What Are HTTP Security Headers and How to Configure Them

Complete guide to HTTP security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy — what each one does and how to add them to your server.

What Are HTTP Security Headers?

HTTP security headers are response headers your server sends with every request, telling the browser how to handle your content safely. They don't replace SSL — they add extra layers of protection against XSS, clickjacking, data injection and other attacks.

Google, Mozilla and OWASP all strongly recommend them. Sites without them receive low security scores from tools like the Security Headers Checker.

The 7 Essential Security Headers

1. Strict-Transport-Security (HSTS)

Tells the browser to use HTTPS only for your domain — even if the user types http://. Eliminates SSL stripping attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age: seconds the browser remembers (31536000 = 1 year)
  • includeSubDomains: also applies to all subdomains
  • preload: registers for the HSTS preload list (don't add unless you're ready)
⚠️ Warning: Before enabling HSTS, make sure HTTPS works everywhere on your site — you can't easily roll back to HTTP afterwards.

2. Content-Security-Policy (CSP)

The most powerful header — defines exactly where scripts, styles, images and fonts are allowed to load from. Largely prevents XSS attacks.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; img-src *

Start with Content-Security-Policy-Report-Only to see violations without breaking anything before enforcing fully.

3. X-Frame-Options

Prevents your site from being loaded inside an <iframe> on another domain (clickjacking). Technically superseded by CSP's frame-ancestors but still needed for older browsers.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

4. X-Content-Type-Options

Stops the browser from MIME type sniffing — the browser follows exactly the Content-Type you declare instead of guessing.

X-Content-Type-Options: nosniff

5. Referrer-Policy

Controls what URL is sent in the Referer header when a user clicks an external link. Protects URL parameters containing sensitive data.

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Controls access to browser APIs (camera, microphone, geolocation, fullscreen). Replaces the old Feature-Policy.

Permissions-Policy: camera=(), microphone=(), geolocation=()

7. Cross-Origin Headers (COOP/COEP/CORP)

A trio of headers for tab isolation from other origins — required if you use SharedArrayBuffer or performance.measureUserAgentSpecificMemory().

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin

How to Add Headers to Your Server

Apache (.htaccess)

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

PHP (Laravel)

In middleware or bootstrap/app.php:

// Inside a middleware's handle(Request $request, Closure $next) method
$response = $next($request);
$response->headers->set('X-Frame-Options', 'SAMEORIGIN');
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
return $response;

Security Score — What It Means

Score    | Status    | What's missing?
A / A+   | Excellent | All key headers present
B        | Good      | Missing CSP or HSTS without preload
C / D    | Fair      | Several headers absent
F        | Poor      | No security headers configured
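As an added, stand-alone example (not the checker tool or any code from this guide): a small Python auditor that applies the seven-header checklist above to a set of response headers and maps the findings onto the score bands of this table. The header sets are constructed samples (one mirrors what the Apache/Nginx snippets below send), and the thresholds, a one-year max-age and preload for the top band, are one reading of the table rather than the tool's exact rules.

```python
import re

FULL = {  # constructed sample, not captured from any real site
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# What the Apache/Nginx snippets in this guide send: no CSP, HSTS without preload.
SNIPPET = {k: v for k, v in FULL.items() if k != "Content-Security-Policy"}
SNIPPET["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
KEY_HEADERS = ("strict-transport-security", "content-security-policy", "x-frame-options",
               "x-content-type-options", "referrer-policy", "permissions-policy")
ONE_YEAR = 31536000  # the max-age recommended above


def hsts_max_age(value):
    # Parse the max-age directive; 0 when absent or malformed.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit(headers):
    # Return a list of findings; empty means every key header is present and strong.
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("HSTS missing")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    elif "preload" not in hsts.lower():
        findings.append("HSTS without preload")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection")  # neither X-Frame-Options nor frame-ancestors
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("nosniff missing")
    findings += [f"{n} missing" for n in ("referrer-policy", "permissions-policy") if n not in h]
    return findings


def grade(headers):
    # Map findings onto the score bands of the table above (one reading of that table).
    if not any(k.lower() in KEY_HEADERS for k in headers):
        return "F"
    findings = set(audit(headers))
    if not findings:
        return "A / A+"
    return "B" if findings <= {"CSP missing", "HSTS without preload"} else "C / D"
```

Feed it the headers of a real response (for example from `requests.get(url).headers`) to see which of the findings above apply before switching CSP from Report-Only to enforcing.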

Frequently Asked Questions

Are security headers mandatory?
Not technically, but without them your site is exposed to XSS, clickjacking and other attacks. Google Chrome shows warnings and security scanners give low scores, which can affect user trust and conversions.
Can CSP break my site?
Yes, if misconfigured — inline scripts or external CDNs will be blocked. Always use Content-Security-Policy-Report-Only first to see violations without blocking anything.
What's the difference with HSTS preload?
With preload, your domain is hardcoded into browsers — even the first visit is HTTPS before the browser sees the header. Don't enable it unless you're 100% committed to HTTPS permanently.
Do security headers affect SEO?
Indirectly yes — HSTS helps Google index your site faster. X-Frame-Options prevents unauthorized embedding. Mainly they affect trust signals and security ratings that can impact conversions.
