
Website Security Headers: The Complete Guide for 2026

Most websites are missing critical security headers that protect against XSS, clickjacking, and data leakage. Here's what you need and how to add them.

What are HTTP security headers?

HTTP security headers are directives sent by your web server that tell browsers how to behave when handling your site's content. They're your first line of defense against common web attacks — and most websites are missing at least half of them.

The good news? Adding security headers is usually a quick server configuration change that takes minutes, not hours.

Check your security headers now

Foglift's Website Audit checks your security headers and scores them against best practices. Try it free — no signup required.


The 6 essential security headers

1. Strict-Transport-Security (HSTS)

HSTS tells browsers to always use HTTPS when connecting to your site. Without it, an attacker on the network path can intercept the initial plain-HTTP request before the redirect to HTTPS happens (a "man-in-the-middle" attack) and keep the victim on an unencrypted connection.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Impact: Critical. This header prevents SSL stripping attacks and ensures all communication is encrypted. Set max-age to at least one year (31536000 seconds). Note that a browser only learns the policy from an earlier HTTPS visit, so the very first request is unprotected unless your domain is on the browsers' built-in HSTS preload list; the preload directive signals that you want to be included, but the list itself requires a separate submission.

2. Content-Security-Policy (CSP)

CSP is the most powerful security header. It controls which resources (scripts, styles, images) the browser is allowed to load, preventing XSS attacks by blocking injected malicious scripts.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'

Impact: Critical. CSP is your primary defense against cross-site scripting (XSS). Start with a restrictive policy and loosen as needed. Be aware that 'unsafe-inline' in script-src (as in the example above) lets any injected inline script run, which is exactly what CSP is meant to stop; move inline scripts into files or use nonces or hashes, and drop 'unsafe-inline' from script-src as soon as you can.

3. X-Content-Type-Options

This header prevents browsers from "sniffing" the MIME type of a response, which can be exploited to execute malicious files disguised as harmless content types.

X-Content-Type-Options: nosniff

Impact: High. It's a one-line addition with no downsides. There's no reason not to include it.

4. X-Frame-Options

Prevents your site from being embedded in an iframe on another domain, protecting against clickjacking attacks where users think they're clicking on your site but are actually interacting with a malicious overlay. DENY blocks all framing, including by your own pages; use SAMEORIGIN if your site needs to frame itself. Modern browsers also honour the CSP frame-ancestors directive, which takes precedence over X-Frame-Options when both are present.

X-Frame-Options: DENY

5. Referrer-Policy

Controls how much referrer information is sent when users click links on your site. Without it, sensitive URL parameters (like session tokens or internal paths) can leak to external sites.

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Controls which browser features and APIs your site, and any iframes it embeds, can use (camera, microphone, geolocation, etc.). An empty allowlist such as camera=() disables the feature for every origin, including your own scripts, which limits what an injected or third-party script can reach.

Permissions-Policy: camera=(), microphone=(), geolocation=()

How to add security headers

The implementation depends on your hosting platform:

  • Nginx: Add headers in your server block using add_header
  • Apache: Use .htaccess with Header set
  • Vercel/Netlify: Configure in vercel.json or _headers file
  • Cloudflare: Use Transform Rules or Workers
  • WordPress: Plugins like "Headers Security Advanced"

Get your security score

Foglift checks all 6 security headers and gives you a score out of 100, plus specific instructions for what's missing. Also check your SSL/TLS certificate to verify your encryption is up to date. Read our SSL certificate checker guide for more details.


Common mistakes to avoid

  • Setting HSTS max-age too low: Use at least 1 year (31536000). Shorter periods offer less protection.
  • Overly permissive CSP: Avoid unsafe-eval unless absolutely necessary. It defeats the purpose of CSP.
  • Forgetting subdomains: HSTS should include includeSubDomains to protect all subdomains. Before enabling it, confirm that every subdomain (including rarely used ones such as mail or staging hosts) serves valid HTTPS, because HSTS will make any HTTP-only subdomain unreachable for the full max-age period.
  • Not testing after adding: Always verify headers are being sent correctly using browser DevTools or a tool like Foglift.
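To catch the mistakes above automatically, here is an added checker script (mine, not Foglift's tool or code from this guide) that scores a set of response headers against the rules in this guide. The point weights and the two sample header sets are my own constructed assumptions.

```python
"""Audit one response's security headers against the rules in this guide.
Weights (25/25/15/15/10/10, summing to 100) are my own assumption."""
import re
from typing import Dict, List, Tuple

ONE_YEAR = 31536000
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}  # both send full URLs to other origins

def audit_headers(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score out of 100, list of findings) for a response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    csp = h.get("content-security-policy", "")
    # script-src governs inline scripts; if it is absent, default-src applies
    script_src = (re.search(r"(?:^|;)\s*script-src\s+([^;]*)", csp)
                  or re.search(r"(?:^|;)\s*default-src\s+([^;]*)", csp))
    ref = h.get("referrer-policy", "").lower()
    checks = [  # (weight, passed, finding if failed)
        (25, bool(age) and int(age.group(1)) >= ONE_YEAR and "includesubdomains" in hsts.lower(),
         "HSTS missing, max-age under one year, or no includeSubDomains"),
        (25, bool(csp) and "'unsafe-eval'" not in csp, "CSP missing or allows 'unsafe-eval'"),
        (15, h.get("x-content-type-options", "").lower() == "nosniff",
         "X-Content-Type-Options: nosniff missing"),
        (15, h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
         "No clickjacking protection (X-Frame-Options or CSP frame-ancestors)"),
        (10, bool(ref) and ref not in LEAKY_REFERRER, "Referrer-Policy missing or leaks full URLs"),
        (10, bool(h.get("permissions-policy")), "Permissions-Policy missing"),
    ]
    score = sum(w for w, ok, _ in checks if ok)
    findings = [msg for _, ok, msg in checks if not ok]
    if script_src and "'unsafe-inline'" in script_src.group(1):  # advisory: no points deducted
        findings.append("CSP script-src allows 'unsafe-inline'; injected inline scripts still run")
    return score, findings

# Constructed sample responses (not captured from any real site).
WEAK = {"Strict-Transport-Security": "max-age=3600", "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer-when-downgrade"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; style-src 'self' 'unsafe-inline'",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        score, findings = audit_headers(sample)
        print(f"{name}: {score}/100", *findings, sep="\n  ")
```

To run it against a live site, feed it the headers from the final HTTPS response (for example, the output of curl -I after following redirects), not the headers of the HTTP-to-HTTPS redirect itself.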

Frequently Asked Questions

What are the most important security headers?


The two most impactful are HSTS (HTTP Strict Transport Security) and Content-Security-Policy (CSP). HSTS forces all connections over HTTPS, preventing downgrade attacks. CSP prevents XSS attacks by controlling which scripts can execute on your page. Together, these two headers address the most common web vulnerabilities. After these, add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy for comprehensive protection.

Do security headers affect SEO?


Yes, indirectly. Google considers HTTPS as a ranking signal, and HSTS ensures all connections use HTTPS. Chrome also marks sites without proper security as 'Not Secure' — which increases bounce rates and reduces trust. While individual headers like CSP aren't direct ranking factors, the overall security posture of your site contributes to Google's assessment of trustworthiness, which aligns with the E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness) framework.

How do I check my website's security headers?


Run a free website audit at foglift.io — it checks all 6 critical security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) and provides a security grade from A+ to F. You can also use Chrome DevTools (F12 → Network tab → click a request → Headers) to manually inspect response headers, or use the curl command: curl -I https://yoursite.com.

Can security headers break my website?


Content-Security-Policy (CSP) is the most likely to cause issues if misconfigured — it can block legitimate scripts, styles, or images. Start with CSP in report-only mode (Content-Security-Policy-Report-Only) to identify what would be blocked before enforcing. The other headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) are safe to add immediately with standard configurations and rarely cause compatibility issues.

Bottom line

Security headers are one of the easiest wins in web security. Most can be added in under 10 minutes and they significantly reduce your attack surface. Start with HSTS and CSP (the two most impactful), then add the rest.

Not sure where you stand? Run a free Website Audit to see which headers you're missing and get specific recommendations for your setup.
