Add the HTTP security headers every site should send
HSTS, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options are cheap, high-impact defences that many sites still omit.
Why it matters
These headers cut off whole classes of attack in the browser itself: HSTS stops protocol downgrade and SSL-stripping on repeat visits, Content-Security-Policy limits where scripts may load from and so blunts cross-site scripting, nosniff stops MIME sniffing, and a frame policy prevents clickjacking. Missing headers are among the most common findings in an external scan and an easy win for an auditor.
How to fix it
Send Strict-Transport-Security to force HTTPS (browsers only honour it on HTTPS responses, so the plain-HTTP listener should just redirect), a Content-Security-Policy that constrains script sources, X-Content-Type-Options: nosniff, a frame policy (X-Frame-Options, or the CSP frame-ancestors directive that supersedes it in current browsers) and a Referrer-Policy. Roll out CSP as Content-Security-Policy-Report-Only first and read the violation reports before enforcing it: default-src 'self' blocks inline scripts and third-party scripts your pages may rely on. Treat includeSubDomains with the same care; once a browser has cached it, every subdomain must serve valid HTTPS for max-age seconds.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
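The header set above as working code, added here as an example and not the page's or any project's own: a WSGI middleware that sends the headers, and an audit function that checks a response's headers the way an external scanner does, covering the report-only and plain-HTTP cases from the fix text. It adds frame-ancestors 'none' to the CSP alongside X-Frame-Options; the check thresholds (one-year max-age, no inline or wildcard script sources) and the sample app are this example's own assumptions.

```python
"""Added example (not the page's own code): a WSGI middleware that sends the
baseline security headers, plus an audit that checks a response the way an
external scanner would. Thresholds here are this example's own assumptions."""
from typing import Dict, Iterable, List, Tuple

ONE_YEAR = 31536000  # seconds, the HSTS max-age the page recommends

SECURITY_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def add_security_headers(app, report_only: bool = False):
    """Wrap a WSGI app so every response carries SECURITY_HEADERS; headers the app
    already set win. report_only=True sends the CSP as Content-Security-Policy-Report-Only
    (violations reported, nothing blocked), the safe way to roll a new policy out."""
    def middleware(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name == "Content-Security-Policy" and report_only:
                    name = "Content-Security-Policy-Report-Only"
                # Browsers ignore HSTS on plain-HTTP responses; the HTTP listener
                # should only redirect to HTTPS, so just the HTTPS side sends it.
                if name == "Strict-Transport-Security" and environ.get("wsgi.url_scheme") != "https":
                    continue
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return middleware

def _directives(value: str) -> Dict[str, str]:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out

def _csp_sources(csp: str, directive: str) -> List[str]:
    """Lower-cased source list of one CSP directive, or [] if it is not declared."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [t.lower() for t in tokens[1:]]
    return []

def audit_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Findings for one response's headers; an empty list means every check passed."""
    h = {name.lower(): value for name, value in headers}
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = _directives(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP only in report-only mode (not enforced)"
                        if "content-security-policy-report-only" in h else "CSP missing")
    else:
        # script-src governs scripts; default-src is the fallback when it is absent
        scripts = _csp_sources(csp, "script-src") or _csp_sources(csp, "default-src")
        if not scripts:
            findings.append("CSP constrains no script sources")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script sources allow inline or any-origin scripts")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and _csp_sources(csp, "frame-ancestors")):
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings

def hello_app(environ, start_response):
    """Constructed sample app that, like most frameworks by default, sets only Content-Type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]

def response_headers(app, scheme: str = "https") -> List[Tuple[str, str]]:
    """Run a WSGI app against a minimal constructed environ; return its response headers."""
    captured: List[Tuple[str, str]] = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}, start_response))
    return captured
```

Wrap any WSGI app with add_security_headers and the audit of its HTTPS responses comes back empty; switch the scheme to http and it reports HSTS missing, which is the intended behaviour. audit_headers also accepts the header list of a live response, for example the result of getheaders() on an http.client response, so the same checks can be run against a deployed site before an external scanner does.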
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Fix TLS: valid certificate and modern protocols only
- Remove exposed .git, .env and backup files
- Disable directory listing
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.