Security Headers Explained: Quiet, Powerful Protection
Security headers are small settings that quietly defend your site against a whole class of attacks.
Some of the most effective website security measures are also the most invisible. Security headers are a perfect example — a handful of instructions your server sends to every visitor's browser, telling it how to behave more safely.
They cost nothing, slow nothing down, and protect against several common attacks. Yet a great many sites do not use them at all. Here is what they do and why they are worth setting up.
What security headers are
When a browser loads your site, your server can send along extra instructions known as headers. Security headers are a specific set of these that tell the browser to enforce safer behaviour — for example, only connecting over HTTPS, or refusing to load scripts and other content from sources you have not approved.
Because the browser does the enforcing, these headers work on the visitor's side. They are a way of hardening how your site is handled, closing off avenues that attackers might otherwise exploit.
What they protect against
Different headers tackle different threats. One can force every connection to use HTTPS, preventing visitors from being downgraded to an insecure link. Another can stop other sites from embedding yours in a hidden frame to deceive your users, an attack known as clickjacking.
Content security policies can limit where scripts and resources are allowed to load from, which is a strong defence against the kind of injected code used in cross-site scripting attacks. Together, these headers close common gaps that automated attacks routinely probe for.
Adding them safely
Security headers are added at the server level and apply across your whole site. Most are simple to switch on, but some — particularly content security policies — need careful tuning, because too strict a setting can accidentally block your own legitimate scripts and styles.
Free online tools can scan your site and grade your headers, which makes it easy to see what is missing. Setting them up properly is a quick, high-value job for a developer, and it is the kind of quiet hardening that a good care plan includes as a matter of course.
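The three protections described above (forcing HTTPS, blocking framing, and restricting where scripts load from) can be checked without an online scanner. The script below is an added example, not code from the original article or from any scanning tool it alludes to: it audits a set of response headers offline, using three constructed header sets (a hardened site, a bare site, and a site whose headers are present but weakened). The one-year minimum for the HSTS max-age is an assumption chosen for this example, matching the commonly recommended minimum.

```python
"""Offline audit of HTTP response headers for the security headers discussed
above. All sample header sets below are constructed for this example."""
import re
import urllib.request

# Lowest HSTS max-age this audit accepts: one year in seconds. This threshold
# is an assumption chosen for the example (the commonly recommended minimum).
MIN_HSTS_MAX_AGE = 31536000


def _get(headers, name):
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy):
    """Turn a Content-Security-Policy string into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """Return a list of findings for the given response headers.
    An empty list means every check in this audit passed."""
    findings = []

    # 1. HSTS forces HTTPS so a visitor cannot be downgraded to plain HTTP.
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    # 2. Clickjacking: either X-Frame-Options or the CSP frame-ancestors
    #    directive must stop other sites from embedding this one in a frame.
    csp_raw = _get(headers, "Content-Security-Policy")
    csp = parse_csp(csp_raw) if csp_raw else {}
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options or frame-ancestors)")

    # 3. CSP limits where scripts may load from; 'unsafe-inline' in script-src
    #    (or in default-src when script-src is absent) lets injected inline
    #    scripts run, which defeats the XSS protection the policy is meant to give.
    if csp_raw is None:
        findings.append("missing Content-Security-Policy")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")

    return findings


def fetch_headers(url):
    """Fetch a live site's response headers as a dict (not used by the
    offline samples below; requires network access)."""
    with urllib.request.urlopen(url) as response:
        return dict(response.headers.items())


# Constructed sample: the headers a hardened site might send.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}
# Constructed sample: a site that has never set any security header.
BARE = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}
# Constructed sample: headers present (lower-case names) but weakened.
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "x-frame-options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("bare", BARE), ("weak", WEAK)):
        print(label, audit_headers(sample) or ["ok"])
```

Run as-is, the hardened sample passes and the other two each produce three findings. When tuning a policy on a real site, the same checks apply to the Content-Security-Policy-Report-Only header, which browsers report violations for without blocking anything, so a policy can be tested against your own scripts and styles before it is enforced.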
Common questions.
Do security headers slow my site down?
Can I check my own security headers?
Do security headers need to be set up differently depending on what platform the site is built on?