and event handlers are refused unless they carry a nonce or hash the policy allows, and external scripts are refused unless their origin is in the allowed list. Two caveats: adding 'unsafe-inline' to script-src to keep legacy inline scripts working gives up that protection entirely, and CSP is a second line of defense, not a substitute for escaping untrusted output.

How to Implement

A basic CSP that allows resources only from your own domain:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';

CSP is the most complex security header to configure because every external resource your site uses needs to be explicitly allowed, and the 'unsafe-inline' on style-src above is already a concession to the inline style attributes most sites carry. Common additions include:

  • Google Fonts: add fonts.googleapis.com to style-src and fonts.gstatic.com to font-src
  • Google Analytics: allow the host the tag script is loaded from in script-src (older snippets use *.google-analytics.com; check the vendor's current documentation) and the hosts it sends data to in connect-src, because the beacons are governed by connect-src, not script-src
  • Embedded videos: add youtube.com or vimeo.com to frame-src

Start with Content-Security-Policy-Report-Only, which logs violations to the browser console without blocking anything and, if you add a report-to or report-uri directive pointing at an endpoint you control, also posts them there as JSON; without a reporting directive you only ever see violations in developer tools. Review the reports, adjust your policy, then switch to enforcement mode. The two headers can also be sent together: enforce the policy you trust and report on the stricter one you are working towards.
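As an added example (my own code, not the page's or Claros's), here is a Python parser for a CSP value plus a lint pass that flags the weaknesses discussed above: 'unsafe-inline' or over-broad sources in script-src, object-src left open, and the directives that do not inherit from default-src. It is run against the basic policy from this section and against a nonce-based policy. The function names and the policy strings in the test are my own; the fallback rules follow the CSP specification.

```python
"""Parse a Content-Security-Policy value and flag the configurations that most
often leave a policy ineffective against XSS."""

# Fetch directives that inherit from default-src when they are not set.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "frame-src", "object-src", "media-src", "worker-src", "manifest-src"}
# Directives that never inherit: leaving them out means "no restriction".
NO_FALLBACK = ("base-uri", "frame-ancestors", "form-action")
BROAD_SCRIPT_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(policy):
    """Return {directive: [source, ...]}. Directive names are case-insensitive and,
    as in browsers, the first occurrence of a directive wins."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Sources governing `name`: its own list, else default-src for fetch
    directives, else None, meaning that resource type is unrestricted."""
    if name in directives:
        return [s.lower() for s in directives[name]]
    if name in FETCH_DIRECTIVES and "default-src" in directives:
        return [s.lower() for s in directives["default-src"]]
    return None


def lint_csp(policy):
    """Human-readable findings; an empty list means no common weakness was seen."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: every resource type without its own directive is unrestricted")
    script = effective_sources(d, "script-src")
    if script is None:
        findings.append("script-src unrestricted: the policy gives no XSS protection")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in script)
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'
        # (it is then only a fallback for very old browsers).
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected inline scripts run, so XSS is not stopped")
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval': eval()-style sinks stay open")
        for s in script:
            if s in BROAD_SCRIPT_SOURCES:
                findings.append(f"script-src source {s} admits scripts from any matching host")
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content is another way to run code")
    for name in NO_FALLBACK:
        if name not in d:
            findings.append(f"{name} missing, and it does not inherit from default-src")
    return findings


# The basic policy from this section, and a constructed nonce-based alternative.
BASIC_POLICY = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                "img-src 'self' data:; font-src 'self';")
NONCE_POLICY = ("default-src 'none'; script-src 'nonce-R4nd0mV4lue' 'strict-dynamic'; "
                "style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'none'; "
                "frame-ancestors 'none'; form-action 'self'")

if __name__ == "__main__":
    for label, policy in (("basic", BASIC_POLICY), ("nonce", NONCE_POLICY)):
        print(label, "->", lint_csp(policy) or "OK")
```

The basic policy passes the script check but still gets four findings, all about directives it never sets; the nonce policy, in which the server generates a fresh random nonce per response and stamps it on each legitimate script tag, gets none.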

3. X-Content-Type-Options

What It Does

This header has exactly one valid value: nosniff. It stops browsers from guessing ("sniffing") a response's content type from its bytes, and it makes them refuse to run a script or apply a stylesheet whose response carries anything other than a JavaScript or CSS Content-Type.

Why It Matters

MIME type sniffing is a browser behavior where, if a response's content type is missing or looks wrong, the browser examines the content itself to decide how to handle it. Attackers exploit this by uploading files that look like one type (an image, for example) but contain script, then referencing the upload from a script tag or getting it rendered as HTML. If the browser sniffs the content and decides to treat it as JavaScript or HTML, the attacker has script running on your origin.

How to Implement

X-Content-Type-Options: nosniff

That is it: one line. No configuration options, no complexity. It does rely on you sending an accurate Content-Type on every response, including user uploads served back to visitors, so check that as part of the same change. There is no reason for any website not to include this header.

4. X-Frame-Options

What It Does

X-Frame-Options controls whether your site can be embedded in an <iframe> on another website. This prevents clickjacking attacks, where an attacker overlays an invisible iframe of your site on a page they control, tricking users into clicking buttons they cannot see.

Why It Matters

Imagine a user thinks they are clicking "Play Video" on an entertainment site, but they are actually clicking "Transfer Funds" on your banking application loaded in a hidden iframe. Clickjacking is not theoretical — it is a well-documented attack vector that has been used against social media platforms, banks, and e-commerce sites.

How to Implement

X-Frame-Options: DENY

This prevents your site from being embedded in any iframe. If you need to allow embedding on your own domain (for example, for internal tools), use:

X-Frame-Options: SAMEORIGIN

For more granular control, the newer CSP frame-ancestors directive offers the same protection with more flexibility, including a list of specific origins that are allowed to frame you. When both are present, browsers that understand frame-ancestors use it and ignore X-Frame-Options, so sending both costs nothing: frame-ancestors governs current browsers and X-Frame-Options covers old ones. Do not rely on X-Frame-Options: ALLOW-FROM, which was never widely supported and is ignored by current browsers; frame-ancestors is the way to allow one specific third party.

5. Referrer-Policy

What It Does

When a user clicks a link from your site to another site, or your page loads an image, script, or API response from another origin, the browser sends a Referer header (yes, the misspelling is standardized) telling the destination where the request came from. The Referrer-Policy header controls how much of that URL is shared.

Why It Matters

URLs often contain sensitive information: user IDs, password-reset or session tokens, search queries, internal page paths, or query parameters that reveal business logic. Current browsers default to strict-origin-when-cross-origin, but older browsers default to no-referrer-when-downgrade, which sends the full URL to every HTTPS site your visitors navigate to. Setting the policy explicitly makes the behavior the same everywhere and lets you pick a stricter one. This is both a privacy issue for your users and a security issue for your application.

How to Implement

Referrer-Policy: strict-origin-when-cross-origin

This policy sends the full URL (minus fragment and credentials) for same-origin requests, only the origin (scheme and host) for cross-origin requests that stay on HTTPS, and nothing at all when navigating from HTTPS to HTTP. It strikes the right balance between utility and privacy, and it is what current browsers do when no policy is set.

Other common options:

  • no-referrer: Never send referrer information. Maximum privacy, but breaks analytics and any service that validates the referrer.
  • origin: Only send the origin (scheme and host), never the path or query, including on HTTPS-to-HTTP downgrades. strict-origin is the same but sends nothing on a downgrade.
  • same-origin: Send the full URL for requests within your own site and nothing at all to other origins.
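To make the differences between these policies concrete, here is an added Python example (my own, not from the page) that computes the Referer value a browser would send for a given source and destination under each Referrer-Policy value, following the rules of the Referrer Policy specification. It goes beyond the four policies listed above and covers all eight. One assumption is labelled in the code: only https:// URLs are treated as secure, whereas the spec also treats localhost and file: as trustworthy. The URLs are constructed for illustration.

```python
"""Compute the Referer value a browser sends for a request from `source` to
`target` under each Referrer-Policy value, following the Referrer Policy spec.
Assumption (simplification): only https:// URLs count as secure, so a request
from https:// to http:// is the only "downgrade"."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin", "unsafe-url")


def origin_of(url):
    """scheme://host[:port], lower-cased host, no trailing slash."""
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme.lower()}://{u.hostname}{port}"


def strip_for_referrer(url):
    """The 'full URL' form: credentials and fragment removed, as browsers do."""
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return urlunsplit((u.scheme.lower(), f"{u.hostname}{port}", u.path or "/", u.query, ""))


def referer_for(policy, source, target):
    """Return the Referer header value, or None when no header is sent."""
    policy = policy.lower()
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    full = strip_for_referrer(source)
    origin = origin_of(source) + "/"          # the origin form always ends with "/"
    same_origin = origin_of(source) == origin_of(target)
    downgrade = (urlsplit(source).scheme.lower() == "https"
                 and urlsplit(target).scheme.lower() != "https")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    # strict-origin-when-cross-origin: full URL on the same origin, origin only
    # cross-origin, nothing on a downgrade
    if same_origin:
        return full
    return None if downgrade else origin


def referer_table(source, target):
    """What every policy would send for one request, keyed by policy name."""
    return {p: referer_for(p, source, target) for p in POLICIES}


if __name__ == "__main__":
    # Constructed URLs: a page whose query string carries a session token.
    src = "https://shop.example/account?session=abc123#top"
    for dst in ("https://shop.example/orders", "https://partner.example/", "http://partner.example/"):
        print(dst)
        for policy, value in referer_table(src, dst).items():
            print(f"  {policy:32} {value}")
```

For the cross-origin HTTPS destination only no-referrer-when-downgrade and unsafe-url send the session token; every other policy sends the bare origin or nothing, which is the leak the section describes.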

How to Add Security Headers

The method depends on your hosting setup. Here are configurations for the most common platforms:

Apache (.htaccess)

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

These directives need mod_headers enabled; the always keyword makes them apply to error and redirect responses as well as normal ones. The CSP shown here is the bare default-src 'self' baseline, which blocks inline styles: substitute the policy you tuned in Report-Only mode.

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

One nginx-specific trap: add_header directives are inherited from the enclosing block only if the current block has no add_header of its own. A location block that adds even one header of its own silently drops every header set at the server level. Put the full set in an include file and include it in every location that adds headers, or keep them all at one level.

Cloudflare

If you use Cloudflare, you can add security headers through Transform Rules (under Rules > Transform Rules > Modify Response Header) without touching your origin server configuration.

Vercel, Netlify, and Other Platforms

Most modern hosting platforms support custom headers through configuration files (vercel.json, netlify.toml, or _headers files). Check your platform's documentation for the specific syntax.

Testing Your Security Headers

After implementing, verify that the headers are being sent correctly:

  • Open your browser's Developer Tools, navigate to the Network tab, click on the document request, and check the Response Headers.
  • Use the command line: curl -I https://yourdomain.com displays the headers returned by your server. That sends a HEAD request; if a server or CDN answers HEAD differently from GET, run curl -sD - -o /dev/null https://yourdomain.com to see the headers of a real GET. Check the HTTPS URL specifically, since HSTS is only honored there, and check a few different paths, because headers set per location often differ.
  • Run a free Claros scan to get a complete security header assessment along with your overall security grade.

Check Your Security Headers Now

Most websites are missing at least three of these five headers. Find out where yours stands. Scan your site for free with Claros and get a detailed security report with specific remediation steps — in under 30 seconds.
