Website security headers, explained (for people who aren't developers)
Security headers are short instructions your website sends to every visitor's browser, switching on extra protections. They're free, invisible to visitors — and most small-business sites are missing several of them.
What is an HTTP security header?
Every time someone opens your site, your server sends back the page along with a set of headers — behind-the-scenes notes to the browser. A security header is one of those notes that says, in effect, "browser, please enforce this protection while you display my site." They don't change how your site looks. They close off common ways an attacker can abuse it — and adding them is usually a config change, not a rebuild.
The headers that matter, and what each one does
Strict-Transport-Security (HSTS)
Forces browsers to always use HTTPS for your site, even if someone types or clicks a plain http:// link. It closes the brief window where a first request could go out unencrypted.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy (CSP)
The powerful one. It tells the browser exactly which sources of scripts, styles and images are allowed to load — so if an attacker manages to inject a malicious script, the browser simply refuses to run it. CSP is the strongest defense against cross-site scripting (XSS). It takes some tuning to get right, which is precisely why so many sites skip it.
X-Frame-Options (and CSP frame-ancestors)
Stops other websites from loading yours inside a hidden frame to trick your visitors into clicking things they can't see (clickjacking).
X-Frame-Options: DENY
X-Content-Type-Options
A single line that stops browsers from "guessing" a file's type and accidentally treating, say, an uploaded image as a script.
X-Content-Type-Options: nosniff
Referrer-Policy
Controls how much of your page's address is shared with the other sites your visitors click through to. A sensible default:
Referrer-Policy: strict-origin-when-cross-origin
How to check which ones you're missing
- Free online graders. Paste your domain into a tool like securityheaders.com and you'll get a letter grade plus the exact list of headers you have and the ones you don't.
- Your browser's developer tools. Open DevTools → Network tab → click the first request → Headers. You'll see exactly what your server is sending today.
How to add them
Where you add headers depends on how your site is served:
- Behind a CDN or proxy (Cloudflare and similar): add response headers in its dashboard — often the quickest route.
- On your own server: set them in your web-server config (Nginx add_header, Apache Header set).
- In your app or framework: most frameworks have a one-line middleware or a small security package that adds the common headers for you.
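As an added example (not code from this article or from secscout), here is what that "one-line middleware" looks like when hand-rolled for a plain Python WSGI app: it wraps any app so every response carries the five headers above, and it leaves a header alone if the app already set it, so a page-specific Content-Security-Policy is not overwritten. The names add_security_headers, hello_app, custom_csp_app and call_app are invented for the demo, and the demo apps are constructed.

```python
"""Add the recommended security headers to every response of a plain WSGI app.
Added example, hand-rolled rather than a library; header values are the ones recommended above."""

SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    # Starting-point CSP: only same-origin resources, and no framing by other sites.
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]


def add_security_headers(app):
    """Wrap a WSGI app so every response carries SECURITY_HEADERS.

    A header the app already set (for example a page-specific CSP) is kept as-is,
    so the middleware adds protections without overriding deliberate choices."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            already_set = {name.lower() for name, _ in headers}
            merged = list(headers) + [
                (name, value) for name, value in SECURITY_HEADERS
                if name.lower() not in already_set
            ]
            return start_response(status, merged, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def hello_app(environ, start_response):
    """Minimal demo app (constructed) that sets only Content-Type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def custom_csp_app(environ, start_response):
    """Demo app (constructed) that sets its own CSP, which the middleware must keep."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy",
         "default-src 'self' https://cdn.example; frame-ancestors 'none'"),
    ])
    return [b"<h1>custom</h1>"]


def call_app(app, path="/"):
    """Run a WSGI app in-process (no server needed) and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, headers, _ = call_app(add_security_headers(hello_app))
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Browsers only honour Strict-Transport-Security when it arrives over HTTPS, so the middleware does nothing for that header until the site itself is served over TLS.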
max-age period. Make sure HTTPS works everywhere on your site before you enable it, or start with a short max-age and raise it once you're confident.
Set them once, then keep watching
Headers are easy to add and just as easy to lose. A framework upgrade, a new CDN rule, a rewritten server config — any routine change can quietly drop a header you set months ago, and nothing will warn you. Re-checking by hand is the step everyone forgets.
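A hand-rolled version of that re-check, serving both the "How to check which ones you're missing" section and the point about headers quietly disappearing. It is an added example, not code from this article or from secscout: it parses a pasted header block like the one DevTools shows, audits it against the recommendations above (missing headers, an HSTS max-age under a year, a Content-Security-Policy that still allows inline scripts, a frame-ancestors directive accepted in place of X-Frame-Options), and compares two audits so a header that was present last month and is gone today shows up as a regression. The sample response is constructed, and the function names are mine.

```python
"""Audit HTTP response headers against the recommendations above and spot regressions.
Added example (not the article's or secscout's code); the sample response is constructed."""
import re

ONE_YEAR = 31536000  # seconds; the max-age recommended above

# Recommended value per header, keyed by lower-case name.
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",  # starting point; tune per site
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}


def parse_raw_headers(raw):
    """Turn a pasted response block (status line plus 'Name: value' lines) into {lower-name: value}."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def csp_directives(csp):
    """Split "default-src a b; script-src c" into {'default-src': ['a', 'b'], 'script-src': ['c']}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers):
    """Return sorted (header, plain-English finding) pairs; an empty list means nothing to fix."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = {}
    csp = csp_directives(present.get("content-security-policy", ""))

    for name, value in RECOMMENDED.items():
        if name in present:
            continue
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors already stops clickjacking
        findings[name] = f"missing; add: {name.title()}: {value}"

    hsts = present.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None:
            findings["strict-transport-security"] = "has no max-age, so browsers ignore it"
        elif int(match.group(1)) < ONE_YEAR:
            findings["strict-transport-security"] = (
                f"max-age is only {match.group(1)} seconds; raise it to {ONE_YEAR} (one year) "
                "once HTTPS works everywhere")

    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings["x-content-type-options"] = f"value '{xcto}' has no effect; use nosniff"

    # script-src governs scripts; when it is absent, default-src does.
    script_sources = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings["content-security-policy"] = (
            "allows 'unsafe-inline' scripts, so an injected script would still run; tighten script-src")

    return sorted(findings.items())


def regressions(baseline, current):
    """Header names that were fine in the baseline audit but have a finding now."""
    before = dict(audit_headers(baseline))
    after = dict(audit_headers(current))
    return sorted(name for name in after if name not in before)


# Constructed sample: roughly what a typical small-business site sends today.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=3600
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for name, finding in audit_headers(parse_raw_headers(SAMPLE_RESPONSE)):
        print(f"{name}: {finding}")
```

Keep the header block from a known-good day as the baseline and run regressions() against each new capture; a routine config change that drops a header then shows up by name instead of going unnoticed.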
Let secscout keep an eye on your headers
secscout checks your security headers every week, tells you the exact header to add for each gap in plain English, and flags it the moment one you'd fixed regresses — alongside certificate, exposed-port and software checks and an A–F grade.
Get started — $10/mo. Cancel anytime · passive, read-only checks on domains you've verified you own