5 Security Headers Every Website Should Have (And How to Check Them)
If you run a website, security headers are your first line of defense against common web attacks. But according to recent scans, over 70% of websites are missing critical security headers.
Here are the 5 headers that matter most:
1. Strict-Transport-Security (HSTS)
Tells browsers to reach your domain only over HTTPS for the given period, which blocks protocol-downgrade attacks.
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
2. Content-Security-Policy (CSP)
Mitigates XSS by restricting the sources from which scripts, styles and other resources may load.
```http
Content-Security-Policy: default-src 'self'
```
3. X-Frame-Options
Protects against clickjacking by controlling whether other sites may embed your pages in an iframe.
```http
X-Frame-Options: SAMEORIGIN
```
4. X-Content-Type-Options
Stops browsers from MIME-sniffing a response away from its declared Content-Type.
```http
X-Content-Type-Options: nosniff
```
5. Referrer-Policy
Controls how much of the current URL is sent in the Referer header when users follow links.
```http
Referrer-Policy: strict-origin-when-cross-origin
```
How to Check Your Site Instantly
I built a free web security scanner that checks all these headers (and more) in under 30 seconds:
Just replace the URL with your site and it'll generate a full report with risk scoring and fix recommendations.
For teams needing deeper analysis, there's a Pro version with unlimited scans, PDF reports, and API access for CI/CD pipelines: Get WebSec Scanner Pro
Quick Summary
| Header | Purpose | Risk if Missing |
|---|---|---|
| HSTS | Force HTTPS | Medium (downgrade attacks) |
| CSP | Block XSS | High (injection attacks) |
| X-Frame-Options | Prevent clickjacking | Medium (UI redressing) |
| X-Content-Type-Options | Stop MIME sniffing | Medium (drive-by downloads) |
| Referrer-Policy | Control referrer data | Low (information leakage) |
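As an added example (not the author's scanner), here is a small Python checker that applies the five checks above and rates any gap with the summary table's ratings; it can be pointed at a live site or run against the constructed sample below. The numeric weights, the "weak" thresholds and all names in it are my assumptions.

```python
import urllib.request
RISK_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}  # assumed numeric mapping of the table's ratings

def hsts_max_age(value):
    """Parse max-age=<seconds> from an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

# header -> (risk if missing, from the summary table; predicate: value is the hardened form).
# Thresholds are assumptions: one-year HSTS as in the example above, a CSP that sets default-src,
# X-Frame-Options DENY/SAMEORIGIN, and a Referrer-Policy that never sends the path cross-origin.
CHECKS = {
    "strict-transport-security": ("Medium", lambda v: hsts_max_age(v) >= 31536000),
    "content-security-policy": ("High", lambda v: "default-src" in v.lower()),
    "x-frame-options": ("Medium", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options": ("Medium", lambda v: v.strip().lower() == "nosniff"),
    "referrer-policy": ("Low", lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")),
}

def check_headers(headers):
    """Classify each header as ok / weak / missing and total the risk of the gaps."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings, score = {}, 0
    for name, (risk, is_hardened) in CHECKS.items():
        value = lower.get(name)
        state = "missing" if value is None else ("ok" if is_hardened(value) else "weak")
        findings[name] = (state, None if state == "ok" else risk)
        if state != "ok":
            score += RISK_WEIGHT[risk]
    return {"findings": findings, "score": score}

def fetch_headers(url, timeout=10):
    """GET the URL and return its response headers, so the check can run against a live site."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())

# Constructed sample (not captured from any real site): short-lived HSTS, no CSP, rest hardened.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Against a live site call `check_headers(fetch_headers("https://your-site.example"))`; since many servers set these headers per path, check the pages users actually land on, not only the root.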
Don't wait for an attack to find out your headers are missing. Check them today.
Have questions about web security? Drop them in the comments below!