HTTP security headers, explained
Security headers are small instructions your site sends with every response that tell browsers how to behave more safely. They cost nothing to add and, configured correctly, take whole classes of browser-side attacks off the table. Here are the ones that matter.
The headers worth setting
Strict-Transport-Security (HSTS) tells a browser that has seen it once to use HTTPS for every later request to the host, which blocks protocol-downgrade and SSL-stripping attacks after that first visit (set a max-age of at least a year and includeSubDomains, or subdomains remain downgradeable). Content-Security-Policy (CSP) restricts which sources scripts and other resources may load from, which mitigates cross-site scripting as long as the policy doesn't permit 'unsafe-inline' scripts. X-Frame-Options stops your site being framed by other origins for clickjacking; the CSP frame-ancestors directive does the same job and supersedes it.
X-Content-Type-Options: nosniff stops browsers MIME-sniffing a response into a different type than the one you declared, Referrer-Policy controls how much of the referring URL leaks to other sites, and Permissions-Policy restricts powerful browser features such as camera, microphone and geolocation.
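As an added example (not the page's own scanner and not code from the original article), here is a small Python audit that applies the checks above to a response's headers, so you can see what "present but weak" looks like next to "set correctly". The two header sets at the bottom are constructed, not captured from any real site, and the thresholds (one-year HSTS max-age, rejecting 'unsafe-inline' in script sources without a nonce or hash) are this example's own choices.

```python
"""Audit HTTP response headers for the security headers discussed above.
Added example with constructed sample data; thresholds are this example's own."""
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age


@dataclass
class Finding:
    header: str
    status: str  # "missing", "weak" or "ok"
    detail: str


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_hsts(value):
    name = "Strict-Transport-Security"
    if value is None:
        return Finding(name, "missing", "browsers will still follow http:// links")
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match:
        return Finding(name, "weak", "no max-age directive, so the header is ignored")
    if int(match.group(1)) < ONE_YEAR:
        return Finding(name, "weak", "max-age below one year")
    if "includesubdomains" not in value.lower():
        return Finding(name, "weak", "includeSubDomains absent, subdomains stay downgradeable")
    return Finding(name, "ok", value)


def check_csp(value):
    name = "Content-Security-Policy"
    if value is None:
        return Finding(name, "missing", "no restriction on where scripts load from")
    directives = parse_csp(value)
    sources = directives.get("script-src", directives.get("default-src"))  # script-src falls back to default-src
    if sources is None:
        return Finding(name, "weak", "neither script-src nor default-src set")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        # with a nonce or hash present, modern browsers ignore 'unsafe-inline'
        return Finding(name, "weak", "'unsafe-inline' lets injected inline scripts run")
    if "*" in sources or "https:" in sources or "http:" in sources:
        return Finding(name, "weak", "wildcard script source allows any host")
    return Finding(name, "ok", value)


def check_framing(headers):
    """Accept either X-Frame-Options or the CSP frame-ancestors directive that supersedes it."""
    name = "X-Frame-Options"
    csp = get_header(headers, "Content-Security-Policy")
    if csp and "frame-ancestors" in parse_csp(csp):
        return Finding(name, "ok", "frame-ancestors set in CSP")
    xfo = get_header(headers, name)
    if xfo is None:
        return Finding(name, "missing", "page can be framed by any site (clickjacking)")
    if xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return Finding(name, "weak", f"unsupported value {xfo!r}; ALLOW-FROM is ignored by current browsers")
    return Finding(name, "ok", xfo)


def check_nosniff(value):
    name = "X-Content-Type-Options"
    if value is None or value.strip().lower() != "nosniff":
        return Finding(name, "missing" if value is None else "weak", "browser may MIME-sniff responses")
    return Finding(name, "ok", value)


def check_referrer_policy(value):
    name = "Referrer-Policy"
    if value is None:
        return Finding(name, "missing", "browser default applies")
    if value.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        return Finding(name, "weak", "full URL including path and query is sent to other origins")
    return Finding(name, "ok", value)


def check_permissions_policy(value):
    name = "Permissions-Policy"
    if value is None:
        return Finding(name, "missing", "camera, microphone, geolocation left at browser defaults")
    return Finding(name, "ok", value)


def audit(headers):
    """One Finding per header the article discusses, in the article's order."""
    return [
        check_hsts(get_header(headers, "Strict-Transport-Security")),
        check_csp(get_header(headers, "Content-Security-Policy")),
        check_framing(headers),
        check_nosniff(get_header(headers, "X-Content-Type-Options")),
        check_referrer_policy(get_header(headers, "Referrer-Policy")),
        check_permissions_policy(get_header(headers, "Permissions-Policy")),
    ]


def problems(headers):
    """Names of headers that are missing or weak."""
    return [f.header for f in audit(headers) if f.status != "ok"]


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {label} ==")
        for f in audit(hdrs):
            print(f"{f.status:8} {f.header}: {f.detail}")
```

The point of the "weak" set is that every header a naive checker would tick as present is still a finding: a five-minute HSTS max-age expires before it protects anyone, a CSP with 'unsafe-inline' in script-src does nothing against reflected XSS, and unsafe-url leaks full URLs to every third party. Run the audit against a real site by feeding it `dict(requests.get(url).headers)` or the equivalent from your HTTP client.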
Why they matter
Missing security headers are among the most common findings in any security scan: they're easy wins that many sites simply never configure. Each one closes off an avenue an attacker might otherwise use.
You can check which headers your own site sets with our free scanner in a few seconds.
Headers plus a firewall
Security headers harden the browser side; a WAF hardens the server side by filtering malicious requests before they reach your application. Together they're a solid, low-effort baseline (neither replaces fixing the bugs in the application itself), and both are things we help you get right.