Modern websites use HTTPS encryption, but encryption alone does not fully protect users or websites. Browsers also need instructions about how they should treat a site and its resources. These instructions are delivered through HTTP security headers.
Security headers are pieces of information sent by a web server in the HTTP response. They instruct the browser how to handle security-sensitive situations such as mixed content, framing, referrers, and access to device features.
Properly configured headers improve browser security, reduce attack surface, and help vulnerability scanners recognize the site as properly hardened.
What Security Headers Are
When a browser requests a webpage, the server responds with two main elements:
- The page content (HTML, CSS, JavaScript)
- HTTP response headers
Example header:
Strict-Transport-Security: max-age=31536000
This header tells the browser that the website must only be accessed using HTTPS. Once received, the browser remembers the rule and automatically enforces it.
Security headers therefore act as browser-level security policies.
Common Security Headers Used by Websites
Strict-Transport-Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubDomains
Purpose
Forces browsers to always use HTTPS instead of HTTP when connecting to the site.
Advantages
- Prevents SSL stripping attacks
- Ensures encrypted connections
- Enforces HTTPS usage
X-Frame-Options
X-Frame-Options: SAMEORIGIN
Purpose
Prevents other websites from embedding your website inside an iframe.
Advantages
- Protects against clickjacking attacks
- Prevents malicious pages from hiding your site inside invisible frames
X-Content-Type-Options
X-Content-Type-Options: nosniff
Purpose
Stops browsers from MIME-sniffing a response and overriding the Content-Type declared by the server.
Advantages
- Prevents malicious scripts disguised as other file types
- Improves MIME type security
Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin
Purpose
Controls how much information the browser sends when navigating to another website.
Advantages
- Reduces leakage of sensitive URL data
- Improves user privacy
Content-Security-Policy (CSP)
Content-Security-Policy: upgrade-insecure-requests
Purpose
Defines which resources the browser is allowed to load. Note that the single directive shown above, upgrade-insecure-requests, only makes the browser fetch HTTP subresources over HTTPS; restricting where scripts may come from requires additional directives such as script-src.
Advantages
- Helps prevent cross-site scripting (XSS) attacks
- Controls external scripts and resources
- Prevents mixed HTTP and HTTPS content
Permissions-Policy
Permissions-Policy: camera=(), microphone=(), geolocation=()
Purpose
Controls access to browser and device features.
Advantages
- Disables access to camera, microphone, GPS, and other sensors
- Reduces browser attack surface
Cross-Origin-Opener-Policy (COOP)
Cross-Origin-Opener-Policy: same-origin
Purpose
Cuts the link between your page and cross-origin pages that opened it (or that it opened), so they no longer share a browsing context group.
Advantages
- Prevents certain cross-origin attacks
- Improves browser isolation
How to Check What Security Headers Your Website Uses
Before implementing or modifying security headers, it is useful to check which headers your website already sends to visitors. There are several simple methods to inspect HTTP response headers.
Using an Online Security Header Scanner
One of the easiest methods is using a security testing website. A popular option is the service provided by SecurityHeaders.com.
This service is operated by the organization Mozilla, the developer of the Firefox browser.
To test a site:
- Open securityheaders.com
- Enter your website domain
- Run the scan
The tool analyzes your HTTP response headers and assigns a security rating based on recommended best practices.
Using a Vulnerability Scanner
Security scanners can also detect missing headers. For example, the developer security platform Snyk includes web vulnerability scanning features that report missing or misconfigured security headers.
These scanners can also detect TLS configuration issues and other security misconfigurations.
Checking Headers in the Browser
Headers can also be viewed directly in the browser developer tools.
Example procedure:
- Open your website in the browser
- Press F12 to open developer tools
- Open the Network tab
- Select the main page request
- View the Response Headers section
This method shows the exact headers received by the browser.
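The browser and scanner methods above work interactively; the following script, added here as an example and not part of the original article, performs the same check programmatically. It parses a raw HTTP response, reports which of the headers discussed in this article are present or missing, and flags weak values (an HSTS max-age below one year, an unexpected X-Frame-Options value). The header list and baseline values come from the article; the sample response, the function names and the fetch helper are this example's own.

```python
"""Audit an HTTP response for the security headers discussed above.

Added example (not part of the original article). Header names and baseline
values are the ones the article recommends; SAMPLE_RESPONSE is constructed.
"""
import urllib.request

# Header name -> short reason it matters, in the order the article lists them.
BASELINE = {
    "Strict-Transport-Security": "forces HTTPS (SSL stripping)",
    "X-Frame-Options": "blocks framing (clickjacking)",
    "X-Content-Type-Options": "disables MIME sniffing",
    "Referrer-Policy": "limits referrer leakage",
    "Content-Security-Policy": "restricts loadable resources",
    "Permissions-Policy": "disables device features",
    "Cross-Origin-Opener-Policy": "isolates browsing context",
}

ONE_YEAR = 31536000  # the max-age value used throughout the article


def parse_raw_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line + headers) into a dict.

    Header names are case-insensitive, so keys are lower-cased. Repeated
    headers are joined with ', ' as RFC 9110 permits for most fields.
    """
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(headers: dict) -> dict:
    """Return {'present': {name: value}, 'missing': [...], 'warnings': [...]}."""
    lower = {k.lower(): v for k, v in headers.items()}
    present, missing, warnings = {}, [], []
    for name, why in BASELINE.items():
        value = lower.get(name.lower())
        if value is None:
            missing.append(f"{name} ({why})")
        else:
            present[name] = value

    # Value-level checks: a header that is present but weak is still a finding.
    hsts = lower.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for part in hsts.split(";"):
            key, _, val = part.strip().partition("=")
            if key.strip().lower() == "max-age" and val.strip().isdigit():
                max_age = int(val.strip())
        if max_age < ONE_YEAR:
            warnings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR})")
    xfo = lower.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        warnings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    xcto = lower.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        warnings.append(f"X-Content-Type-Options value {xcto!r} is not nosniff")
    return {"present": present, "missing": missing, "warnings": warnings}


def fetch_headers(url: str, timeout: float = 10) -> dict:
    """Fetch live response headers with a HEAD request (requires network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.getheaders())


# Constructed sample: a site that sends only part of the baseline, with a short HSTS.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    report = audit_headers(parse_raw_headers(SAMPLE_RESPONSE))
    for name, value in report["present"].items():
        print(f"OK      {name}: {value}")
    for item in report["missing"]:
        print(f"MISSING {item}")
    for warning in report["warnings"]:
        print(f"WARN    {warning}")
```

To audit a live site, pass the result of fetch_headers("https://example.com/") to audit_headers; some servers answer HEAD differently from GET, so compare against the browser's Network tab if results look surprising.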
How to Implement Security Headers
Security headers can be implemented in several ways depending on the server environment:
- Web server configuration
- .htaccess file (Apache)
- Reverse proxy configuration
- Content delivery network configuration
- Application framework settings
On shared hosting environments, the easiest approach is usually modifying the .htaccess file.
Example Implementation Using .htaccess
Add the following configuration above the WordPress section in the .htaccess file:
<IfModule mod_headers.c>
    # "always" applies the headers to every response, including redirects and error pages
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set Permissions-Policy "accelerometer=(), autoplay=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
    Header always set Cross-Origin-Opener-Policy "same-origin"
</IfModule>
This configuration provides a safe baseline security policy suitable for many websites.
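The same baseline can be set from the application layer (the last option in the list above) when you do not control the web server. The following WSGI middleware is an added example, not code from the article or from any hosting provider: it uses only the Python standard library, mirrors the header values from the .htaccess block, lets an individual route override a default (for example a stricter CSP on one page), and skips Strict-Transport-Security on plain-HTTP requests because browsers ignore HSTS there anyway. The wrapped demo application, the function names and the request helper are constructed for the demonstration.

```python
"""Set the baseline security headers from a WSGI application.

Added example (not from the article or any hosting provider). The header
values mirror the .htaccess block above; demo_app is a constructed stand-in
for a real application.
"""
from wsgiref.simple_server import make_server

SECURITY_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "upgrade-insecure-requests"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Cross-Origin-Opener-Policy", "same-origin"),
]


class SecurityHeadersMiddleware:
    """Append the baseline headers to every response the app produces.

    A header the wrapped application already set is left alone, so one route
    can tighten (or loosen) a policy without the default being duplicated.
    """

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = list(headers)

    def __call__(self, environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            existing = {name.lower() for name, _ in response_headers}
            merged = list(response_headers)
            for name, value in self.headers:
                if name.lower() in existing:
                    continue  # application-set header wins
                # HSTS is only honoured over HTTPS; sending it on HTTP is pointless.
                if name == "Strict-Transport-Security" and environ.get("wsgi.url_scheme") != "https":
                    continue
                merged.append((name, value))
            return start_response(status, merged, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed application: the /admin page sets its own stricter CSP."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if environ.get("PATH_INFO") == "/admin":
        headers.append(("Content-Security-Policy", "default-src 'self'"))
    start_response("200 OK", headers)
    return [b"<html><body>hello</body></html>"]


def run_request(app, path="/", scheme="https"):
    """Invoke a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = SecurityHeadersMiddleware(demo_app)


def serve(host="127.0.0.1", port=8000):
    """Serve the wrapped app with the standard-library WSGI server."""
    make_server(host, port, app).serve_forever()


if __name__ == "__main__":
    status, headers, _ = run_request(app, "/")
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

Because the middleware only fills in headers the application did not set, it supports the gradual tightening recommended later in this article: start with the baseline everywhere, then have individual pages emit a stricter Content-Security-Policy once they have been tested against it.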
Security Headers Provided by Hosting Platforms and CDNs
In many cases, website owners do not need to manually configure every security header. Modern hosting providers and content delivery networks often apply security headers automatically.
Some hosting platforms include built-in security hardening that automatically sends recommended headers to visitors. For example, the hosting provider WebHostMost already adds several common security headers at the server level for hosted websites.
Content delivery networks such as Cloudflare can also manage certain security policies. When a site is proxied through Cloudflare, TLS versions, cipher suites, and HTTPS enforcement may be controlled by Cloudflare rather than the origin server.
Because security headers can be set at multiple layers (server, CDN, or application), it is common for scanners to detect headers that were not explicitly configured within the website’s own files.
Advantages of Using Security Headers
Improved Browser Security
Browsers receive clear rules on how to handle scripts, framing, external resources, and device access.
Protection Against Common Attacks
- Clickjacking
- Cross-site scripting (XSS)
- Content sniffing attacks
- SSL stripping attacks
Better Security Ratings
Security scanners evaluate response headers when assessing website security. Properly configured headers can improve security ratings in vulnerability scanners and testing tools.
Reduced Browser Attack Surface
Policies such as Permissions-Policy and Content-Security-Policy limit access to browser features and external resources, reducing possible attack vectors.
Compatibility Considerations
Some headers require careful configuration.
- Strict Content Security Policy rules may block scripts or styles
- Cross-Origin-Embedder-Policy may break third-party integrations
- Incorrect HSTS preload configuration may lock a domain to HTTPS permanently
For most websites, a minimal security header configuration is recommended initially, followed by gradual tightening after testing.
Conclusion
Security headers are an important part of modern web security. They allow servers to instruct browsers how to handle content, connections, and external resources.
Even a basic configuration can significantly improve browser security while maintaining compatibility with common website platforms and hosting environments.