How to improve the security of your site with HTTP headers?
Website security is a critical concern. An effective way to strengthen your website's security is to send specific HTTP response headers. These headers help protect against various attacks by instructing the browser how to handle your site's content. Here is an overview of the most important headers and how to implement them.
It is important to check with your developer before implementing these headers as each site has specific requirements.
List of headers
Strict-Transport-Security (HSTS)
This header forces the browser to use only secure HTTPS connections.
Implementation example:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options
This header prevents browsers from guessing a resource's type instead of trusting the declared Content-Type, thereby reducing the risk of MIME sniffing attacks.
Implementation example:
X-Content-Type-Options: nosniff
Content-Security-Policy (CSP)
This header helps prevent XSS (Cross-Site Scripting) attacks by controlling the content sources that can be loaded by the browser.
Implementation example:
Content-Security-Policy: default-src 'self'; img-src *; child-src 'none';
Referrer-Policy
This header controls the referrer information sent with HTTP requests, thereby protecting user privacy.
Implementation example:
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options
This header protects against clickjacking attacks by controlling whether your site may be loaded in a frame (SAMEORIGIN allows framing only by pages from your own origin).
Implementation example:
X-Frame-Options: SAMEORIGIN
Permissions-Policy
This header allows you to control which browser features your site can use, such as geolocation, camera, or microphone.
Implementation example:
Permissions-Policy: geolocation=(), microphone=(), camera=()
How to implement these headers?
You can use the following plugins to help you implement these headers:
- WordPress: Headers Security Advanced & HSTS WP
- Drupal: Security Kit
- Prestashop: Security Pro - All In One
You can also add directives to your .htaccess file, for example:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src 'self'; img-src *; child-src 'none';"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set X-Frame-Options "SAMEORIGIN"
Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
How to check the security level of my site?
The website Security Headers offers an analysis of your site's security level.
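As an added example (not part of the original article or of the Security Headers service), the following Python script audits a set of response headers against the six headers listed above, flagging each as OK, WEAK or MISSING. The sample header set is constructed to match the examples in this article, with Permissions-Policy deliberately left out; the thresholds (one-year HSTS max-age, no wildcard default-src) are this example's own assumptions.

```python
"""Audit HTTP response headers against the six security headers described above."""
import re
from urllib.request import Request, urlopen

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; img-src *; child-src 'none';",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "X-Frame-Options": "SAMEORIGIN",
    # Permissions-Policy intentionally omitted to show a MISSING result
}

def hsts_ok(value):
    # Assumption: require a max-age of at least one year (31536000 s), as in the article's example.
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 31536000

def csp_ok(value):
    # Assumption: a default-src fallback must be present and must not be a bare wildcard.
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, sources = directive.partition(" ")
        if name.lower() == "default-src":
            return "*" not in sources.split()
    return False

CHECKS = {
    "Strict-Transport-Security": hsts_ok,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": csp_ok,
    "Referrer-Policy": lambda v: v.strip() != "",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Permissions-Policy": lambda v: v.strip() != "",
}

def audit_headers(headers):
    """Return {header: True (OK) | False (WEAK) | None (MISSING)} for the six headers."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return {name: (None if lower.get(name.lower()) is None else bool(check(lower[name.lower()])))
            for name, check in CHECKS.items()}

def audit_url(url):
    """Fetch a live site's response headers with a HEAD request and audit them (needs network)."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return audit_headers(dict(resp.headers))

if __name__ == "__main__":
    for name, status in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name:28} {({True: 'OK', False: 'WEAK', None: 'MISSING'})[status]}")
```

Run it as-is to audit the constructed sample, or call audit_url("https://your-site.example") to check the headers your own server actually sends.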
Updated on: 14/02/2026
Thank you!