When a trust scanner flags "missing security headers" for your website, it can feel like jargon. This guide explains what the main security headers actually do — in plain English, with no assumed technical background.
What Are Security Headers?
When your server sends a web page to a visitor's browser, it sends two things: the page content itself, and a set of headers — invisible instructions that tell the browser how to behave when displaying the page. Security headers are a subset of these instructions specifically designed to block common attacks.
They're free to add. They take minutes to configure. Yet the majority of websites are missing most of them.
The Headers That Matter
Content-Security-Policy (CSP)
This is the most powerful security header. It tells the browser exactly where it's allowed to load content from. For example: only load scripts from your own domain and from `cdn.example.com`. This blocks **Cross-Site Scripting (XSS)** attacks, where malicious code gets injected into your page and runs in visitors' browsers.
A breach via XSS is how attackers steal session cookies and payment data from sites that look perfectly normal to visitors.
Strict-Transport-Security (HSTS)
This tells the browser: "This site always uses HTTPS. Even if you see an HTTP link, use HTTPS anyway." The browser remembers this from its first HTTPS visit, so every later visit is protected. It prevents **SSL-stripping attacks** where a man-in-the-middle intercepts the initial HTTP request before your redirect kicks in.
X-Frame-Options
This header prevents your website from being loaded inside an invisible `<iframe>` on an attacker's page. Without it, your site can be used in **clickjacking attacks** where users think they're clicking something harmless but are actually clicking buttons on your site underneath.
X-Content-Type-Options: nosniff
Browsers try to guess what type of content a file is, even when the server has labelled it wrongly. That guessing can be exploited. Setting `nosniff` tells the browser to trust only the declared MIME type, so an uploaded file that is not declared as a script is never run as one.
Referrer-Policy
Controls how much of the current page's URL is shared with the destination when a visitor clicks a link. Setting this to `strict-origin-when-cross-origin` prevents leaking URL parameters (which can contain session tokens) to third-party sites.
How to Add Security Headers
The method depends on your hosting:
- Vercel — Add a `headers()` function in your `next.config.js` file
- Netlify — Add a `_headers` file to your public directory
- Apache — Add rules to your `.htaccess` file
- Nginx — Add directives to your `server` config block
- Cloudflare — Add as Transform Rules (no code required)
Most managed platforms (Shopify, Squarespace, Wix) set at least some headers automatically. You can check what headers your site currently sends using RoastReady or browser dev tools (Network tab → click your domain → Headers).
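As an added example (not code from this guide or from any hosting platform), here are the five headers above written in the shape Vercel reads from a `next.config.js` `headers()` function, together with a small audit that takes response headers copied from the dev-tools Network tab and reports which are missing or set to a value that undoes their protection. The header values and `cdn.example.com` are assumptions for illustration; the sample response at the end is constructed.

```javascript
// Added example: headers() config in the next.config.js shape, plus an audit of
// captured response headers. Values are illustrative assumptions.
const SECURITY_HEADERS = [
  { key: "Content-Security-Policy",
    value: "default-src 'self'; script-src 'self' https://cdn.example.com" },
  { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

// Applies every header to every route; in next.config.js you would export this.
async function headers() {
  return [{ source: "/(.*)", headers: SECURITY_HEADERS }];
}

// Per-header acceptance check on a lower-cased value. A header that is present
// but set to a value that disables its protection is reported as "weak".
const ACCEPTABLE = {
  "Content-Security-Policy": (v) => !/script-src[^;]*'unsafe-inline'/.test(v),
  "Strict-Transport-Security": (v) => {
    const m = /max-age=(\d+)/.exec(v);           // max-age=0 switches HSTS off
    return m !== null && Number(m[1]) > 0;
  },
  "X-Frame-Options": (v) => v === "deny" || v === "sameorigin",
  "X-Content-Type-Options": (v) => v === "nosniff",
  // both of these send the full URL, query string included, to other origins
  "Referrer-Policy": (v) => v !== "unsafe-url" && v !== "no-referrer-when-downgrade",
};

// Header names are case-insensitive on the wire, so match them lower-cased.
function auditHeaders(responseHeaders) {
  const got = {};
  for (const [k, v] of Object.entries(responseHeaders)) got[k.toLowerCase()] = String(v).trim().toLowerCase();
  const missing = [], weak = [];
  for (const { key } of SECURITY_HEADERS) {
    const value = got[key.toLowerCase()];
    if (!value) missing.push(key);
    else if (!ACCEPTABLE[key](value)) weak.push(key);
  }
  return { missing, weak };
}

// Constructed sample of what an unconfigured site often sends.
const SAMPLE_RESPONSE = { "Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=0", "Referrer-Policy": "unsafe-url" };
console.log(auditHeaders(SAMPLE_RESPONSE));
```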
Why This Matters Beyond Compliance
Security headers are increasingly scrutinised by:
- Enterprise procurement — B2B buyers often run basic security checks before signing contracts
- SEO — Google's crawler takes site security into account as a quality signal
- Trust signals — Sophisticated customers and anyone who runs a trust scan on your site will see the results