Why Your Website Security Headers Matter (And How to Check Them)
Learn what security headers are, why they matter, and how to implement the 6 essential headers that protect your site and visitors.
What Are Security Headers?
Security headers are instructions your web server sends to the browser along with your page content. They tell the browser how to handle your site's data and what to allow or block.
Think of them as rules of engagement: "Only load resources from these domains," "Don't let other sites embed me in a frame," "Always use HTTPS."
Without these headers, browsers use their default behaviour - which is typically very permissive. That permissiveness is what attackers exploit.
The 6 Essential Security Headers
1. Strict-Transport-Security (HSTS)
What it does: Forces browsers to always use HTTPS, even if someone types http:// or clicks an old HTTP link.
Why it matters: Without HSTS, the first request to your site might go over HTTP (unencrypted), which creates a window for man-in-the-middle attacks. HSTS eliminates that window.
How to implement:
For Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
For Apache (.htaccess):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
For Express.js:
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  next();
});
2. Content-Security-Policy (CSP)
What it does: Controls which resources (scripts, styles, images, fonts) the browser is allowed to load on your page.
Why it matters: CSP is your primary defence against Cross-Site Scripting (XSS) attacks. If an attacker injects malicious JavaScript into your page, CSP can prevent the browser from executing it.
A basic starting policy:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https:; font-src 'self'
This says: only load resources from my own domain, with the exception of images from any HTTPS source and inline styles.
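To make that reading concrete, here is an added example (not code from the original article) in Node.js: a small evaluator for the fetch directives of a CSP string, run against the starting policy above. It models only the source expressions that policy uses ('self', 'unsafe-inline', a scheme source such as https:, and plain host sources) plus 'none'; wildcards, nonces and hashes are deliberately out of scope. The page origin https://www.example.com and the resource URLs are constructed sample values.

```javascript
// Added example: a simplified CSP evaluator for the starting policy in the article.
// Not a full implementation of the CSP specification; see the lead-in for scope.

// Parse "default-src 'self'; script-src 'self'" into
// { 'default-src': ["'self'"], 'script-src': ["'self'"] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match the URL being loaded?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "'none'") return false;
  // Scheme source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host source such as "https://cdn.example.com" or "cdn.example.com".
  const withScheme = source.includes('://') ? source : `${url.protocol}//${source}`;
  try {
    const allowed = new URL(withScheme);
    return allowed.protocol === url.protocol && allowed.host === url.host;
  } catch {
    return false;
  }
}

// Decide whether a resource of the given type (script, style, img, font, ...)
// from resourceUrl may load on a page at pageOrigin. When the specific
// directive is absent the browser falls back to default-src, as modelled here.
function isAllowed(policyString, type, resourceUrl, pageOrigin) {
  const directives = parseCsp(policyString);
  const sources = directives[`${type}-src`] ?? directives['default-src'] ?? [];
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Inline <script> or <style> blocks are permitted only with 'unsafe-inline'
// (or a nonce/hash, which this example does not model).
function inlineAllowed(policyString, type) {
  const directives = parseCsp(policyString);
  const sources = directives[`${type}-src`] ?? directives['default-src'] ?? [];
  return sources.includes("'unsafe-inline'");
}

// The starting policy from the article, and a constructed sample page origin.
const STARTING_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https:; font-src 'self'";
const PAGE = 'https://www.example.com';

// Constructed sample loads: own script, injected foreign script, HTTPS image, foreign font.
const SAMPLE_LOADS = [
  ['script', 'https://www.example.com/app.js'],
  ['script', 'https://evil.example/x.js'],
  ['img', 'https://cdn.example.org/logo.png'],
  ['font', 'https://fonts.example.net/a.woff2'],
];
for (const [type, url] of SAMPLE_LOADS) {
  console.log(`${type} ${url}: ${isAllowed(STARTING_POLICY, type, url, PAGE) ? 'allowed' : 'blocked'}`);
}
console.log(`inline <style>: ${inlineAllowed(STARTING_POLICY, 'style') ? 'allowed' : 'blocked'}`);
console.log(`inline <script>: ${inlineAllowed(STARTING_POLICY, 'script') ? 'allowed' : 'blocked'}`);
```

The foreign script is the XSS case the policy exists for: it is blocked even though the image from another HTTPS host is allowed, because script-src lists only 'self'. A type with no directive of its own (connect-src, for instance) inherits default-src, so it is also limited to 'self'. To observe rather than enforce, the same policy string can be sent under the Content-Security-Policy-Report-Only header, which logs violations (to the endpoint named by a report-to or report-uri directive) without blocking anything.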
Note: CSP can break things if configured too strictly. Start with a report-only mode to see what would be blocked before enforcing.
3. X-Frame-Options
What it does: Prevents your site from being embedded in iframes on other domains.
Why it matters: Without this, attackers can overlay your site with invisible elements (clickjacking) to trick users into clicking things they didn't intend to.
Implementation:
X-Frame-Options: DENY
Or if you need to allow your own site to use iframes:
X-Frame-Options: SAMEORIGIN
4. X-Content-Type-Options
What it does: Prevents the browser from "sniffing" the content type of a response, forcing it to use the declared Content-Type.
Why it matters: Without this, a browser might interpret a malicious file as executable JavaScript, even if the server said it was a plain text file.
Implementation:
X-Content-Type-Options: nosniff
This is the simplest header to implement - just one line, no configuration needed.
5. Referrer-Policy
What it does: Controls how much information about the referring page is sent when a user clicks a link from your site to another site.
Why it matters: By default, the full URL (including query parameters) is sent in the Referer header. If your URLs contain sensitive information (user IDs, tokens, search queries), this leaks to third-party sites.
Recommended setting:
Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL for same-origin requests, only the origin (scheme and domain) for cross-origin requests, and nothing at all when the destination is a downgrade from HTTPS to HTTP.
6. Permissions-Policy
What it does: Controls which browser features (camera, microphone, geolocation, etc.) your site is allowed to use.
Why it matters: Even if your site doesn't use the camera, a compromised third-party script could try to access it. Permissions-Policy explicitly blocks features you don't need.
Implementation:
Permissions-Policy: camera=(), microphone=(), geolocation=()
This blocks camera, microphone, and geolocation access entirely.
How to Check Your Headers
You can check your security headers manually using browser DevTools (Network tab, click any request, look at Response Headers). But it's tedious and easy to miss things.
PageScore checks all of these headers automatically as part of its security audit category. Enter any URL and you'll see exactly which headers are present, which are missing, and the specific code to add them.
Check your security headers now at pagescore.dev - free, instant, no signup required.