Medium Severity | Security Headers

Fix: Missing Security Headers

Your web server is missing one or more important security headers that instruct browsers to enable built-in security features against common web attacks.

Quick Fix

Add the essential security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and, where your site is ready for them, Strict-Transport-Security and Content-Security-Policy) in your web server configuration, reload the server, and confirm they appear on the final response of a GET request.

What This Error Means

HTTP security headers are instructions sent by your server to the browser. Without them, browsers fall back to permissive defaults: any site may load your pages in a frame, responses served with a wrong Content-Type may be sniffed into executable types, the full URL of the current page leaks to other sites through the Referer header, and embedded frames may request powerful features such as the camera. The headers most often reported missing are X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Why It Matters

Security headers protect against clickjacking (X-Frame-Options), MIME-type sniffing attacks (X-Content-Type-Options), information leakage through the Referer header (Referrer-Policy), and unwanted use of powerful browser features such as camera, microphone and geolocation by your page or by frames it embeds (Permissions-Policy). They are low-effort, high-impact: a few configuration lines, no application code changes.

Step-by-Step Fix

1. Check your current headers

See which security headers your server currently sends. Use a GET request and follow redirects rather than relying on curl -I (a HEAD request): some servers and CDNs only attach headers to the final GET response, so a HEAD on the redirecting URL can report headers as missing when they are not, or vice versa.

Example
curl -sSL -o /dev/null -D - https://yourdomain.com | grep -iE "(strict-transport|content-security|x-frame|x-content-type|referrer-policy|permissions-policy)"
2. Add headers in Nginx

Add the recommended security headers inside the server block (or the http block, to cover every virtual host), then run nginx -t and reload. The always parameter makes nginx send the header on error responses too; without it, only 2xx and 3xx responses get the header.

Example
# inside server { ... }; "always" covers 4xx/5xx responses as well
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
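The most common reason these directives end up on some responses and not others is that nginx's add_header is not merged across levels: as soon as a location (or server) block contains its own add_header, every add_header inherited from the enclosing level is dropped for that block. The following configuration is an added example, not part of the original page, showing the broken form and the corrected one; the hostname, the /api/ path, the upstream address and the snippet path are hypothetical, and the two server blocks are alternatives, not meant to be loaded together.

```nginx
# --- Broken: /api/ responses carry only Cache-Control ---
server {
    listen 443 ssl;
    server_name yourdomain.com;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    location /api/ {
        # This single add_header replaces ALL inherited add_header directives,
        # so the four security headers above are silently absent under /api/.
        add_header Cache-Control "no-store" always;
        proxy_pass http://127.0.0.1:8080;   # hypothetical upstream
    }
}

# --- Fixed: keep the common set in one snippet and include it again
# --- in every block that defines its own add_header.
#
# /etc/nginx/snippets/security-headers.conf (hypothetical path) contains:
#   add_header X-Frame-Options "SAMEORIGIN" always;
#   add_header X-Content-Type-Options "nosniff" always;
#   add_header Referrer-Policy "strict-origin-when-cross-origin" always;
#   add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
server {
    listen 443 ssl;
    server_name yourdomain.com;

    include snippets/security-headers.conf;

    location /api/ {
        include snippets/security-headers.conf;   # re-include after the override
        add_header Cache-Control "no-store" always;
        proxy_pass http://127.0.0.1:8080;   # hypothetical upstream
    }
}
```

After reloading, request a path that lives under such a location (not just the home page) and check that the headers are present there too.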
3. Add headers in Apache

Add the recommended security headers in the virtual host (or the main server config) and reload. The Header directive requires mod_headers; enable it first (a2enmod headers on Debian/Ubuntu) or Apache will refuse to start with an "Invalid command 'Header'" error. The always condition makes Apache set the header on error responses as well.

Example
# requires mod_headers; "always" covers 4xx/5xx responses as well
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
4. Test functionality

After adding headers, test your site thoroughly. Pay attention to embedded content (your pages inside frames on other sites, and third-party widgets on yours), file downloads and scripts or stylesheets served with a wrong Content-Type (X-Content-Type-Options: nosniff makes browsers refuse to execute them), features that need camera, microphone or location, and third-party integrations such as analytics or payment providers that rely on the full Referer URL.

5. Verify headers are present

Confirm all headers are being sent on the final response, including on error pages and on paths handled by a different location or virtual host.

Example
curl -sSL -o /dev/null -D - https://yourdomain.com
curl -sSL -o /dev/null -D - https://yourdomain.com/this-page-does-not-exist
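Steps 1 and 5 come down to the same check, so here is a small POSIX shell script, added as an example and not part of the original page, that fetches a URL with GET, follows redirects, keeps only the final response's headers, and lists which of the six headers named in the FAQ below are missing. The function and variable names are chosen for this example, and the sample header dump at the bottom is constructed, not captured from a real server; pass a URL as the first argument to audit a live site instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit one response for the
# recommended security headers.

REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy permissions-policy"

# missing_headers HEADER_TEXT
# Prints, one per line, each required header absent from a raw header block.
# Matching is case-insensitive and anchored to the start of a line, so a
# header name merely mentioned inside another header's value does not count.
missing_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "$h"
        fi
    done
    return 0
}

# last_response HEADER_DUMP
# curl -L -D - writes the headers of every hop in the redirect chain, separated
# by blank lines; keep only the final response, which is the one the browser
# actually renders.
last_response() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'BEGIN { RS = "" } { blk = $0 } END { print blk }'
}

# audit_url URL
# GET (not HEAD), follow redirects, report on the final response.
# Exit status: 0 all present, 1 something missing, 2 request failed.
audit_url() {
    dump=$(curl -sS -L -o /dev/null -D - "$1") || return 2
    missing=$(missing_headers "$(last_response "$dump")")
    if [ -z "$missing" ]; then
        echo "all recommended headers present"
        return 0
    fi
    echo "missing headers:"
    printf '%s\n' "$missing" | sed 's/^/  /'
    return 1
}

# Constructed sample: one redirect hop, then a final response that carries
# only two of the six headers (hypothetical, not captured from a real server).
SAMPLE_DUMP='HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/

HTTP/2 200
content-type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
'

if [ -n "${1:-}" ]; then
    audit_url "$1"
else
    echo "Demo against the constructed sample; missing headers:"
    missing_headers "$(last_response "$SAMPLE_DUMP")"
fi
```

Run it once against the home page and once against a URL that returns 404, since error responses are where headers added without always (Nginx) or without the always condition (Apache) go missing.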

Common Gotchas

  • X-Frame-Options "DENY" prevents embedding in any iframe, including your own. Use "SAMEORIGIN" if you embed your own content. If you also set a Content-Security-Policy with frame-ancestors, browsers that support it use that directive instead of X-Frame-Options, so keep the two consistent.
  • Permissions-Policy can disable browser features your site uses (e.g., camera for video chat). Do not disable features you need.
  • In Nginx, an add_header inside a location or server block replaces every add_header inherited from the enclosing level, so headers set at server level silently disappear for any path that adds its own header. Repeat the full set (or include a shared snippet) in such blocks, and check a path under each of them.
  • Apache ignores Header directives unless mod_headers is loaded; without it the configuration fails to parse.
  • If behind a CDN, you may need to configure headers at the CDN level or use CDN-specific header rules, and purge the CDN cache after changing them so cached copies of old responses are not served.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. Header changes take effect as soon as the server is reloaded; there is no DNS propagation delay involved. If a CDN or caching proxy sits in front of the server, purge its cache or wait for the cached objects' TTL to expire, otherwise it may keep serving responses that predate the change.

Frequently Asked Questions

Which security headers are most important?

In order: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.

Can security headers break my website?

Yes, if misconfigured. Content-Security-Policy can block scripts, styles and images that do not match the policy, X-Frame-Options can prevent legitimate embedding, and X-Content-Type-Options stops scripts that are served with a wrong Content-Type from running. Test thoroughly, and roll out CSP with Content-Security-Policy-Report-Only first so violations are reported without anything being blocked.

Do I need X-XSS-Protection?

It is deprecated and unnecessary if you have Content-Security-Policy. Modern browsers have removed their XSS auditors (Chrome dropped the XSS Auditor in 2019, Firefox never implemented one), and CSP is the proper replacement. If you still serve older browsers, send X-XSS-Protection: 0 rather than 1; the legacy auditors could be abused to introduce vulnerabilities of their own, and 0 switches them off.
