What are Security Headers?
Security headers are HTTP response headers that tell browsers how to harden your site against common attacks. The main six are Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each adds a specific defense with minimal configuration.
In more detail
Security headers are cheap insurance. They defend against attacks (XSS, clickjacking, MIME-sniffing, SSL stripping, info leakage) that rely on browser behavior you can change with one header. Most sites have 0 or 1 of the 6; adding the remaining 5 takes an hour and blocks a meaningful slice of web attacks.
They are applied at the framework level (Next.js `headers()` in next.config.js), the host level (Vercel, Cloudflare), or the web server level (nginx, Apache).
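As an added example (not SafeToShip's or Next.js's own code), here are the six headers as a Next.js `headers()` config in next.config.js, followed by a small audit function that reports each header that is missing or present with a weakened value, which is the kind of finding the scanner counts. The header values and the `auditSecurityHeaders` helper are illustrative assumptions; the CSP in particular must list the sources your pages actually load.

```javascript
// Added example: the six headers as a Next.js headers() config plus an audit
// that reports missing or weak headers. Values are a starting point, not a
// universal policy; the CSP must be adjusted to what your site really loads.
const securityHeaders = [
  {
    key: "Content-Security-Policy",
    // Own-origin scripts/styles only, no plugins, and nobody may frame us.
    value: "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  },
  // Two years. Add "; preload" only once every subdomain is served over HTTPS.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

// next.config.js: Next.js calls headers() when it loads the config and attaches
// the list to every route matched by `source`.
const nextConfig = {
  async headers() {
    return [{ source: "/:path*", headers: securityHeaders }];
  },
};
// CommonJS export Next.js expects; guarded so the file also runs as a plain script.
if (typeof module !== "undefined") module.exports = nextConfig;

// Audit (hypothetical helper): takes a response's headers as a name -> value
// object (names in any case) and returns one finding per missing or weak header.
function auditSecurityHeaders(responseHeaders) {
  const got = {};
  for (const [name, value] of Object.entries(responseHeaders)) got[name.toLowerCase()] = value;
  const findings = [];
  for (const { key } of securityHeaders) {
    const value = got[key.toLowerCase()];
    if (value === undefined) { findings.push(`missing ${key}`); continue; }
    // Present but weakened is a finding too: the header then protects very little.
    if (key === "Content-Security-Policy" && /'unsafe-inline'|'unsafe-eval'/.test(value)) {
      findings.push("weak Content-Security-Policy (allows unsafe-inline or unsafe-eval)");
    } else if (key === "Strict-Transport-Security") {
      const m = /max-age=(\d+)/i.exec(value);
      if (!m || Number(m[1]) < 31536000) findings.push("weak Strict-Transport-Security (max-age under one year)");
    } else if (key === "X-Content-Type-Options" && value.trim().toLowerCase() !== "nosniff") {
      findings.push("weak X-Content-Type-Options (must be nosniff)");
    }
  }
  return findings;
}
```

Run the audit against the headers your deployed site actually returns (for example from a `fetch` response) to confirm the config reached production; a header set in next.config.js can still be overridden or dropped by a proxy in front of it.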
Why this matters
Why builders care
Security headers are the fastest way to improve your SafeToShip score. They require no code changes and no new dependencies — just a few lines in your hosting config. Every missing header is a finding; every present one is a point.
Fix guides
Fix Security Headers issues
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Missing X-Frame-Options
Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.
Missing X-Content-Type-Options
X-Content-Type-Options: nosniff stops browsers from guessing file types and executing uploads as scripts. Every site should send it — here is how.
Missing Referrer-Policy
Referrer-Policy controls how much URL information leaks when users click links out of your site. The default leaks too much. Here is what to set instead.
Missing Permissions-Policy
Permissions-Policy controls which browser features (camera, microphone, geolocation) your site and its iframes can use. Default-allow is unsafe — lock it down.
Related terms
Keep learning
Content Security Policy
CSP is a browser feature that lets your site tell the browser which scripts, styles, and images are allowed to load. It is the main defense against cross-site scripting (XSS).
HTTP Strict Transport Security
HSTS is an HTTP response header that tells browsers to only connect to your site over HTTPS, even if a user types `http://`. It stops SSL stripping attacks.
X-Frame-Options
A response header that stops other sites from embedding your page in an iframe, preventing clickjacking attacks.