
Add the missing security headers that protect your site and its visitors.
Security headers are settings your web server sends with each response, telling the visitor's browser how to behave. The scan found headers missing from your site. The OWASP Secure Headers Project defines the baseline set every production site should send. The most important is Content Security Policy (CSP), which controls what scripts and resources are allowed to load and is the strongest defense against cross-site scripting (XSS). HTTP Strict Transport Security (HSTS) forces browsers to use HTTPS, and CSP's frame-ancestors directive blocks clickjacking - note that this now supersedes the older X-Frame-Options header.
These headers quietly protect the people visiting your site. Without CSP, an injected script can run in your visitors' browsers; without HSTS, a connection can be downgraded to unencrypted HTTP; without clickjacking protection, your pages can be loaded invisibly inside a malicious site. OWASP lists each of these as a standard, expected control.
X-Content-Type-Options: nosniff and a Referrer-Policy round out the OWASP baseline. These are configured on your web server, host, or CDN, so share your report with whoever maintains your site.
Re-run your Cyber Score, or check the site with a free header scanner such as the Mozilla Observatory. The missing headers should now show as present. Share your report with your web host or developer and have them apply the missing headers this week.
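The check described above can also be scripted. This is an added example, not code from Cyber, OWASP, or the Mozilla Observatory: it audits a set of response headers against the baseline named on this page, and the function names and the `BEFORE`/`AFTER` sample headers are constructed for illustration.

```python
def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # First occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or None if absent or invalid."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def audit_headers(headers):
    """Return findings for baseline headers that are missing or ineffective."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("content-security-policy: missing")
    if "frame-ancestors" not in csp:
        # frame-ancestors supersedes X-Frame-Options, so the old header alone is flagged.
        legacy = " (legacy X-Frame-Options only)" if "x-frame-options" in h else ""
        findings.append("frame-ancestors: missing" + legacy)
    if "strict-transport-security" not in h:
        findings.append("strict-transport-security: missing")
    elif not hsts_max_age(h["strict-transport-security"]):
        # max-age=0 tells the browser to drop the HSTS entry, so it protects nothing.
        findings.append("strict-transport-security: max-age missing or zero")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: not set to nosniff")
    if "referrer-policy" not in h:
        findings.append("referrer-policy: missing")
    return findings

# Constructed sample responses (not taken from any real site).
BEFORE = {"X-Frame-Options": "SAMEORIGIN", "Strict-Transport-Security": "max-age=0"}
AFTER = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

`audit_headers(BEFORE)` returns five findings and `audit_headers(AFTER)` returns an empty list; pass it the headers your own site returns, as a dict, to see which baseline items are still open.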
