What Security Headers Does Your Site Actually Need?
Most websites are missing critical security headers. Here's what each one does, why it matters, and the exact values to set.
If you run a website, there's a good chance you're missing security headers that take 5 minutes to add but dramatically reduce your attack surface. We scanned 1,000 sites and found that 78% were missing at least one critical security header.
The headers that actually matter
Let's skip the theory and focus on what you should actually set. These are ordered by impact — fix the top ones first.
1. Strict-Transport-Security (HSTS)
This tells browsers to use HTTPS for your domain, for every request and for as long as max-age says, even when a user types or follows a plain http:// link. That blocks protocol downgrade (SSL stripping) attacks and stops session cookies from being sent over plaintext. Without it, an attacker on the same network can intercept the initial HTTP request before your redirect to HTTPS and keep the victim on an unencrypted connection. Two caveats: browsers only honour the header on an HTTPS response, and it protects only after the browser has seen it once, which is what the preload list is for.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
max-age=31536000 tells browsers to remember this for one year. includeSubDomains extends protection to all subdomains, so check first that every subdomain (staging, intranet hosts, anything on a CNAME) is actually served over HTTPS, or those hosts become unreachable. preload marks the site as eligible for the browser preload list so that even the very first visit is protected; the flag itself does nothing until you submit the domain at hstspreload.org, which requires max-age of at least one year plus includeSubDomains, and removal from the list takes months. Roll out with a short max-age (minutes) first, confirm nothing breaks, then raise it to a year and submit.
2. Content-Security-Policy (CSP)
CSP is your primary defence against cross-site scripting (XSS). It tells the browser which origins it may load scripts, styles, images, fonts, and other resources from, and whether inline scripts and event handlers are allowed to run at all. A missing CSP is the single most common security header issue we find.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com
Start restrictive and loosen as needed. Note that script-src 'self' blocks inline <script> blocks and on* handlers; move them to external files or allow them with a per-response 'nonce-...' or 'sha256-...' value rather than adding 'unsafe-inline' to script-src, which would undo most of the protection. The 'unsafe-inline' on style-src above is a compromise for sites that still set inline styles. Use the report-to directive (report-uri is the older, deprecated form but still widely honoured) to monitor violations before enforcing, and ship the policy first in the Content-Security-Policy-Report-Only header: many teams run in report-only mode for weeks before switching to enforcement.
3. X-Content-Type-Options
This prevents browsers from MIME-sniffing a response away from the declared Content-Type. Without it, a browser may decide that a response is a script or stylesheet despite what the header says, so a user-uploaded file served as text/plain could be executed as JavaScript if an attacker references it from a <script> tag. With nosniff, the browser refuses script and style loads whose Content-Type does not match (scripts must carry a JavaScript MIME type, styles text/css), which also depends on your server sending correct Content-Type values in the first place.
X-Content-Type-Options: nosniff
4. X-Frame-Options
Prevents your site from being embedded in iframes on other origins, which is the basis of clickjacking attacks. While CSP's frame-ancestors directive is the modern replacement and takes precedence where both are present, X-Frame-Options provides backward compatibility for older browsers. Use DENY unless you frame your own pages, in which case SAMEORIGIN is the right value; the old ALLOW-FROM option is not supported by current browsers and should not be relied on.
X-Frame-Options: DENY
5. Referrer-Policy
Controls how much referrer information is sent when navigating to, or loading resources from, other sites. Without it, full URLs (potentially containing tokens, user IDs, or search queries) can be leaked to third parties. strict-origin-when-cross-origin sends the full URL for same-origin requests, only the origin (scheme and host) for cross-origin requests, and nothing at all when going from HTTPS to HTTP. Modern browsers already use this as their default, but setting it explicitly covers older browsers and makes the intent visible to whoever audits the site.
Referrer-Policy: strict-origin-when-cross-origin
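As an added example (not code from this article or from the KrakenProbe scanner), the Python script below turns the five recommendations above into checks you can run against any response's headers. It parses HSTS and CSP rather than string-matching, so it catches the common ways these headers are present but ineffective: an HSTS max-age of 0 or a few minutes, a preload flag that does not meet the preload-list requirements, a script-src that allows 'unsafe-inline' or any https: host, an X-Frame-Options ALLOW-FROM that browsers ignore, and a leaky Referrer-Policy. The two sample header sets are constructed for the example, not captured from a real site; fetch_headers is a live helper you can point at your own domain.

```python
"""Audit a response's security headers against the article's recommendations.

Added example for this article; not part of the original page or of KrakenProbe.
Thresholds follow the values given above; the sample responses are constructed.
"""
import re
import urllib.request
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; also the minimum max-age the HSTS preload list accepts

# Referrer-Policy values that send the full URL (path and query) to other origins.
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Parse a CSP string into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_hsts(value: Optional[str]) -> List[str]:
    if value is None:
        return ["missing: the first HTTP request can be intercepted and never upgraded"]
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not match:
        return ["no max-age directive: browsers ignore the header"]
    findings = []
    age = int(match.group(1))
    if age == 0:
        findings.append("max-age=0 tells browsers to forget HSTS, it does not enable it")
    elif age < ONE_YEAR:
        findings.append(f"max-age={age} is below the recommended one year ({ONE_YEAR})")
    if "includesubdomains" not in value.lower():
        findings.append("includeSubDomains absent: subdomains can still be downgraded")
    if "preload" in value.lower() and findings:  # every finding above breaks preload eligibility
        findings.append("preload flag set, but the preload list needs max-age >= 1 year and includeSubDomains")
    return findings


def check_csp(value: Optional[str]) -> List[str]:
    if value is None:
        return ["missing: no browser-side restriction on where scripts load from"]
    directives = csp_directives(value)
    scripts = directives.get("script-src", directives.get("default-src"))
    if scripts is None:
        return ["neither script-src nor default-src: script sources are unrestricted"]
    findings = []
    # With a nonce or hash present, browsers ignore 'unsafe-inline', so only flag it when neither exists.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts run, defeating the XSS defence")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in scripts or "https:" in scripts:
        findings.append("script-src allows scripts from any host")
    return findings


def check_nosniff(value: Optional[str]) -> List[str]:
    if value is None or value.strip().lower() != "nosniff":
        return ["X-Content-Type-Options is not 'nosniff': MIME sniffing remains enabled"]
    return []


def check_framing(xfo: Optional[str], csp: Optional[str]) -> List[str]:
    """Either frame-ancestors (modern) or X-Frame-Options (legacy) must restrict embedding."""
    if csp and "frame-ancestors" in csp_directives(csp):
        return []
    if xfo is None:
        return ["no frame-ancestors and no X-Frame-Options: page can be framed for clickjacking"]
    if xfo.strip().upper() not in {"DENY", "SAMEORIGIN"}:
        return [f"unsupported X-Frame-Options value {xfo.strip()!r}: only DENY and SAMEORIGIN are honoured"]
    return []


def check_referrer(value: Optional[str]) -> List[str]:
    if value is None:
        return ["missing: relying on the browser default instead of an explicit policy"]
    if value.strip().lower() in LEAKY_REFERRER:
        return [f"{value.strip()} sends full URLs (paths, query strings) to other origins"]
    return []


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {header: [findings]}; an empty list means that header passes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy")
    return {
        "Strict-Transport-Security": check_hsts(h.get("strict-transport-security")),
        "Content-Security-Policy": check_csp(csp),
        "X-Content-Type-Options": check_nosniff(h.get("x-content-type-options")),
        "X-Frame-Options": check_framing(h.get("x-frame-options"), csp),
        "Referrer-Policy": check_referrer(h.get("referrer-policy")),
    }


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a live URL (following redirects) and return its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed samples: the article's recommended set, and a typical "present but weak" set.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "strict-transport-security": "max-age=300; preload",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "x-frame-options": "ALLOW-FROM https://partner.example",
    "referrer-policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"== {name}")
        for header, findings in audit(sample).items():
            print(f"  {header}: {'ok' if not findings else '; '.join(findings)}")
```

Run it as-is to see the two constructed samples side by side, or replace the samples with `audit(fetch_headers("https://your-domain.example"))` to check a live site. Because audit() works on a plain dict, the same checks drop into a CI job that fetches your staging host after each deploy and fails the build when a header regresses.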
How to add these headers
Where you add these depends on your stack. In Nginx, add them with add_header in your server block, with the always parameter so they are also sent on error responses; be aware that an add_header inside a location block replaces every add_header inherited from the server block, so either repeat the full set there or keep all of them at one level. In Cloudflare, use Transform Rules (Modify Response Header). In Vercel, use the headers section of vercel.json; in Netlify, a _headers file or netlify.toml. In Express, use the helmet middleware, which sets sensible defaults for all five. The values are the same everywhere; only the mechanism differs. Whatever the stack, set the headers on every response, including redirects, 404s and API endpoints, not just the HTML pages.
Check your site now
Want to see which headers your site is missing? Run a free scan with KrakenProbe — it checks all of these headers plus TLS configuration, DNS security, vulnerable JavaScript libraries, and more. You'll have results in seconds.