Security headers are the fastest way to improve your website's security posture. Here's what each one does, why it matters, and the exact code to add it.
When your web server responds to a browser request, it sends back HTTP headers alongside the page content. Most of these are invisible to users — they tell the browser things like "this content is HTML" or "cache this for 24 hours."
Security headers are a special category that tell the browser how to handle your content securely. They're one of the fastest, lowest-risk ways to improve your security posture — typically a single line of configuration per header.
Strict-Transport-Security (HSTS)
What it does: Tells browsers to connect to your domain over HTTPS only, even if the user types http:// or follows an http:// link, for as long as max-age says. This blocks SSL stripping (protocol downgrade) attacks, where an attacker on the network path keeps the victim on plain HTTP. A browser only learns the policy from a response it received over HTTPS, so the very first visit is unprotected unless the domain is on the preload list.
Recommended value:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
What the options mean:
max-age=31536000: remember the policy for one year (the value is in seconds); the timer restarts every time the browser sees the header on an HTTPS response.
includeSubDomains: apply the policy to every subdomain as well, so check first that no subdomain (including internal or legacy hosts) still needs plain HTTP.
preload: signals that you intend to submit the domain to the browsers' built-in HSTS preload list at hstspreload.org. The directive alone changes nothing; once the domain is on the list, browsers enforce HTTPS before making even the first request, and getting removed again can take months to reach users.
Risk level to add: Very low without preload, provided HTTPS already works on the domain and every subdomain. Treat preload as a one-way decision: if you are unsure, start with a short max-age (a few minutes), raise it to a year once nothing breaks, and add preload only after that.
Content-Security-Policy (CSP)
What it does: Defines which sources of content (scripts, styles, images, fonts, frames, connections) the browser may load for your page. It is the main defence-in-depth control against cross-site scripting (XSS): even if an attacker manages to inject markup, a policy whose script-src lacks 'unsafe-inline' stops injected inline scripts from running, and scripts from origins you have not listed are blocked. It does not remove the need to encode output correctly.
Starter value:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com;
Risk level to add: Medium. A too-strict CSP breaks your site silently: scripts, fonts and images from unlisted origins simply fail to load. Start permissive and tighten over time. Deploy the value above as Content-Security-Policy-Report-Only with a report-uri (or report-to) endpoint first, watch the violation reports until they stop surprising you, and only then rename the header to Content-Security-Policy. The 'unsafe-inline' allowance for styles is the usual first thing to remove once inline styles have been moved to files or given nonces or hashes; common later additions are object-src 'none', base-uri 'self' and frame-ancestors (which also covers the clickjacking case below).
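Staging the policy in Report-Only mode and acting on the reports it produces, as an added example that is not the article's own code. It is plain Node.js: the middleware has the Express (req, res, next) shape used further down this page, but Express is not required to run it. The /csp-report path, the sample violation report and the analytics origin in it are constructed for illustration.

```javascript
// Added example (not from the original article): staging a CSP in Report-Only
// mode and triaging the violation reports that browsers POST back. Plain Node.js;
// the middleware matches Express's (req, res, next) signature but Express itself
// is not required. The '/csp-report' endpoint path is an assumption.

// Serialise a directive map into a policy string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// The article's starter policy, plus report-uri so the browser tells us what it
// would have blocked. (report-to is the newer mechanism; report-uri still has the
// widest support, and both may be sent together.)
const STARTER_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'https:'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'report-uri': ['/csp-report'],
};

// Middleware factory. enforce=false sends the policy as Report-Only: nothing is
// blocked, violations are only reported. Flip to true once the reports are clean.
function cspMiddleware(directives, enforce = false) {
  const name = enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
  const value = buildCsp(directives);
  return function (req, res, next) {
    res.setHeader(name, value);
    next();
  };
}

// Reduce one violation report to the directive that fired and the source that
// would need allowing. Browsers POST JSON shaped {"csp-report": {...}}.
function triageCspReport(body) {
  const r = body && body['csp-report'];
  if (!r) return null;
  const directive = (r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  const blocked = r['blocked-uri'] || '';
  let source;
  if (blocked === 'inline') source = "'unsafe-inline'";   // prefer a nonce or hash instead
  else if (blocked === 'eval') source = "'unsafe-eval'";  // prefer removing the eval
  else if (/^https?:\/\//.test(blocked)) source = new URL(blocked).origin; // allow the origin, never a full URL
  else source = blocked;                                  // e.g. 'data', 'blob'
  return { directive, source, page: r['document-uri'] };
}

// Return a copy of the policy with one more source allowed for one directive.
// The input map is left untouched. Weakening script-src with 'unsafe-inline' or
// 'unsafe-eval' defeats the point of the policy, so that is refused outright.
function allowSource(directives, directive, source) {
  if (directive.startsWith('script-src') && (source === "'unsafe-inline'" || source === "'unsafe-eval'")) {
    throw new Error(`refusing to add ${source} to ${directive}; use a nonce, hash or external file`);
  }
  const current = directives[directive] || directives['default-src'] || [];
  if (current.includes(source)) return { ...directives };
  return { ...directives, [directive]: [...current, source] };
}

// Constructed sample report (not captured from a real site): a third-party
// analytics tag that the starter policy would block once enforced.
const SAMPLE_REPORT = {
  'csp-report': {
    'document-uri': 'https://example.com/pricing',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://cdn.example-analytics.net/tag.js?v=3',
    'original-policy': buildCsp(STARTER_POLICY),
  },
};

// The rollout loop: stage, read reports, widen only what is genuinely needed, enforce.
const finding = triageCspReport(SAMPLE_REPORT);
const TIGHTENED_POLICY = allowSource(STARTER_POLICY, finding.directive, finding.source);
// app.use(cspMiddleware(TIGHTENED_POLICY, false)); // stage again; pass true to enforce
```

Wire a JSON body parser and a POST route at the report path, pass each body through triageCspReport, and group the results by directive and source: a handful of distinct origins you recognise belong in the policy, while anything you do not recognise is exactly what the header is there to block.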
X-Frame-Options
What it does: Prevents your page from being embedded in an <iframe> on another site. Stops clickjacking attacks, where an attacker loads your page in an invisible frame on top of their own page so that the victim's clicks land on your buttons. The same protection is available with finer control from the CSP frame-ancestors directive, and browsers that see frame-ancestors ignore X-Frame-Options; keep X-Frame-Options anyway for older browsers.
Recommended value:
X-Frame-Options: DENY
Or if you need to allow framing from your own domain:
X-Frame-Options: SAMEORIGIN
Risk level to add: Very low.
X-Content-Type-Options
What it does: Stops browsers from "MIME sniffing", that is, guessing a response's type from its bytes instead of trusting the Content-Type header. Without it, a file an attacker uploaded under a harmless text or image type can be treated as JavaScript or HTML if its contents look like code. With nosniff, a <script> tag only runs a response served with a JavaScript Content-Type and a stylesheet only loads from a text/css response, so make sure your server sends correct Content-Type values on every static file or those resources will stop loading.
Value (only one option):
X-Content-Type-Options: nosniff
Risk level to add: Very low.
Referrer-Policy
What it does: Controls how much of the current URL goes into the Referer header when users follow links from your site or the page loads resources from other sites. Prevents leaking sensitive URL parameters (search queries, password-reset tokens, anything in a query string; session tokens, which should never be in a URL at all) to third parties. With strict-origin-when-cross-origin, same-origin requests carry the full URL, cross-origin requests carry only the origin (https://example.com/ with no path or query), and nothing is sent when going from HTTPS to HTTP. Most current browsers already use this policy when no header is set; sending it explicitly guarantees the behaviour in older browsers and makes the intent visible.
Recommended value:
Referrer-Policy: strict-origin-when-cross-origin
Risk level to add: Very low.
Permissions-Policy
What it does: Controls which browser features (camera, microphone, geolocation, payment and others) your page and any <iframe> it embeds can use. Prevents a compromised or malicious third-party script or embed from silently prompting for, or using, those features. An empty allowlist, written (), disables the feature everywhere on the page including embedded frames; (self) restricts it to your own origin.
Recommended value:
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Risk level to add: Low. For any feature your site legitimately uses, change that entry to (self) or drop it from the list.
Nginx (inside the server block; add_header directives are not inherited into a location block that defines any add_header of its own, so repeat them there, and always makes the headers appear on error responses as well):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
Content-Security-Policy is left out of these server blocks because its value is site-specific; add it the same way once it has been tested in Report-Only mode.
Apache (requires mod_headers; place in the VirtualHost, or in .htaccess where the host allows it; always sets the headers on error responses too):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy and Content-Security-Policy follow the same Header always set pattern.
Cloudflare: use a "Modify Response Header" Transform Rule to add (or overwrite) the headers at the edge without touching your server. This is useful when you cannot change the origin configuration, but responses fetched directly from the origin, bypassing Cloudflare, will still lack the headers.
Node.js / Express (register the middleware before your routes so every response, including error pages, carries the headers):
app.use((req, res, next) => {
  // Browsers only honour HSTS on HTTPS responses; sending it over HTTP is harmless but does nothing.
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
});
Or use the helmet package, which sets these and several related headers with sensible defaults, including a default Content-Security-Policy that you will usually need to customise for your own script and style sources.
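An offline check of the headers a response actually carries, as an added example rather than code from the article or from any scanner. It audits a plain header object against the values recommended above; the BEFORE and AFTER samples are constructed, and the helper for curl output assumes the default layout of curl -sI (status line first, then Name: value lines).

```javascript
// Added example (not from the original article): audit a response's security
// headers offline against the recommendations above. Pass any header object,
// e.g. Object.fromEntries(response.headers) from fetch(), or the raw text of
// `curl -sI https://your-domain/` through headersFromRawText().

const ONE_YEAR = 31536000;

// Turn "Name: value" lines (what curl -sI prints) into a header object.
// The first line is the status line and is skipped.
function headersFromRawText(text) {
  const out = {};
  for (const line of text.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) out[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return out;
}

// Parse "key=value; flag" header values (HSTS style) into a lowercase map.
function parseDirectives(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) out[k.toLowerCase()] = v === undefined ? true : v.trim();
  }
  return out;
}

// Extract one CSP directive's source list (lowercased), or null if absent.
function cspDirective(csp, name) {
  const m = csp.match(new RegExp(`(?:^|;)\\s*${name}\\s+([^;]*)`, 'i'));
  return m ? m[1].trim().toLowerCase() : null;
}

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // HSTS: present, at least one year, covering subdomains.
  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('Strict-Transport-Security missing');
  else {
    const d = parseDirectives(hsts);
    if (!(parseInt(d['max-age'], 10) >= ONE_YEAR)) findings.push(`HSTS max-age ${d['max-age'] ?? 'missing'} is below one year`);
    if (!d['includesubdomains']) findings.push('HSTS lacks includeSubDomains');
  }

  // Clickjacking: X-Frame-Options or, equivalently, CSP frame-ancestors.
  const csp = h['content-security-policy'];
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !(csp && cspDirective(csp, 'frame-ancestors') !== null))
    findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options is not nosniff');

  // Referrer-Policy: only the policies that never send a path cross-origin.
  const safeReferrer = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
  if (!safeReferrer.includes((h['referrer-policy'] || '').toLowerCase()))
    findings.push('Referrer-Policy missing or may leak full URLs cross-origin');

  // CSP: present and enforced, with script sources that are not wide open.
  if (!csp) {
    findings.push('Content-Security-Policy missing' +
      (h['content-security-policy-report-only'] ? ' (Report-Only is set but not enforced)' : ''));
  } else {
    const scriptSrc = cspDirective(csp, 'script-src') ?? cspDirective(csp, 'default-src');
    if (scriptSrc === null) findings.push('CSP has neither script-src nor default-src');
    else if (/'unsafe-inline'|(^|\s)\*(\s|$)/.test(scriptSrc)) findings.push("CSP script sources allow 'unsafe-inline' or *");
  }

  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  return findings;
}

// Constructed sample responses (not captured from a real site): before and after
// adding the headers from this article.
const BEFORE = { 'Content-Type': 'text/html', Server: 'nginx' };
const AFTER = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com;",
};

console.log('before:', auditSecurityHeaders(BEFORE)); // six findings
console.log('after:', auditSecurityHeaders(AFTER));   // []
```

Run it against real output by saving curl -sI https://your-domain/ to a file and calling auditSecurityHeaders(headersFromRawText(fs.readFileSync(file, 'utf8'))). Check the home page, a 404 and an API route separately: the nginx inheritance rule and missing always flags mentioned above show up precisely as headers that are present on one path and absent on another.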
After adding headers, verify them rather than assuming the configuration took effect: request a normal page, a 404 page and an asset URL and confirm each header appears exactly once with the expected value, then run a scan (WebGuard's free scan or any header checker) to confirm nothing was missed.