Harden your website security with HTTP security headers

HTTP security headers guide

HTTP security headers provide an extra layer of security for your computer by helping to limit cyberattacks and through mitigating security vulnerabilities. By keeping up with HTTP security headers best practices, your website or website application will be more secure. The good news is that implementing these headers is easy, and they only require a small change to the configuration of the web server.

The even better news is that our Hexometer can now check your HTTP security headers and alert you when things need to be fixed. This means you can spend more time on your business and less time worrying about serving pages securely on your website #peaceofmind.

What are HTTP security headers?

When a browser requests a page from a web server, the server responds by providing both the requested content and HTTP response headers, some of which contain metadata such as Content-Encoding, Cache-Control, status codes, and few others. The server also provides HTTP security headers – these tell your browser how to behave when they are handling your content.

In this list, we have curated eight different security headers that should be implemented wherever possible. They are in no particular order.


Cross Site Scripting attacks can be prevented with this header. This particular type of attack accounts for 84% of all security vulnerabilities on webpages, but very few of these pages are actually protected by this header. In addition, you can also be protected from other code injection attacks. It works by defining content sources which are approved and allowing the browser to load them.

All major browsers now offer full or partial support for Content Security Policy. If the content is sent to an older browser, it will not be executed.

There are many different directives which can be used with this Policy, making it customisable for your website’s needs.


Browser features can be enabled or denied with this header, regardless of whether the feature is in its own frame or it is content within an inline frame element.


This header enables the cross-site scripting (XSS) filter that is found in modern web browsers. It is usually enabled but using this header will enforce its functionality. Internet Explorer, Chrome, and Safari are three browsers that support it.


This security enhancement restricts web browsers so they can only access web servers over HTTPS. Enabling this boosts security as it means insecure HTTP connections cannot be established, which could be vulnerable to online attacks.

All modern browsers support it, except for older versions of Internet Explorer and Opera Mini.


X-Frame-Options is a header that provides clickjacking protection by preventing iframes from loading on your website. It is supported by Internet Explorer, Chrome, Safari, Firefox, and Opera.


This header stops Chrome and Internet Explorer from taking a response away from the declared content-type. Preventing this reduces the danger of drive-by downloads, and it helps treat the content the right way.


The Referrer-Policy is a security header which should be included on communication from your website’s server to your client. This means that the web browser knows how to handle referrer information that is sent to websites when a user clicks a link that leads to another page or another website entirely.

You can configure this Policy to give no information to the destination site, partial information or all information in a full URL path. Defining a policy is considered good practice, so consider implementing one.


This handy feature prevents mis issued certificates from being used. It works by permitting websites to report and optionally enforce Certificate Transparency requirements. When it is enabled, the website requests the browser to check if the certificate appears in CT logs.

How to check your HTTP security headers

You can check your HTTP security headers using Chrome DevTools or the Firefox dev tools; refresh the page with the Network Panel Press, click into the domain request and there will be a section for your response headers. But the easiest way is to use Hexometer’s AI assisted website monitoring which checks over 2800 data points 24/7 to ensure optimal website health and performance.

For the ultimate peace of mind be sure to sign up for our free trial which takes minutes to setup at www.hexometer.com

Scroll to Top