Severity: Medium. Compliance references: GDPR Art. 32, ISO 27001 A.8.26, NIST CSF PR.PS

Add the HTTP security headers every site should send

HSTS, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options are cheap, high-impact defences that most sites omit.

Why it matters

These headers close whole classes of attack — protocol downgrade, cross-site scripting, MIME sniffing, and clickjacking — at the browser level. Their absence is the most common finding in an external scan and an easy win for an auditor.

How to fix it

Send HSTS to force HTTPS, a Content-Security-Policy to constrain script sources, X-Content-Type-Options: nosniff, and a frame policy. Roll out CSP in report-only mode first to avoid breaking your own scripts.

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
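The following is an added example, not code from the original guide or from the scanning service it describes. It shows both sides of the procedure above: a small WSGI middleware that adds the recommended headers to every response (with the option of sending the CSP in report-only mode first, as the guide advises), and an audit function that grades a captured response-header set against the same baseline. The header values are taken from the block above; the demo app, the middleware class and the `/csp-report` reporting endpoint path are constructed for illustration.

```python
"""Emit and audit the HTTP security headers recommended above (added example)."""
import re
from wsgiref.util import setup_testing_defaults

ONE_YEAR = 31536000  # seconds; HSTS preload lists expect at least this

# Baseline header set, copied from the guide's recommended values.
RECOMMENDED = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def security_headers(csp_report_only=False, report_uri=None):
    """Return the headers to send; optionally ship the CSP in report-only mode.

    Report-only mode makes the browser report violations without blocking, so a
    policy can be rolled out and tuned before it is enforced. `report_uri` is a
    constructed example path; `report-uri` is the older directive and is still
    honoured by current browsers alongside `report-to`.
    """
    headers = dict(RECOMMENDED)
    if csp_report_only:
        csp = headers.pop("Content-Security-Policy")
        if report_uri:
            csp += f"; report-uri {report_uri}"
        headers["Content-Security-Policy-Report-Only"] = csp
    return headers


class SecurityHeadersMiddleware:
    """WSGI middleware (hypothetical) that adds any missing security headers."""

    def __init__(self, app, **header_opts):
        self.app = app
        self.header_opts = header_opts

    def __call__(self, environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            # Do not override headers the application already set deliberately.
            present = {name.lower() for name, _ in response_headers}
            for name, value in security_headers(**self.header_opts).items():
                if name.lower() not in present:
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, patched_start_response)


def audit_headers(headers):
    """Return a list of findings for a response-header mapping (case-insensitive names)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy", "")
    if not csp:
        if "content-security-policy-report-only" in h:
            findings.append("CSP only in report-only mode (not enforced)")
        else:
            findings.append("CSP missing")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Either legacy X-Frame-Options or a CSP frame-ancestors directive counts.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no frame policy (X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


def hello_app(environ, start_response):
    """Constructed demo application that sets no security headers itself."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def collect_response_headers(app, path="/"):
    """Invoke a WSGI app offline and return its response headers as a dict."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["headers"] = dict(response_headers)

    b"".join(app(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    print("bare app:", audit_headers(collect_response_headers(hello_app)))
    wrapped = SecurityHeadersMiddleware(hello_app)
    print("wrapped app:", audit_headers(collect_response_headers(wrapped)))
```

Run it unwrapped and the audit lists all five gaps; wrap the app and the list is empty. Starting with `csp_report_only=True` leaves exactly one finding, the unenforced CSP, which is the intended state during rollout and the reminder to switch to enforcement once the violation reports are clean.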

Is your domain affected?

Prove ownership and run a scan for a graded, verifiable report.

Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.