Skip to content
Tanner
Preserve
All guides
Security and trust

Three security headers most sites never set

6 min readUpdated July 1, 2026
01

What a security header is, in plain English

A security header is a single line your website sends to a visitor's browser before the page shows up. It's an instruction: use the encrypted connection, don't guess at file types, don't let other sites frame this page. The browser enforces the rule, your visitor never sees a thing, and a class of attacks stops working.

Most small business sites send none of them, because nobody ever flipped the switch. Audit tools flag it because the fix takes minutes, and a missing header is visible to anyone who scans your domain, including the people reviewing your cyber insurance application.

02

See your grade first (2 minutes)

Go to securityheaders.com, type your domain, tick Hide results if you don't want your scan in the site's public feed, and click Scan. Free, no signup. You get a letter grade from A+ down to F, with a red box for every missing header.

Note your grade. You'll rescan at the end, and the grade moving is how you know the change took. Also check which headers already show green: some hosts set one or two for you.

03

The three headers and their exact values

These three have the best ratio of protection to effort. Each is one line, none require changes to your pages, and the values copy over exactly:

  • Strict-Transport-Security: max-age=31536000 (tells every returning browser to use the encrypted https connection for the next year, measured in seconds, even if someone types plain http; it shuts down connection downgrade tricks on public wifi)
  • X-Content-Type-Options: nosniff (stops browsers from guessing what a file is; without it, a browser can decide a harmless-looking upload is actually a script and run it)
  • X-Frame-Options: SAMEORIGIN (stops other websites from loading your pages inside an invisible frame, a trick used to overlay fake buttons on your real ones so people click things they can't see)
Field note

You'll see advice online to add "preload" to the Strict-Transport-Security line. Skip it. Preload puts your domain on a list baked into browsers themselves, and getting off that list can take months if a subdomain breaks. Plain max-age gives you the protection without the commitment.

04

If your domain runs through Cloudflare

If you log into dash.cloudflare.com to change DNS records, this is your easiest path, and it works no matter who hosts the site. Everything here is on the free plan.

First header: click your domain, then SSL/TLS > Edge Certificates. Scroll to HTTP Strict Transport Security (HSTS), click Enable, and read the warning. Set Max Age Header to 12 months. Leave Include subdomains and Preload off unless you're certain every subdomain you own loads over https.

The other two: go to Rules > Transform Rules > Modify Response Header and click Create rule. Name it "security headers", apply it to all incoming requests, then choose Set static with header name X-Content-Type-Options and value nosniff. Add a second header in the same rule, X-Frame-Options with value SAMEORIGIN, and deploy.

05

If your site is WordPress or regular hosting

On most shared hosting (Bluehost, HostGator, and similar), headers go in a file called .htaccess. Log into your hosting control panel, open File Manager, and go to public_html. If you don't see .htaccess, turn on Show hidden files in the File Manager settings. Download a copy first so you can put it back if anything goes sideways. Then edit it and paste this at the very bottom:

<IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=31536000" Header always set X-Content-Type-Options "nosniff" Header always set X-Frame-Options "SAMEORIGIN" </IfModule>

Save, then load your site in a fresh tab. If it loads normally, you're done. If you get a server error page, your host isn't running Apache: delete what you pasted, save again, and open a support ticket instead. Paste the three header lines and ask them to add these response headers to your site. Any competent host handles this without drama.

If you'd rather stay inside WordPress, the free Redirection plugin can do it: install and activate it, go to Tools > Redirection > Site, scroll to HTTP Headers, and add the three headers with the values from this guide.

06

Site builders, and proving it worked

Wix, Squarespace, and GoDaddy's website builder don't give you a place to set custom response headers. They control the server and have made some of these choices for you. Run the scan anyway: builder sites usually come back with at least one of the three green already. You just can't add the missing ones from the builder's dashboard.

Your one real lever on a builder is pointing your DNS at Cloudflare's free plan and setting the headers there, per the section above. That's a bigger job (about an hour, plus a nameserver change at your registrar), so weigh it against how the rest of your scan looks.

Whichever path you took, rescan at securityheaders.com. The three headers should show green and the grade should move, usually from an F or D up to a B. Then open your site in a private window and click through the contact form, any embedded map or booking widget, and the photo gallery. Headers take effect immediately, so if everything works now, it'll keep working.

Common questions

Questions that come up

Will these three headers break anything on my site?

Almost never. Strict-Transport-Security and nosniff are safe on any site that already loads with the padlock. The one to watch is X-Frame-Options: if another site legitimately embeds your pages inside a frame (some directories do this), SAMEORIGIN blocks that. Embeds on your own site, like Google Maps or a booking widget, aren't affected. The header controls who can frame you, not what you can frame.

The scanner lists more headers, like Content-Security-Policy. Should I add those too?

Referrer-Policy and Permissions-Policy are reasonable follow-ups. Content-Security-Policy is the big one and the fussy one: written wrong, it blanks your own site. Treat it as its own project with careful testing, not a copy-paste job.

I'm on Wix or Squarespace and can't add the missing ones. Is my site unsafe?

Not in the burning-building sense. These headers close off specific tricks, and the builders run their own protections behind the scenes. The gap shows up mostly in how your site looks to anyone who scans it: an audit, a cyber insurance review, or a security-minded commercial customer. If those matter, the Cloudflare route gets you the rest of the way.

Do security headers help my Google ranking?

Not directly. Google has never listed them as a ranking signal. Https itself matters to Google, and Strict-Transport-Security enforces https, so there's a loose connection, but add these for security, not rank.

Or skip the homework

Rather I just did this?

Fair. The audit shows where your site actually stands in about a minute, then you decide. No email required, no pressure, just the truth.