Security headers explained in plain English

Invisible instructions that protect your visitors. Here's what each one does and how to add them.

Every time someone visits your website, your server sends back more than just the page content. It also sends headers: invisible instructions that tell the browser how to behave. Security headers are specific headers that tell the browser to be stricter than its permissive defaults, protecting your visitors from attacks the browser could have blocked. Without them, your site is unnecessarily vulnerable.

Think of security headers like locks on different doors in a house. The house (your website) might look fine from the outside, but without locks, anyone can walk in through the side entrance.

The headers that matter most

Strict-Transport-Security (HSTS)

What it does: Tells browsers "always use HTTPS when visiting my site, even if someone types http://." Without this, an attacker on the same network could intercept the plain HTTP request before it redirects to HTTPS. One caveat: the browser only learns the rule once it has seen the header on an HTTPS response, so the very first visit is still unprotected unless your domain is on the browsers' built-in HSTS preload list.

In plain English: It's like telling visitors "only use the secure entrance." Even if they try the insecure one, the browser automatically sends them to the right door. This works hand-in-hand with having HTTPS enabled: set a long max-age (a year is the usual recommendation) and only send the header over HTTPS, because browsers ignore it on plain HTTP anyway.

X-Content-Type-Options

What it does: Prevents browsers from "sniffing" file types. Without this header, a browser might look at a file the server labels as plain text or an image, decide it looks like HTML or JavaScript, and run it anyway. Attackers exploit this by uploading files that pass your type checks but execute as code once the browser second-guesses the label.

In plain English: It tells the browser "if I say a file is a picture, treat it as a picture — don't try to guess." The only value is nosniff.

X-Frame-Options

What it does: Prevents other websites from embedding your site inside a frame. Without this, an attacker could create a page that loads your site in an invisible frame, overlaying fake buttons on top. When visitors click what looks like the attacker's button, they're actually clicking a real button on your site, such as "delete account" or "confirm payment." This attack is called clickjacking.

In plain English: It stops other sites from putting a fake frame around your website to trick people. Set it to SAMEORIGIN (only your own site can frame your pages) or DENY (nobody can). The older ALLOW-FROM value is ignored by modern browsers; if you need to allow specific sites, use the frame-ancestors directive of Content-Security-Policy, which modern browsers prefer over X-Frame-Options when both are present.

Content-Security-Policy (CSP)

What it does: Tells the browser which scripts, styles, images, and other resources are allowed to load on your pages. This is the most powerful security header — it can prevent entire categories of attacks by blocking unauthorized scripts from running.

In plain English: It's a guest list for your website. Only scripts and resources you've explicitly approved can run. Everything else gets blocked. This is the most complex header to configure, because a policy that is too strict breaks your own pages. Start by sending it as Content-Security-Policy-Report-Only, which reports violations in the browser console without blocking anything, fix what it flags, then switch to the enforcing header. Even a basic policy is better than none.

Referrer-Policy

What it does: Controls what information is sent when a visitor clicks a link from your site to another site. Older browsers shared the full URL of your page by default, and some still do; current browsers default to sending only your site's origin on cross-site links, but the safe choice is to state your policy explicitly rather than rely on whatever each browser picks. A leaked full URL is a problem if your URLs contain user IDs, search terms, password-reset tokens, or other sensitive data.

In plain English: It controls how much your site "tells" other sites about where visitors came from. Set to strict-origin-when-cross-origin for a good balance of privacy and functionality.

Permissions-Policy

What it does: Controls which browser features (camera, microphone, geolocation, etc.) your site can use. If your site doesn't need the camera, why leave it accessible? An attack through a compromised script could exploit browser features you never intended to use.

In plain English: It turns off browser features your site doesn't need, so they can't be misused.

How to add security headers

Apache (.htaccess)

If you're on shared hosting with Apache, add Header directives to the .htaccess file in your site's root directory. They need the mod_headers module, which most hosting providers enable; wrapping them in an IfModule block keeps the site working if it isn't.
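An added example of such a .htaccess block (not from the original page): it sets the six headers covered above, sends HSTS only on HTTPS responses, and rolls the CSP out in report-only mode first. The policy values are conservative starting points, not a recommendation for any particular site.

```apache
# Added example: starter security headers for Apache (.htaccess or VirtualHost).
# Requires mod_headers; the IfModule wrapper skips the block if it is not loaded.
<IfModule mod_headers.c>
    # "always" also applies the header to error responses (404, 500, ...).
    # The expr condition sends HSTS only over HTTPS, where browsers honour it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"

    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Disable browser features the site does not use; extend the list as needed.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # Start with Report-Only: violations show up in the browser console but nothing
    # is blocked. Once the console is clean, rename this header to Content-Security-Policy.
    # frame-ancestors 'self' is the CSP equivalent of X-Frame-Options SAMEORIGIN.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
</IfModule>
```

After saving the file, reload a page with the browser's developer tools open and confirm the headers appear on the response; a mistyped directive in .htaccess produces a 500 error for the whole site, so check immediately.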

Nginx

Add add_header directives in your server block. You'll need access to your Nginx configuration, which is available on VPS or dedicated hosting. Two things catch people out: add the always parameter so the headers are also sent on error responses, and remember that any add_header inside a location block replaces every add_header inherited from the server block, so a location that sets only Cache-Control silently drops all the security headers.
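An added example (not from the original page) showing the headers kept in a shared snippet so they can be re-included wherever a location block adds its own header. The snippet path and the hostname example.test are placeholders.

```nginx
# Added example. File 1: /etc/nginx/snippets/security-headers.conf (assumed path)
# "always" makes Nginx send the header on 4xx/5xx responses as well.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Report-only first; rename to Content-Security-Policy once the console shows no violations.
add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;

# File 2: the server block (e.g. /etc/nginx/sites-enabled/example.conf, assumed path)
server {
    listen 443 ssl;
    server_name example.test;            # placeholder hostname
    ssl_certificate     /etc/ssl/example.test.pem;      # placeholder
    ssl_certificate_key /etc/ssl/example.test.key;      # placeholder

    include snippets/security-headers.conf;   # applies to every location below...

    location / {
        root /var/www/example;
        # no add_header here, so this location inherits the server-level headers
    }

    location /api/ {
        # PITFALL: one add_header in this block discards ALL inherited add_header
        # directives, so without the include below /api/ would have no security headers.
        add_header Cache-Control "no-store" always;
        include snippets/security-headers.conf;
        proxy_pass http://127.0.0.1:8080;    # placeholder upstream
    }
}
```

Run nginx -t before reloading, then request a URL under each location (not just the home page) and compare the headers; the inheritance rule means a single missed location can undo the whole setup.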

WordPress plugins

Plugins like "Headers Security Advanced & HSTS WP" or "HTTP Headers" let you add all of these headers through a dashboard interface — no server configuration required.

Cloudflare

If you use Cloudflare, you can set security headers through their dashboard under "Rules" > "Transform Rules" > "Managed Transforms." They also offer one-click HSTS enablement.

How to check your headers

Visit securityheaders.com and enter your URL. It grades your site A+ through F based on which security headers are present and whether their values are sensible. Most small business sites score D or F because they haven't set up any headers. You can also see the raw headers yourself by running curl -sI https://yoursite.example from a terminal or by looking at the Network tab in your browser's developer tools.

Antileak also checks your security headers as part of the security scan and explains in plain English what's missing and why it matters.
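To make the grading concrete, here is an added example (not the page's, Antileak's or securityheaders.com's own code) that applies the checks from this article to a set of response headers: it flags each of the six headers as missing, weak or ok, parsing the HSTS max-age, CSP directives and the X-Frame-Options value rather than only testing for presence. The two sample responses are constructed for the example; to check a real site, replace them with the headers returned by curl -sI.

```python
"""Added example: grade HTTP response headers against the recommendations above."""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age

# Constructed sample: a site that set a few headers but with weak values.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",                  # far too short
    "X-Frame-Options": "ALLOW-FROM https://partner.example",     # obsolete value
    "Referrer-Policy": "unsafe-url",                             # leaks full URLs
}

# Constructed sample: the same site after adding the headers from this page.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

GOOD_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def _kv_directives(value: str) -> dict[str, str]:
    """Parse 'max-age=31536000; includeSubDomains' into {'max-age': '31536000', 'includesubdomains': ''}."""
    out: dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip()
    return out


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Parse "default-src 'self'; frame-ancestors 'none'" into {'default-src': ["'self'"], ...}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header name: 'ok' | 'missing' | 'weak: reason'} for the six headers discussed above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    result: dict[str, str] = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        result["Strict-Transport-Security"] = "missing"
    else:
        age = _kv_directives(hsts).get("max-age", "")
        if not age.isdigit():
            result["Strict-Transport-Security"] = "weak: max-age is missing or not a number"
        elif int(age) < ONE_YEAR:
            result["Strict-Transport-Security"] = f"weak: max-age={age} is under one year"
        else:
            result["Strict-Transport-Security"] = "ok"

    nosniff = h.get("x-content-type-options")
    if nosniff is None:
        result["X-Content-Type-Options"] = "missing"
    else:
        result["X-Content-Type-Options"] = "ok" if nosniff.lower() == "nosniff" else f"weak: unexpected value {nosniff!r}"

    csp = h.get("content-security-policy")
    csp_dirs = _csp_directives(csp) if csp else {}
    xfo = h.get("x-frame-options")
    if "frame-ancestors" in csp_dirs:
        result["X-Frame-Options"] = "ok"  # CSP frame-ancestors takes precedence in modern browsers
    elif xfo is None:
        result["X-Frame-Options"] = "missing"
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        result["X-Frame-Options"] = "ok"
    else:
        result["X-Frame-Options"] = f"weak: {xfo!r} is not DENY or SAMEORIGIN (ALLOW-FROM is ignored by modern browsers)"

    if csp is None:
        result["Content-Security-Policy"] = "missing"
    elif "default-src" not in csp_dirs:
        result["Content-Security-Policy"] = "weak: no default-src fallback, unlisted resource types are unrestricted"
    elif "'unsafe-inline'" in csp_dirs.get("script-src", csp_dirs["default-src"]):
        result["Content-Security-Policy"] = "weak: scripts may use 'unsafe-inline', which defeats XSS protection"
    else:
        result["Content-Security-Policy"] = "ok"

    ref = h.get("referrer-policy")
    if ref is None:
        result["Referrer-Policy"] = "missing"
    else:
        result["Referrer-Policy"] = "ok" if ref.lower() in GOOD_REFERRER_POLICIES else f"weak: {ref!r} can leak the full URL"

    result["Permissions-Policy"] = "ok" if "permissions-policy" in h else "missing"
    return result


def missing_or_weak(headers: dict[str, str]) -> list[str]:
    """Names of the headers that need attention, sorted for stable output."""
    return sorted(name for name, status in check_headers(headers).items() if status != "ok")


if __name__ == "__main__":
    for label, sample in (("weak site", WEAK_RESPONSE), ("hardened site", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for name, status in check_headers(sample).items():
            print(f"  {name}: {status}")
```

The checker deliberately treats a CSP with frame-ancestors as satisfying the framing check and flags 'unsafe-inline' in script sources, because those are the two places where "the header is present" and "the header is doing its job" most often diverge.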

Don't let perfect be the enemy of good. Even adding just HSTS, X-Content-Type-Options, and X-Frame-Options puts you ahead of most sites. You can add the more complex headers (like CSP) over time. Start with the easy wins — they take 5 minutes and make a real difference in your health score.

Check your security headers

Find out which headers you're missing. Scan takes 60 seconds.

We check headers, HTTPS, exposed files, and more. 60 seconds.