
How to Fix Missing Security Headers on Your Website

WebSentry Team

Why Security Headers Matter

HTTP security headers are one of the easiest and most effective ways to protect your website from common attacks like cross-site scripting (XSS), clickjacking, and data injection. Yet a surprising number of websites — even major ones — are missing critical headers.

When you scan your site with WebSentry, missing security headers are one of the most common reasons for a low grade. The good news? They're straightforward to fix.

The Essential Security Headers

Here are the security headers every website should implement, in order of importance:

1. Strict-Transport-Security (HSTS)

HSTS tells browsers to only communicate with your site over HTTPS, preventing protocol downgrade attacks and cookie hijacking.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

The max-age value is in seconds — 63072000 equals two years. The includeSubDomains directive applies the policy to all subdomains, and preload allows your domain to be included in browsers' built-in HSTS lists.

2. Content-Security-Policy (CSP)

CSP is the most powerful security header. It controls which resources (scripts, styles, images, fonts) can load on your page, effectively preventing XSS attacks.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com

Tip: Start with a restrictive policy and use Content-Security-Policy-Report-Only to test before enforcing.
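Report-Only mode is only useful if you actually read the violation reports it generates. The following Python script, added here as a worked example (not WebSentry's code), parses the JSON reports a browser POSTs to a report endpoint and turns them into the allow-list changes you would review before switching the header from Content-Security-Policy-Report-Only to Content-Security-Policy. It assumes the policy carries a report-uri directive (for example "report-uri /csp-report"), that the endpoint stores each request body, and it uses constructed sample reports and hostnames; the one deliberate design choice is that "inline" script violations are listed for review rather than silently fixed by adding 'unsafe-inline', which would defeat the point of the policy.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: four violation reports as a browser would POST them while
# "default-src 'self'; script-src 'self'" is deployed in Report-Only mode.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://example.test/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example-analytics.test/tag.js",
                               "original-policy": "default-src 'self'; script-src 'self'"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.test/pricing",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example-analytics.test/tag.js",
                               "original-policy": "default-src 'self'; script-src 'self'"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.test/",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline",
                               "original-policy": "default-src 'self'; script-src 'self'"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.test/",
                               "effective-directive": "img-src",
                               "blocked-uri": "https://images.example-cdn.test/hero.png",
                               "original-policy": "default-src 'self'; script-src 'self'"}}),
]


def parse_report(body):
    """Return (directive, source) for one report body, or None if it is malformed."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    # Newer browsers send effective-directive; older ones only violated-directive.
    directive = report.get("effective-directive") or \
        (report.get("violated-directive", "").split() or [""])[0]
    blocked = report.get("blocked-uri", "")
    # Reduce real URLs to their origin; keywords such as "inline" or "eval" stay as-is.
    if "://" in blocked:
        parts = urlsplit(blocked)
        blocked = f"{parts.scheme}://{parts.netloc}"
    if not directive or not blocked:
        return None
    return directive, blocked


def summarize(bodies):
    """Count how often each (directive, source) pair was blocked."""
    counts = Counter()
    for body in bodies:
        parsed = parse_report(body)
        if parsed:
            counts[parsed] += 1
    return counts


def suggest_policy(base_policy, counts):
    """Return (proposed policy, items needing manual review).

    Third-party origins are appended to the directive that blocked them; a
    directive that was missing inherits the default-src list first. Inline and
    eval violations are never auto-allowed.
    """
    directives = {}
    for item in base_policy.split(";"):
        item = item.strip()
        if item:
            name, _, values = item.partition(" ")
            directives[name] = values.split()
    needs_review = []
    for (directive, source), n in sorted(counts.items()):
        if source in ("inline", "eval"):
            needs_review.append((directive, source, n))
            continue
        directives.setdefault(directive, list(directives.get("default-src", [])))
        if source not in directives[directive]:
            directives[directive].append(source)
    policy = "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())
    return policy, needs_review


if __name__ == "__main__":
    proposed, review = suggest_policy("default-src 'self'; script-src 'self'",
                                      summarize(SAMPLE_REPORTS))
    print("proposed:", proposed)
    for directive, source, n in review:
        print(f"review: {directive} blocked {source} {n}x (move the code into a file or use a nonce)")
```

Run it on the stored request bodies from your endpoint instead of SAMPLE_REPORTS; the proposed policy is a starting point for review, not something to deploy unread, since a report can be generated by any page visitor.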

3. X-Content-Type-Options

Prevents browsers from MIME-sniffing a response away from the declared Content-Type. This single header stops a whole class of content-confusion attacks, such as a user-uploaded file that is served as an image or plain text but would otherwise be sniffed and executed as script.

X-Content-Type-Options: nosniff

4. X-Frame-Options

Prevents your site from being embedded in iframes on other sites, which protects against clickjacking attacks. Browsers that support CSP also honor the frame-ancestors directive, which takes precedence over X-Frame-Options when both are present, so keep the two consistent.

X-Frame-Options: DENY

Use DENY for maximum protection, or SAMEORIGIN if you need to iframe your own pages.

5. Referrer-Policy

Controls how much referrer information is sent when navigating from your site. This prevents path and query-string data in your URLs from leaking to other sites.

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Controls which browser features (camera, microphone, geolocation) your site can use. Disable features you don't need:

Permissions-Policy: camera=(), microphone=(), geolocation=()

How to Add Headers on Different Platforms

Nginx

server {
    listen 443 ssl;
    # "always" sends the header on error responses (4xx/5xx) as well as on 2xx.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    # Caveat: a location block with its own add_header line replaces ALL of the
    # headers above for that location, so repeat the full set (or include a
    # shared snippet) wherever you add headers at location level.
}

Apache (.htaccess)

# Requires mod_headers to be enabled and AllowOverride to permit Header directives in .htaccess.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>

Cloudflare Workers / Pages

// Worker: set the headers on every proxied response. (Cloudflare Pages uses a
// plain-text _headers file instead: a path line followed by indented "Name: value" lines.)
const headers = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

export default {
  async fetch(request) {
    const upstream = await fetch(request);
    // Headers of a fetched response are immutable; copy it before modifying.
    const response = new Response(upstream.body, upstream);
    Object.entries(headers).forEach(([name, value]) => response.headers.set(name, value));
    return response;
  },
};

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
        { "key": "Content-Security-Policy", "value": "default-src 'self'" },
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
        { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
      ]
    }
  ]
}

Verify Your Headers

After adding headers, run a WebSentry audit to verify everything is configured correctly. The scanner checks all major security headers and flags any that are missing or misconfigured.

A properly configured site should score an A or A+ grade on the headers check.
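The six headers listed above are easy to check yourself before (or between) scans. The Python script below is an added example, not WebSentry's scanner, and its grading scale is an assumption made for illustration: it reads a site's response headers with a HEAD request, parses the HSTS and CSP values rather than just testing for presence (HSTS max-age below one year, missing includeSubDomains, and preload set without meeting the preload requirements; 'unsafe-inline', 'unsafe-eval' or * in the script source list), checks the other four against the values recommended in this article, and reports one finding per problem. The thresholds (one year for HSTS preload eligibility, the safe Referrer-Policy set) are the script's own; the sample headers are constructed from the Nginx configuration above.

```python
import urllib.request

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this max-age
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

# Constructed sample: the header set from the Nginx configuration in this article.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def check_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' and return a list of findings."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings = []
    if max_age < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS missing includeSubDomains")
    if "preload" in directives and findings:
        findings.append("HSTS preload set but preload requirements not met")
    return findings


def check_csp(value):
    """Parse 'directive src src; directive src' and flag sources that weaken script control."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = []
    if "default-src" not in directives:
        findings.append("CSP has no default-src fallback")
    # script-src falls back to default-src when absent, so check whichever applies.
    script_sources = directives.get("script-src", directives.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in script_sources:
            findings.append(f"CSP allows {weak} for scripts")
    return findings


def audit_headers(headers):
    """Return {header name: [findings]}; an empty list means the header passed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    get = lambda name: lowered.get(name.lower())
    result = {}
    hsts = get("Strict-Transport-Security")
    result["Strict-Transport-Security"] = check_hsts(hsts) if hsts else ["missing"]
    csp = get("Content-Security-Policy")
    result["Content-Security-Policy"] = check_csp(csp) if csp else ["missing"]
    xcto = get("X-Content-Type-Options")
    result["X-Content-Type-Options"] = (
        [] if xcto and xcto.strip().lower() == "nosniff" else ["missing or not 'nosniff'"])
    xfo = get("X-Frame-Options")
    result["X-Frame-Options"] = (
        [] if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN") else ["missing or not DENY/SAMEORIGIN"])
    rp = get("Referrer-Policy")
    result["Referrer-Policy"] = (
        [] if rp and rp.strip().lower() in SAFE_REFERRER_POLICIES else ["missing or leaks full URL cross-origin"])
    result["Permissions-Policy"] = [] if get("Permissions-Policy") else ["missing"]
    return result


def grade(result):
    """Illustrative scale (an assumption, not WebSentry's): A with no failing header, one step down per failure."""
    failing = sum(1 for findings in result.values() if findings)
    return "ABCDEF"[min(failing, 5)]


def fetch_headers(url):
    """Fetch only the response headers of a URL via HEAD (follows redirects)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit-example/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    result = audit_headers(hdrs)
    for name, findings in result.items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
    print("grade:", grade(result))
```

Run it as `python audit.py https://your-site.example/` after deploying one of the configurations above, then compare the output with the scanner's result; a header that passes here but is flagged by the scan usually means a location or route that serves its own header set and overrides the global one.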
