Website Security Headers Explained (and How to Add Them)
02 Mar 2026 · AppTech Systems
Security headers are one of the highest-impact, lowest-effort improvements you can make to a website. They’re instructions your server sends with every page telling the browser how to behave safely — and adding them is usually a config change, not a rebuild. Here’s what each one does, in plain English. (To see which your site is missing right now, run our free Website Security Check.)
HSTS (Strict-Transport-Security)
Tells browsers to use HTTPS for your site and nothing else. Once a browser has seen the header it upgrades any http:// link to https:// on its own and refuses to click past certificate warnings, which shuts down downgrade (SSL-stripping) attacks where a user is silently served an insecure connection. Two caveats: the header only counts when it arrives over HTTPS, so it protects a visitor from their second visit onwards (unless you also submit the domain to the browser preload list), and browsers remember it for the full max-age, so deploy it only once HTTPS works everywhere (every subdomain too, if you add includeSubDomains), then set a long max-age such as one year.
Content-Security-Policy (CSP)
Your strongest defence against cross-site scripting (XSS). A CSP tells the browser where scripts, styles, images and other resources may be loaded from, so a script an attacker injects into your page is blocked before it runs. The catch is that the policy must not allow inline scripts: a script-src that includes 'unsafe-inline' (the quick fix when a site's own inline scripts break) gives that protection away. It's the most powerful header and the most involved to tune; start with a sensible policy, send it as Content-Security-Policy-Report-Only first so you can see what would break without breaking it, then tighten over time.
X-Frame-Options
Stops your site being loaded inside an invisible iframe on a malicious page (clickjacking), where users are tricked into clicking things they can't see. DENY is the safe default; use SAMEORIGIN only if your own pages need to frame each other. The CSP frame-ancestors directive does the same job with finer control (it can name specific sites) and takes precedence over X-Frame-Options in browsers that support it, so many sites send both.
X-Content-Type-Options
Set to nosniff, it stops browsers from second-guessing a file's type from its contents, so a user-uploaded file or a mislabelled response can't be treated as a script or stylesheet just because it looks like one. It's a one-line fix that closes a real gap, but it only works if your server sends an accurate Content-Type with every response.
Referrer-Policy & Permissions-Policy
Referrer-Policy controls how much of the current URL leaks to other sites when users click away or your page loads a third-party resource; strict-origin-when-cross-origin (now the default in major browsers) sends only your origin to other sites and nothing at all when the link drops from HTTPS to HTTP. Permissions-Policy restricts which browser features (camera, microphone, geolocation) your pages, and any third-party iframes on them, can use; lock down what you don't need.
How to add them
Headers are set at the server or platform level: your web server config (Nginx/Apache), a CDN like Cloudflare, or your host's settings (on Vercel/Netlify, a simple config file). You don't touch page code. Set each header in one place only; if your CDN and your origin both send a Content-Security-Policy, the browser enforces both, which makes debugging confusing. On Nginx, remember that an add_header inside a location block replaces the ones inherited from the server block rather than adding to them, so check every path, not just the home page. Add them, then re-run a checker to confirm the headers are actually on the wire, and check an error page too, since some servers only attach headers to successful responses unless told otherwise. If you'd rather we handle it, or the deeper question is how your app stores customer data, that's the kind of thing we build in by default. Our guide to the website security basics for SG SMEs covers the wider checklist.
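As an added example (not code from this article or from AppTech Systems' Security Check), here is a small POSIX shell script that audits a captured set of response headers against the recommendations above. The two header dumps are constructed for the example, one with a few headers in a weak state and one with the values you would actually copy into your config; the thresholds it applies (a one-year HSTS max-age, no 'unsafe-inline' or 'unsafe-eval' in the CSP, DENY or SAMEORIGIN for X-Frame-Options) are common baselines assumed here, not figures from this page. For a live site, feed it the output of `curl -sI https://your-site` instead.

```shell
#!/bin/sh
# Added example (not the article's or AppTech Systems' own code): audit a dump of
# HTTP response headers for the six headers above and report what is missing or
# weak. The dumps are constructed so it runs offline; for a live site, feed it
# the output of: curl -sI https://www.example.com
# Thresholds (one-year HSTS max-age, no 'unsafe-inline'/'unsafe-eval' in the
# CSP) are assumed baselines, not values taken from the article.

# Constructed "before" dump: headers added, but two of them configured weakly.
WEAK_HEADERS=$(cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
EOF
)

# Constructed "after" dump: the values you would actually put in your config.
GOOD_HEADERS=$(cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
EOF
)

# header_value DUMP NAME: print the value of header NAME (case-insensitive), or
# nothing if it is absent. Drops the CRs that curl leaves in HTTP/1.1 output.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    BEGIN { want = tolower(want) }
    index($0, ":") > 0 && tolower(substr($0, 1, index($0, ":") - 1)) == want {
      sub(/^[^:]*:[ \t]*/, ""); print; exit
    }'
}

# hsts_max_age VALUE: print the max-age number from an HSTS value (empty if none).
hsts_max_age() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# audit_headers DUMP: print one OK/MISSING/WEAK line per header and return the
# number of problems found (0 = nothing to fix).
audit_headers() {
  dump=$1; problems=0
  bad() { echo "$1"; problems=$((problems + 1)); }

  v=$(header_value "$dump" strict-transport-security)
  age=$(hsts_max_age "$v"); age=${age:-0}
  if [ -z "$v" ]; then bad "MISSING Strict-Transport-Security"
  elif [ "$age" -lt 31536000 ]; then bad "WEAK    Strict-Transport-Security: max-age=$age is under one year, so browsers forget the HTTPS rule quickly"
  else echo "OK      Strict-Transport-Security: $v"; fi

  csp=$(header_value "$dump" content-security-policy)
  if [ -z "$csp" ]; then bad "MISSING Content-Security-Policy"
  elif printf '%s\n' "$csp" | grep -qiE "'unsafe-(inline|eval)'"; then bad "WEAK    Content-Security-Policy: allows 'unsafe-inline'/'unsafe-eval', so injected script still runs"
  else echo "OK      Content-Security-Policy: $csp"; fi

  # Clickjacking: a CSP frame-ancestors directive covers it; otherwise X-Frame-Options must.
  xfo=$(header_value "$dump" x-frame-options | tr 'a-z' 'A-Z')
  if printf '%s\n' "$csp" | grep -qi 'frame-ancestors'; then echo "OK      framing: CSP frame-ancestors set"
  elif [ -z "$xfo" ]; then bad "MISSING X-Frame-Options (and no CSP frame-ancestors)"
  elif [ "$xfo" != DENY ] && [ "$xfo" != SAMEORIGIN ]; then bad "WEAK    X-Frame-Options: '$xfo' is neither DENY nor SAMEORIGIN"
  else echo "OK      X-Frame-Options: $xfo"; fi

  xcto=$(header_value "$dump" x-content-type-options | tr 'A-Z' 'a-z')
  if [ "$xcto" != nosniff ]; then bad "MISSING X-Content-Type-Options: nosniff (got '$xcto')"
  else echo "OK      X-Content-Type-Options: nosniff"; fi

  rp=$(header_value "$dump" referrer-policy | tr 'A-Z' 'a-z')
  if [ -z "$rp" ]; then bad "MISSING Referrer-Policy"
  elif [ "$rp" = unsafe-url ]; then bad "WEAK    Referrer-Policy: unsafe-url leaks full URLs to every site you link to"
  else echo "OK      Referrer-Policy: $rp"; fi

  pp=$(header_value "$dump" permissions-policy)
  if [ -z "$pp" ]; then bad "MISSING Permissions-Policy"
  else echo "OK      Permissions-Policy: $pp"; fi
  return "$problems"
}

# problem_count DUMP: print the number of problems audit_headers finds.
problem_count() {
  n=0; audit_headers "$1" >/dev/null || n=$?
  echo "$n"
}

echo "== before =="; n=0; audit_headers "$WEAK_HEADERS" || n=$?; echo "-> $n problem(s)"
echo "== after  =="; n=0; audit_headers "$GOOD_HEADERS" || n=$?; echo "-> $n problem(s)"
```

The "after" dump doubles as a starting set to paste into your config; you will still need to widen script-src and style-src for whatever your own pages legitimately load. The script deliberately flags an HSTS max-age of 300: a short value like that is reasonable while you confirm HTTPS works everywhere, but it should be raised to a year before you call the job done.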
Which headers is your site missing? Check in seconds.
Run the Security Check