🔒 Security Headers Guide

Protect your site and boost SEO with proper security headers

🛡️ Why Security Headers Matter

🔐

Prevent Attacks

Block XSS, clickjacking, and MIME sniffing attacks

📈

SEO Ranking Signal

HTTPS is a confirmed Google ranking factor

🏆

User Trust

Build confidence with visitors through security

Compliance

Meet GDPR, PCI-DSS, and other requirements

📋 Essential Security Headers

🔐

Strict-Transport-Security (HSTS)

Critical

Forces browsers to always use HTTPS, preventing downgrade attacks and cookie hijacking.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
🛡️

Content-Security-Policy (CSP)

Critical

Controls which resources can load, preventing XSS attacks and data injection.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
🖼️

X-Frame-Options

High

Prevents your site from being embedded in iframes, stopping clickjacking attacks.

X-Frame-Options: DENY # Or: SAMEORIGIN (allow same domain)
📄

X-Content-Type-Options

High

Prevents browsers from MIME-sniffing, reducing drive-by download attacks.

X-Content-Type-Options: nosniff
🔗

Referrer-Policy

Medium

Controls how much referrer information is sent with requests, protecting privacy.

Referrer-Policy: strict-origin-when-cross-origin
📜

Permissions-Policy

Medium

Controls which browser features your page can use (camera, mic, geolocation).

Permissions-Policy: camera=(), microphone=(), geolocation=()

⚙️ Implementation Examples

Apache (.htaccess)

# Enable HSTS Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Content Security Policy Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" # Prevent clickjacking Header always set X-Frame-Options "SAMEORIGIN" # Prevent MIME sniffing Header always set X-Content-Type-Options "nosniff" # Referrer Policy Header always set Referrer-Policy "strict-origin-when-cross-origin" # Permissions Policy Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

Nginx Configuration

server { # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # CSP add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always; # X-Frame-Options add_header X-Frame-Options "SAMEORIGIN" always; # X-Content-Type-Options add_header X-Content-Type-Options "nosniff" always; # Referrer Policy add_header Referrer-Policy "strict-origin-when-cross-origin" always; }

Netlify (_headers file)

/* Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: camera=(), microphone=(), geolocation=()

Vercel (vercel.json)

{ "headers": [ { "source": "/(.*)", "headers": [ { "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains; preload" }, { "key": "X-Frame-Options", "value": "SAMEORIGIN" }, { "key": "X-Content-Type-Options", "value": "nosniff" }, { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" } ] } ] }

🧪 Testing Your Security Headers

A+
Perfect
B
Good
C
Needs Work
D
Poor
F
Failing
🔐
SecurityHeaders.com

Free header analysis with grades

🔬
Mozilla Observatory

Comprehensive security scan

🧪
SSL Labs

SSL/TLS configuration test

📈 SEO Impact of Security

🔒

HTTPS Ranking Boost

Google confirmed HTTPS as a ranking signal in 2014. Secure sites get preference in search results.

HTTP/2 Performance

HTTPS enables HTTP/2, resulting in faster page loads and better Core Web Vitals.

🛡️

Safe Browsing

Avoid "Not Secure" warnings in Chrome that can increase bounce rates by 50%+.

📋 Security Headers Checklist

Essential

Recommended

Testing