HTTP security headers are one of the cheapest defenses a website can deploy: a few lines of server configuration that tell browsers to refuse whole classes of attack on every page you serve. Most of them cost nothing and take minutes to configure (Content-Security-Policy is the exception and needs planning), and once set they protect every visitor automatically. Yet most websites are still missing the majority of them.
Why Security Headers Matter
Security headers are instructions from your server to the visitor's browser about how a response may be used: whether the page may be framed, where scripts may be loaded from, whether the connection may ever fall back to plain HTTP. Without them, browsers use permissive, backwards-compatible defaults that leave your visitors vulnerable to:
- Cross-site scripting (XSS) — injected scripts running with the full privileges of your origin
- Clickjacking — your pages rendered in an invisible frame on an attacker's site so that the victim's clicks land on your buttons
- MIME sniffing attacks — browsers guessing a response's type from its content and, for example, executing a user upload that was served as text as HTML or script
- Data leakage — URLs carrying tokens, search terms or account identifiers sent to third parties in the Referer header
The 10 Essential Headers
1. Strict-Transport-Security (HSTS)
Tells the browser to use HTTPS for every future request to this host for max-age seconds (one year in the example), refusing to downgrade even if a link or an attacker on the network says http://. Browsers only honour the header when it arrives over a valid HTTPS connection, and includeSubDomains extends the rule to every subdomain, so confirm that all of them serve HTTPS before you add it: an HTTP-only subdomain becomes unreachable for the whole max-age. Add the preload token only if you intend to submit the domain to the browsers' preload list, which hard-codes the rule and is slow to undo.
Strict-Transport-Security: max-age=31536000; includeSubDomains
2. Content-Security-Policy (CSP)
Tells the browser which sources it may load scripts, styles, images and other resources from, so that injected markup cannot pull in or run attacker-controlled code. It is the most powerful of these headers and the only one that addresses XSS directly. In the example, default-src 'self' limits every resource type to your own origin and script-src allows only your own scripts plus inline scripts that carry the nonce. 'nonce-abc123' is a placeholder: a real nonce must be a fresh random value generated for each response and echoed into the page's <script nonce="..."> tags, never a fixed string. Common additions are object-src 'none', base-uri 'none' and frame-ancestors. Note that this policy also blocks inline styles, inline event handlers and third-party scripts, which is why it should be rolled out in report-only mode first (see the tips below).
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'
3. X-Frame-Options
Prevents your pages from being embedded in iframes on other sites (clickjacking protection). DENY blocks framing by everyone, including your own pages; use SAMEORIGIN if you frame your own content. The CSP frame-ancestors directive is the modern replacement and takes precedence in browsers that support it, but X-Frame-Options still covers older browsers and costs nothing to keep.
X-Frame-Options: DENY
4. X-Content-Type-Options
Stops browsers from guessing a response's type from its content and makes them trust the Content-Type you send, so an uploaded file served as text/plain is never rendered as HTML or executed as JavaScript. This only helps if your Content-Type values are correct: with nosniff set, a script or stylesheet served with the wrong type is refused outright.
X-Content-Type-Options: nosniff
5. Referrer-Policy
Controls how much of the current URL is sent in the Referer header when the visitor follows a link or the page loads a resource. strict-origin-when-cross-origin sends the full URL to your own origin, only the origin (scheme and host) to other HTTPS sites, and nothing at all when going from HTTPS to HTTP, which keeps paths and query strings (session tokens, search terms, account IDs) out of third-party logs. Current browsers use this value by default, but setting it explicitly covers older ones and documents the intent.
Referrer-Policy: strict-origin-when-cross-origin
6. Permissions-Policy
Restricts which browser features (camera, microphone, geolocation and others) your pages and any frames they embed may use. An empty allowlist, (), means no origin at all, including your own, so a script injected through some other weakness cannot quietly turn on the camera. For a feature you genuinely use, allow your own origin only, for example camera=(self).
Permissions-Policy: camera=(), microphone=(), geolocation=()
7. Cross-Origin-Opener-Policy (COOP)
Isolates your browsing context from cross-origin windows: a page that opens yours with window.open, or that you open, no longer gets a reference to your window (window.opener), which blocks tab-nabbing and several cross-origin information leaks. If you rely on an OAuth or payment popup that must talk back to the page that opened it, use same-origin-allow-popups instead.
Cross-Origin-Opener-Policy: same-origin
8. Cross-Origin-Resource-Policy (CORP)
Controls which origins may load your resources (images, scripts, fonts) as subresources, independently of CORS. same-origin stops other sites from embedding them at all, which also keeps them out of a cross-origin process where Spectre-style attacks could read them. Use same-site if the assets are served from a CDN or another subdomain of your own site, and cross-origin for assets that are meant to be embedded by anyone.
Cross-Origin-Resource-Policy: same-origin
9. Cross-Origin-Embedder-Policy (COEP)
Requires every cross-origin resource your page loads to opt in, either via CORS (the crossorigin attribute) or a Cross-Origin-Resource-Policy header; anything that does not is blocked. Together with COOP same-origin it makes the page cross-origin isolated, which is what unlocks SharedArrayBuffer and high-resolution timers. Because it breaks any third-party image, script or frame that has not opted in, check your embeds before enforcing it.
Cross-Origin-Embedder-Policy: require-corp
10. X-XSS-Protection
Controls the reflected-XSS filter that older browsers shipped. Chrome and Edge have since removed that filter and Firefox never implemented one, and in the browsers that did have it the filter could itself be abused to detect what a page contains, so the current recommendation (OWASP's among others) is to switch it off explicitly rather than enable it. Real XSS protection comes from the CSP in header 2.
X-XSS-Protection: 0
How to Check Your Headers
You can use WebMon's free Website Analyzer to scan any website and get a security headers grade from A+ to F. It checks all 10 headers and provides specific recommendations for any that are missing.
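If you would rather check a response yourself, the script below audits a raw HTTP response for the ten headers above. It is an added example written for this article, not WebMon's analyzer, and the pass/fail rules encode the values recommended here rather than WebMon's grading. Both sample responses are constructed for illustration, not captured from a real site.

```python
# Audit a raw HTTP response for the ten headers listed above. Added example for
# this article, not WebMon's analyzer; the rules encode the article's recommended
# values. Both sample responses are constructed, not captured from a real site.
import re

WEAK_RESPONSE = (                                   # constructed: a typical under-configured site
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n<html></html>"
)
HARDENED_RESPONSE = (                               # constructed: the values this article recommends
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-R4nd0mV4lu3'; object-src 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Lower-cased name -> value from a raw HTTP/1.x response; repeated headers joined with ', '."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:              # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            name, value = name.strip().lower(), value.strip()
            headers[name] = headers[name] + ", " + value if name in headers else value
    return headers

def _one_of(*allowed):
    """Checker for headers whose value must be one of a fixed set (case-insensitive)."""
    def check(value):
        ok = value.strip().lower() in allowed
        return ok, "ok" if ok else f"{value!r} is not one of: {', '.join(allowed)}"
    return check

def _hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < 31536000:
        return False, "max-age missing or below one year (31536000)"
    if "includesubdomains" not in value.lower():
        return False, "missing includeSubDomains"
    return True, "ok"

def _csp(value):
    """Flag a script-src (or the default-src it falls back to) that lets injected script run."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives:
        return False, "no default-src fallback"
    script = directives.get("script-src", directives["default-src"])
    weak = [t for t in script if t in ("'unsafe-eval'", "*", "data:", "http:", "https:")]
    # browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it on its own
    if "'unsafe-inline'" in script and not any(t.startswith(("'nonce-", "'sha")) for t in script):
        weak.append("'unsafe-inline'")
    return (False, "script-src allows " + " ".join(weak)) if weak else (True, "ok")

CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": _one_of("deny", "sameorigin"),
    "x-content-type-options": _one_of("nosniff"),
    "referrer-policy": _one_of("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: (bool(v.strip()), "ok" if v.strip() else "empty"),
    "cross-origin-opener-policy": _one_of("same-origin", "same-origin-allow-popups"),
    "cross-origin-resource-policy": _one_of("same-origin", "same-site"),
    "cross-origin-embedder-policy": _one_of("require-corp", "credentialless"),
    "x-xss-protection": _one_of("0"),              # 0 switches the legacy filter off; CSP does the work
}

def audit(raw_response):
    """{header: (passed, note)} for all ten headers; an absent header fails with 'missing'."""
    headers = parse_headers(raw_response)
    return {name: check(headers[name]) if name in headers else (False, "missing")
            for name, check in CHECKS.items()}

def score(results):                                 # how many of the ten headers passed
    return sum(1 for ok, _ in results.values() if ok)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for name, (ok, note) in audit(raw).items():
            print(f"{'PASS' if ok else 'FAIL'} {name}: {note}")
        print(f"{label}: {score(audit(raw))}/10\n")
```

To run it against a live site, feed audit() the output of an HTTPS request (for example the header block returned by a HEAD request); the parser deliberately reads the raw text rather than a client library's header object so that duplicated headers, which proxies sometimes introduce, are visible in the result.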
Implementation Tips
- Start with the easy wins: X-Content-Type-Options, X-Frame-Options, and Referrer-Policy take seconds to add
- CSP needs careful planning: Deploy it first as Content-Security-Policy-Report-Only with a report-uri or report-to endpoint, review the violation reports for a few days, then move the same policy to the enforcing header once nothing legitimate is being flagged
- Test after deployment: Use the Website Analyzer to verify headers are correctly set
- Monitor for changes: Security headers can be accidentally removed during deployments, dropped or overwritten by a CDN or reverse proxy in front of the application, or lost in a framework upgrade, so re-check them after every infrastructure change
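The tips above, and the per-response nonce that the CSP section calls for, come together in the middleware below, which adds all ten headers to every response and can be flipped between report-only and enforcing mode. It is an added example written for this article, not WebMon's code or any framework's built-in feature; the environ key "csp.nonce", the "/csp-report" path and the demo application are assumptions made for illustration.

```python
# Emit the ten headers from a WSGI middleware with a fresh CSP nonce on every
# response. Added example for this article, not WebMon's or any framework's
# code; the environ key "csp.nonce" and the "/csp-report" path are assumptions.
import secrets
from wsgiref.util import setup_testing_defaults

STATIC_HEADERS = [                                  # values that never change per response
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Cross-Origin-Opener-Policy", "same-origin"),
    ("Cross-Origin-Resource-Policy", "same-origin"),
    ("Cross-Origin-Embedder-Policy", "require-corp"),
    ("X-XSS-Protection", "0"),                      # switch the legacy filter off; CSP does the work
]

def build_csp(nonce, report_uri=None):
    """Same-origin-only policy; inline scripts run only if they carry this response's nonce."""
    policy = (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
              "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")
    return policy + (f"; report-uri {report_uri}" if report_uri else "")

class SecurityHeaders:
    """WSGI middleware. report_only=True sends Content-Security-Policy-Report-Only,
    so violations are reported but nothing is blocked while a new policy is trialled."""
    def __init__(self, app, report_only=False, report_uri=None):
        self.app, self.report_only, self.report_uri = app, report_only, report_uri

    def __call__(self, environ, start_response):
        nonce = secrets.token_urlsafe(16)           # 128 random bits, never reused across responses
        environ["csp.nonce"] = nonce                # assumed key; templates read it for <script nonce="...">
        csp_name = "Content-Security-Policy-Report-Only" if self.report_only else "Content-Security-Policy"

        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in STATIC_HEADERS + [(csp_name, build_csp(nonce, self.report_uri))]:
                if name.lower() not in present:     # a header the app set explicitly is left alone
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return self.app(environ, start)

def demo_app(environ, start_response):
    """Minimal page whose one inline script is tagged with the per-response nonce."""
    body = (f"<html><body><script nonce=\"{environ['csp.nonce']}\">"
            "console.log('allowed by nonce')</script></body></html>").encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]

def run_once(app, path="/"):
    """Call a WSGI app without a server; returns (status, {header: value}, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body

if __name__ == "__main__":
    status, headers, body = run_once(SecurityHeaders(demo_app, report_only=True, report_uri="/csp-report"))
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode())
```

Wrap the application once (SecurityHeaders(app, report_only=True, report_uri="/csp-report") during the trial, then SecurityHeaders(app) to enforce) and the headers are applied to every response, which is the "monitor for changes" tip made structural: they cannot be forgotten on a new route, and an app that needs a different value for one header can still set it explicitly.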
Conclusion
Implementing the simpler headers typically takes less than an hour; CSP takes longer, but it is the one that does the most for you. Use WebMon's Website Analyzer to check your current grade, then work through the list. Your visitors (and Google) will thank you.