HTTP security headers
These are instructions in the HTTP response that tell the browser how to protect itself. For example: "don't display this site insi…
Understanding "HTTP security headers"
HTTP security headers are directives your server includes in every response to tell the browser how to behave. They don't encrypt anything (that is TLS's job); they set protection rules against specific attack categories: script injection, MIME type sniffing, URL leaks to third parties through the Referer header, unauthorised framing of your pages. A few lines of server configuration significantly strengthen a site's security posture.
The most important headers are: Content-Security-Policy (an allowlist of the sources the page may load scripts and other resources from), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy (controls what is sent in the Referer header), and Permissions-Policy (disables browser APIs the site does not use). Strict-Transport-Security (forces HTTPS on later visits) and X-Frame-Options (restricts framing) round out the set shown below. Missing these headers doesn't stop the site from working, but it exposes visitors to avoidable risks.
With security headers (example response):
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  Content-Security-Policy: default-src 'self'
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=()
Without security headers:
  → MIME sniffing enabled
  → iframes unrestricted
  → sensitive APIs accessible
How TheSiteFuse checks "HTTP security headers"
TheSiteFuse retrieves the response headers from the homepage and checks them against a list of key security headers. Each missing header generates a warning or an error, depending on its importance. The check also validates values: for example, X-Content-Type-Options accepts only nosniff, so any other value is treated as if the header were absent.
Why "HTTP security headers" matters
Missing security headers expose your site to classic attacks:
- Without X-Content-Type-Options — the browser may sniff the content and run a file served as text or an image as JavaScript or CSS if its bytes look like code. With user-uploaded files this is a route to script execution on your origin; nosniff makes the browser honour the declared Content-Type for scripts and stylesheets.
- Without Referrer-Policy — the browser's built-in default decides what goes into the Referer header. Current browsers default to strict-origin-when-cross-origin, but older ones sent the full URL of your pages (including query parameters or tokens) to every third-party server loading a resource; setting the policy explicitly removes that dependency on the visitor's browser.
- Without Permissions-Policy — any script running in your page, including third-party ad or analytics scripts, can prompt your visitors for camera, microphone or geolocation access, and the page can delegate those features to embedded frames. camera=() turns the feature off for the page and every frame in it.
- Without Content-Security-Policy — an XSS flaw wherever user content is displayed lets injected script run unrestricted. A CSP does not fix the injection, but it limits where scripts may be loaded from and whether inline scripts run, which blunts most payloads.
Fix "HTTP security headers" step by step
Apache
Enable mod_headers first (sudo a2enmod headers), then add to your HTTPS VirtualHost. The always condition makes the headers apply to error responses as well, which the default condition does not:
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
  Header always set X-Frame-Options "SAMEORIGIN"
Nginx
Add to the server block. Caveat: add_header is not merged across levels; a location block that contains its own add_header inherits none of the server-level ones, so repeat the full set there (or put the directives in a file and include it at each level):
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
Verify after adding
  curl -I https://yoursite.com | grep -iE "x-content|referrer|permissions|x-frame"
Note that -I sends a HEAD request; if a header shows up in the browser but not here, re-test with a normal GET request. Also check an error page (for example a 404) and a location that has its own nginx add_header block, since those are where the headers most often go missing.
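To make both the check described under "How TheSiteFuse checks" and the verify step concrete, here is an added example that is not TheSiteFuse's own code. It parses the header block that curl -I prints and applies the presence and value rules from this page (nosniff as the only valid X-Content-Type-Options value, an invalid value treated as absent, a Referrer-Policy that leaks the full URL flagged). The severity per header, the one-year HSTS threshold, the CSP and X-Frame-Options value rules, and the two sample responses are assumptions made for the example.

```python
"""Added example, not TheSiteFuse's code: check a raw HTTP response head
(as printed by `curl -I`) for the security headers discussed on this page.
Severities, the one-year HSTS threshold and the sample responses are assumed."""
from __future__ import annotations

import re

# Header name -> severity when missing or invalid (assumed weights).
REQUIRED = {
    "strict-transport-security": "error",
    "content-security-policy": "error",
    "x-content-type-options": "warning",
    "referrer-policy": "warning",
    "permissions-policy": "warning",
    "x-frame-options": "warning",
}

# Referrer-Policy values defined by the spec. The two "leaky" ones send the
# full URL to cross-origin servers, which is the leak the page warns about.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}
ONE_YEAR = 31536000


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a response head: status line, header lines, blank line.
    Names are case-insensitive, so they are folded to lower case; repeated
    headers are kept in order because the browser sees all of them."""
    headers: dict[str, list[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def validate(name: str, value: str) -> str | None:
    """Return a problem description for a present header, or None if it is fine."""
    v = value.strip().lower()
    if name == "x-content-type-options":
        # nosniff is the only valid value; anything else is as good as absent.
        return None if v == "nosniff" else f"invalid value {value!r}, treated as absent"
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m:
            return "no max-age directive, treated as absent"
        if int(m.group(1)) < ONE_YEAR:
            return f"max-age {m.group(1)} is below one year"
        return None
    if name == "referrer-policy":
        # A comma-separated list is allowed; the last recognised policy wins.
        policies = [p.strip() for p in v.split(",") if p.strip()]
        known = [p for p in policies if p in REFERRER_POLICIES]
        if not known:
            return f"unknown value {value!r}, treated as absent"
        if known[-1] in LEAKY_REFERRER_POLICIES:
            return f"{known[-1]} sends the full URL to cross-origin servers"
        return None
    if name == "x-frame-options":
        return None if v in {"deny", "sameorigin"} else f"invalid value {value!r}, treated as absent"
    if name == "content-security-policy":
        # Without default-src or script-src the policy does not restrict scripts.
        if not re.search(r"(^|;)\s*(default-src|script-src)\s", v + " "):
            return "policy restricts neither default-src nor script-src"
        return None
    return None   # Permissions-Policy: presence is enough for this check


def check_headers(headers: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (severity, header, problem) findings; an empty list means all good."""
    findings = []
    for name, severity in REQUIRED.items():
        values = headers.get(name)
        if not values:
            findings.append((severity, name, "missing"))
            continue
        problem = validate(name, values[0])   # first occurrence is checked
        if problem:
            findings.append((severity, name, problem))
    return findings


# Constructed sample responses, in the shape `curl -I` prints them.
GOOD_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
content-security-policy: default-src 'self'
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
x-frame-options: SAMEORIGIN

"""

BAD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: no-sniff
Strict-Transport-Security: max-age=300
Referrer-Policy: unsafe-url

"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        findings = check_headers(parse_headers(raw))
        print(f"{label}: {len(findings)} finding(s)")
        for severity, name, problem in findings:
            print(f"  [{severity}] {name}: {problem}")
```

Feed it the output of curl -I (or a GET with the headers dumped) instead of the constructed samples to check a live site; the bad sample shows the three ways a header can fail this kind of check: missing entirely, present with a misspelt value, and present with a value that is valid but weak.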
Reference resource
To deepen your understanding of the technical concepts behind this check, see the dedicated Wikipedia article.
Wikipedia — HTTP security headers