How to Check Your Website's Security Headers (And Why Most Sites Fail)
Security headers are HTTP response headers that tell the browser how to behave when loading your site. They're one of the easiest, most impactful things you can add to protect your users — yet most websites are missing at least half of them. If you've never checked yours, you might be surprised at how exposed your site is.
In this guide, we'll explain what security headers are, which ones actually matter, and how to audit your site in under 30 seconds using a free scanner.
What Are Security Headers?
When your browser requests a page, the server responds with HTTP headers before the actual content. Most of these are mundane — content type, cache instructions, cookies. But a subset exists purely for security: they tell the browser what to allow, what to block, and how to handle potentially dangerous situations.
Think of them as instructions your server gives the browser: "Don't load scripts from random domains." "Don't let this page be embedded in an iframe." "Only connect over HTTPS." Without them, your users are at the mercy of whatever default behavior the browser chooses — and those defaults are often permissive.
The 7 Security Headers Every Website Needs
1. Content-Security-Policy (CSP)
The most powerful security header. CSP defines which sources the browser is allowed to load scripts, styles, images, and other resources from. A strong CSP stops cross-site scripting (XSS) attacks dead in their tracks.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';Start with a restrictive policy and loosen it as needed. The report-uri directive lets you collect violations without blocking — useful during rollout.
2. Strict-Transport-Security (HSTS)
Tells the browser to always use HTTPS, even if the user types http://. This prevents SSL-stripping attacks where an attacker intercepts the initial HTTP request before the redirect to HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload3. X-Content-Type-Options
Prevents the browser from MIME-sniffing a response away from the declared content type. Without it, an attacker could trick the browser into interpreting an image upload as JavaScript.
X-Content-Type-Options: nosniff4. X-Frame-Options
Prevents your site from being loaded inside an iframe, which stops clickjacking attacks — where a malicious page overlays invisible iframes over buttons to hijack clicks.
X-Frame-Options: DENY5. Referrer-Policy
Controls how much referrer information is sent when navigating away from your site. Without it, sensitive URLs (with tokens, user IDs, or session data) could leak to third-party sites.
Referrer-Policy: strict-origin-when-cross-origin6. Permissions-Policy
Restricts which browser features your site can use — camera, microphone, geolocation, payment, etc. If your site doesn't need these features, disabling them reduces your attack surface.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()7. X-XSS-Protection
A legacy header that activates the browser's built-in XSS filter. Modern browsers have deprecated it in favor of CSP, but it still provides a safety net for older browsers.
X-XSS-Protection: 1; mode=blockHow to Check Your Security Headers Right Now
You could manually inspect headers with browser DevTools or curl -I yoursite.com, but that only shows raw values — it doesn't tell you what's missing, misconfigured, or weak.
A better approach is to use a security scanner that checks all headers, grades your configuration, and explains exactly what to fix. WebSentry does this in under 10 seconds — paste your URL, hit scan, and get a detailed breakdown of all 7 headers plus SSL, cookies, DNS authentication, and more.
What a Good Security Headers Report Looks Like
A site with properly configured headers will score in the A range (80–100 out of 100). Here's what you should see:
- CSP present and restrictive — not just
default-src * - HSTS with long max-age — at least 1 year (31536000 seconds)
- X-Content-Type-Options: nosniff — exactly this value, nothing else
- X-Frame-Options: DENY or SAMEORIGIN — depending on whether you need iframes
- Referrer-Policy set — anything other than
unsafe-url - Permissions-Policy disabling unused features
- No server version leakage — Server header shouldn't reveal Apache/2.4.51 or nginx/1.20
Common Mistakes That Tank Your Score
Even sites that have some headers in place often make these mistakes:
- Overly permissive CSP: Using
script-src 'unsafe-inline' 'unsafe-eval'defeats the purpose entirely - Short HSTS max-age: Setting it to a few minutes provides no real protection
- Missing on subdomains: Adding headers to
wwwbut not the API subdomain - Relying only on X-Frame-Options: Modern browsers prefer CSP's
frame-ancestorsdirective - Leaking server info: Exposing
X-Powered-By: ExpressorServer: Apache/2.4.51
How to Add Security Headers to Your Site
Where you add headers depends on your stack:
Cloudflare (recommended)
If your site is behind Cloudflare, add headers via a Worker or Transform Rule — no code changes needed:
// Cloudflare Worker
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request));
});
async function handleRequest(request) {
const response = await fetch(request);
const newResponse = new Response(response.body, response);
newResponse.headers.set('X-Content-Type-Options', 'nosniff');
newResponse.headers.set('X-Frame-Options', 'DENY');
newResponse.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
newResponse.headers.set('Permissions-Policy', 'camera=(), microphone=()');
newResponse.headers.set('Strict-Transport-Security',
'max-age=31536000; includeSubDomains; preload');
return newResponse;
}Nginx
# Add to your server block
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;Express.js / Node
const helmet = require('helmet');
app.use(helmet()); // Sets all major security headers automaticallyTest After Every Change
After adding headers, rescan your site to verify everything is working. Headers can be overridden by CDNs, load balancers, or application frameworks — what you set in config isn't always what reaches the browser.
With a tool like WebSentry, you can rescan instantly and see your score improve in real time. If you set up monitoring on the Pro plan, you'll also get alerts if a deployment accidentally removes a header.
Bottom Line
Security headers are low-effort, high-impact. They cost nothing to add, take 10 minutes to configure, and protect your users from entire classes of attacks. If you haven't checked yours yet, run a free scan now and see where you stand.