Why Security Headers Matter
HTTP security headers are one of the easiest and most effective ways to protect your website from common attacks like cross-site scripting (XSS), clickjacking, and data injection. Yet a surprising number of websites — even major ones — are missing critical headers.
When you scan your site with WebSentry, missing security headers are one of the most common reasons for a low grade. The good news? They're straightforward to fix.
The Essential Security Headers
Here are the security headers every website should implement, in order of importance:
1. Strict-Transport-Security (HSTS)
HSTS tells browsers to only communicate with your site over HTTPS, preventing protocol downgrade attacks and cookie hijacking.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
The max-age value is in seconds — 63072000 equals two years. The includeSubDomains directive applies the policy to all subdomains, and preload allows your domain to be included in browsers' built-in HSTS lists.
2. Content-Security-Policy (CSP)
CSP is the most powerful security header. It controls which resources (scripts, styles, images, fonts) can load on your page, effectively preventing XSS attacks.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com
Tip: Start with a restrictive policy and use Content-Security-Policy-Report-Only, which reports violations without blocking anything, to test before enforcing.
3. X-Content-Type-Options
Prevents browsers from MIME-sniffing a response away from its declared Content-Type. This single header stops a whole class of content-type confusion attacks.
X-Content-Type-Options: nosniff
4. X-Frame-Options
Prevents your site from being embedded in iframes, which protects against clickjacking attacks.
X-Frame-Options: DENY
Use DENY for maximum protection, or SAMEORIGIN if you need to iframe your own pages.
5. Referrer-Policy
Controls how much referrer information is sent when navigating away from your site. This limits how much of the URL, which may contain sensitive data, is exposed to other sites.
Referrer-Policy: strict-origin-when-cross-origin
6. Permissions-Policy
Controls which browser features (camera, microphone, geolocation) your site can use. Disable features you don't need:
Permissions-Policy: camera=(), microphone=(), geolocation=()
How to Add Headers on Different Platforms
Nginx
server {
    # "always" adds the header on error responses too, not just 2xx/3xx.
    # Note: add_header is not inherited into a location block that declares its own add_header,
    # so repeat these in any such block.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
}
Apache (.htaccess)
# Requires mod_headers to be enabled
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Cloudflare Workers / Pages
// Header set to apply to a Worker response (a Pages _headers file uses its own plain-text format, not this JS object):
const headers = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
Vercel (vercel.json)
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" }
      ]
    }
  ]
}
Verify Your Headers
After adding headers, run a WebSentry audit to verify everything is configured correctly. The scanner checks all major security headers and flags any that are missing or misconfigured.
A properly configured site should score an A or A+ grade on the headers check.
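For a quick offline check of the recommendations above, here is an added example (not part of this article and not WebSentry's scanner) that audits a dict of response headers; the thresholds and accepted values are this example's own assumptions drawn from the sections above.

```python
import re

# Added example mirroring this article's recommendations; it is not WebSentry's scanner.
ONE_YEAR = 31536000
ALLOWED = {  # header -> accepted values (compared case-insensitively)
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "referrer-policy": {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
}

def check_hsts(value):
    """Flag a max-age under one year (the article suggests two) or a missing includeSubDomains."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        return "strict-transport-security: max-age missing or below one year"
    if "includesubdomains" not in value.lower():
        return "strict-transport-security: includeSubDomains not set"

def check_csp(value):
    """Require a default-src fallback and reject inline or wildcard script sources."""
    directives = {d.split()[0].lower(): d.split()[1:] for d in value.split(";") if d.strip()}
    if "default-src" not in directives:
        return "content-security-policy: no default-src fallback"
    script = directives.get("script-src", directives["default-src"])
    if "'unsafe-inline'" in script or "*" in script:
        return "content-security-policy: script sources allow inline or wildcard"

def audit(headers):
    """Return a list of findings for a dict of response headers; empty means everything passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, check in [("strict-transport-security", check_hsts), ("content-security-policy", check_csp)]:
        findings.append(check(h[name]) if name in h else f"{name}: missing")
    for name, allowed in ALLOWED.items():
        if name not in h:
            findings.append(f"{name}: missing")
        elif h[name].lower() not in allowed:
            findings.append(f"{name}: unexpected value {h[name]!r}")
    if "permissions-policy" not in h:
        findings.append("permissions-policy: missing")
    return [f for f in findings if f]  # drop the None returned by passing checks

# Constructed sample response: HSTS is fine, CSP allows inline scripts, Referrer-Policy is absent.
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

Calling audit(SAMPLE) lists the two problems; feed it the headers your own server returns to see what a scanner would flag.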