HTTP Security Headers

Security Headers explained.

Overview

What are Security Headers?

HTTP security headers provide additional security controls to protect against common web vulnerabilities like clickjacking, MIME type sniffing, and information leakage.

Importance

Why they matter.

Security headers are a fundamental defense against web attacks. X-Frame-Options prevents clickjacking by restricting which sites may frame your pages. X-Content-Type-Options prevents MIME sniffing attacks. Referrer-Policy controls how much URL information leaks to other sites through the Referer header. security.txt provides a standard way for researchers to report security vulnerabilities. All four are baseline requirements for modern web security.

Risks

What can go wrong.

Without these headers, your site is exposed to clickjacking, MIME type confusion attacks and information leakage through the Referer header, and security researchers have no easy way to report vulnerabilities to you. These gaps are low-hanging fruit for attackers.

Under the hood

Technical details.

Security headers checked:

1) X-Frame-Options: prevents iframe embedding; should be DENY or SAMEORIGIN.
2) X-Content-Type-Options: nosniff; prevents MIME sniffing.
3) Referrer-Policy: controls what referrer information is sent.
4) security.txt file at /.well-known/security.txt or /security.txt (RFC 9116).
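As an added example (not code from this page or from the checker itself), the following Python applies the four checks above to a captured set of response headers and a list of paths where a security.txt was found. The sample responses are constructed; `fetch_headers` is a convenience helper for live use and is not needed for the evaluation.

```python
"""Evaluate the four HTTP Security Headers checks against a response."""
import urllib.request
from typing import Dict, List, Optional, Tuple

# (check name, passed, observed value)
Result = Tuple[str, bool, str]

ALLOWED_XFO = ("DENY", "SAMEORIGIN")
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def evaluate(headers: Dict[str, str], security_txt_paths: List[str]) -> List[Result]:
    """Apply the X-Frame-Options, X-Content-Type-Options, Referrer-Policy and
    security.txt checks. `security_txt_paths` lists paths that returned a
    security.txt (may be empty)."""
    results: List[Result] = []
    xfo = _get(headers, "X-Frame-Options")
    # ALLOW-FROM and any other value do not pass; only DENY or SAMEORIGIN do.
    results.append(("X-Frame-Options", xfo is not None and xfo.upper() in ALLOWED_XFO, xfo or "missing"))
    xcto = _get(headers, "X-Content-Type-Options")
    results.append(("X-Content-Type-Options", xcto is not None and xcto.lower() == "nosniff", xcto or "missing"))
    rp = _get(headers, "Referrer-Policy")
    results.append(("Referrer-Policy", bool(rp), rp or "missing"))
    found = [p for p in security_txt_paths if p in SECURITY_TXT_PATHS]
    results.append(("security.txt", bool(found), ", ".join(found) or "not found"))
    return results


def score(results: List[Result]) -> Tuple[int, int]:
    """Return (checks passed, checks total)."""
    return sum(1 for _, ok, _ in results if ok), len(results)


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch response headers with a HEAD request (network access required)."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses, not captured from any real domain.
HARDENED = {"x-frame-options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin"}
WEAK = {"X-Frame-Options": "ALLOW-FROM https://example.com", "Server": "nginx"}
```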

Take action

Check your domain’s security headers.

Run a free security check to see how your domain scores across all sixteen checks, including HTTP security headers.