Skip to content
Start free scan
  1. Home
  2. /Knowledge Base
  3. /Security headers: which ones does your website need?
Security headers: which ones does your website need?

Security headers: which ones does your website need?

3 min read below · WebYes knowledge base

Security headers protect visitors against eavesdropping, XSS and clickjacking. Find out which headers you need and how to set them up safely.

Security headers are instructions your server sends along with every page, telling the browser how to treat your site safely: load it over HTTPS only, refuse scripts from unknown sources, never show it inside another site's frame. They cost nothing and block an entire class of attacks.

  • What do security headers actually do?
  • The key headers at a glance
  • CSP: the most powerful, and the trickiest
  • How to check and configure them
  • Related articles
  • FAQ

On this page

  • What do security headers actually do?
  • The key headers at a glance
  • CSP: the most powerful, and the trickiest
  • How to check and configure them
  • Related articles
  • FAQ

Read more

Free WebYes scan is live: test your site on four pillars

You can now scan any website for free on speed, security, mobile and accessibility. Here is how the scan works and what we do with the results.

Share this article

Share on LinkedInShare on X

What do security headers actually do?

Every time a browser requests a page, the server sends a set of headers alongside the HTML: short lines of instructions. Some of them concern security. They determine, for instance, whether the browser may ever access the site over unencrypted HTTP again, which scripts are allowed to run and whether other sites may embed your pages in a frame.

What makes them special is that the protection happens on the visitor's side. Even if an attacker manages to get malicious code onto your page, a properly instructed browser can refuse to execute it. Headers act as a safety net for mistakes elsewhere in the site.

The key headers at a glance

Six headers together cover most of the risk. These are the ones the WebYes scan checks within the security pillar:

Security headers and what they protect against
HeaderProtects againstCommon setting
Strict-Transport-Security (HSTS)Eavesdropping over unencrypted HTTPmax-age of at least one year
Content-Security-Policy (CSP)Cross-site scripting (XSS), injection of foreign scriptsSite-specific; start with a report-only test
X-Content-Type-OptionsMIME sniffing (executing files as something else)nosniff
X-Frame-Options / frame-ancestorsClickjacking through hidden framesDENY or SAMEORIGIN
Referrer-PolicyLeaking URL data to third partiesstrict-origin-when-cross-origin
Permissions-PolicyUnwanted use of camera, microphone or locationAllow only what the site actually uses

CSP: the most powerful, and the trickiest

The Content-Security-Policy deserves separate attention. This header defines, per resource type (scripts, styles, images, frames), which domains are allowed. A strict CSP makes cross-site scripting nearly impossible, because the browser simply refuses to run scripts from sources that are not on the list.

That same power makes CSP the header that most often breaks something. Forget the domain of your analytics script or embedded video and that part stops working. So always start with Content-Security-Policy-Report-Only: the browser then reports violations without blocking anything, letting you tighten the policy before it actually enforces.

How to check and configure them

Where you set headers depends on your setup: in the server configuration (Apache, nginx), at your CDN or hosting plan, or in your framework. For most sites it is a few lines of configuration you add once and then leave alone, with CSP as the exception that needs maintenance whenever you add a new external service.

Checking requires no technical knowledge. The free WebYes scan tests your site's headers within the security pillar and shows the risk for each missing header. Together with a valid SSL certificate, headers form the foundation of the security score.

Related articles

SSL certificate: why your website needs HTTPS

SSL certificate: why your website needs HTTPS

An SSL certificate encrypts traffic between visitor and website. Read how HTTPS works, which certificate types exist and how to check your site.

Frequently asked questions

Can security headers break my site?

Most headers are risk-free to enable: HSTS, nosniff and Referrer-Policy change nothing about how your site works. Only the Content-Security-Policy can block parts that load from external sources. Test it in report-only mode first before enforcing it.

Are security headers legally required?

No law prescribes specific headers. The GDPR does require appropriate protection of personal data; a site offering forms or accounts without basics such as HTTPS and HSTS can be held to that. In practice, headers are simply the cheapest security win available.

My site already runs on HTTPS. Why would I still need HSTS?

Without HSTS, the browser first tries the unencrypted HTTP version when someone types your address, relying on a redirect. That single unencrypted request can be intercepted. HSTS makes the browser access your site directly and exclusively over HTTPS from then on.

The WebYes scan measures this too

Scan your website for free on speed, security, mobile and accessibility and see where you stand.

Start free scan
webyes

Het onafhankelijke keurmerk voor Nederlandse websites. Kalm, transparant, jaarlijks herkeurd.

Start gratis scan

Keurmerk

  • Start gratis scan
  • Hoe het werkt
  • Keurmerkregister
  • Prijzen
  • Veelgestelde vragen

Kennis

  • Kennisbank
  • Blog
  • Jaarrapport

Bedrijf

  • Over ons
  • Contact
  • Mijn account

Juridisch

  • Privacybeleid
  • Algemene voorwaarden
  • Cookies
© 2026 WebYesGebouwd in Nederland.

Jaarrapport in de maak. In de maak: het jaarrapport over de staat van het Nederlandse web. Lees meer →

webyes
WerkwijzePrijzenRegisterKennisbankOver ons
InloggenStart gratis scan