
Website Security Headers Checklist: The Complete 2025 Guide

A practical checklist of every HTTP security header your website should have in 2025 — with implementation examples, score impact, and common mistakes to avoid.

SiteReveal Team
21 January 2025 · 10 min read

HTTP security headers are one of the most cost-effective investments you can make in your website's security posture. They are a single line of server configuration that can neutralise entire classes of attack — yet surveys consistently show that fewer than 30% of websites have them correctly configured.

This checklist covers every security header that matters in 2025, explains what each one does, shows you how to implement it, and tells you exactly how it affects your Website Intelligence Score™ on SiteReveal.


Why Security Headers Matter More Than Ever

Modern browsers are powerful allies in the fight against web attacks — but only if you tell them what to do. Security headers are the mechanism by which your server instructs the browser to enforce specific protective behaviours: refuse to load scripts from untrusted origins, never send cookies over HTTP, prevent your pages from being embedded in iframes on malicious sites.

The cost of implementing these headers is measured in minutes. The cost of not having them can be measured in breached user accounts, regulatory fines, and lost customer trust.


The Essential Security Headers Checklist

✅ 1. HTTPS / TLS 1.2 or Higher

What it does: Encrypts all traffic between the browser and your server, preventing eavesdropping and man-in-the-middle attacks.

How to check: Your site URL should begin with https://. In Chrome DevTools → Security, you should see "Connection is secure" with TLS 1.2 or TLS 1.3.

Implementation (Nginx):

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
```

WIS score impact: HTTPS is a prerequisite. Sites without it receive a Security score of 0 regardless of other headers.

Common mistake: Serving mixed content — loading HTTP resources (images, scripts) on an HTTPS page. This triggers browser warnings and partially negates your HTTPS protection.


✅ 2. HTTP Strict Transport Security (HSTS)

What it does: Tells browsers to always use HTTPS for your domain, even if a user types http:// or clicks an HTTP link. Prevents SSL-stripping attacks.

Recommended configuration:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Implementation (Apache):

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```

Implementation (Nginx):

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

WIS score impact: Missing HSTS deducts 15 points from the Security dimension. A max-age under 180 days (15,552,000 seconds) deducts 8 points.

Common mistake: Setting max-age too low (e.g., 300 seconds) because you are testing. Once you are confident your site is HTTPS-only, set it to at least one year (31,536,000 seconds).


✅ 3. Content Security Policy (CSP)

What it does: Defines which sources of scripts, styles, images, fonts, and other resources are legitimate for your page. The browser refuses to load anything from an unlisted source, neutralising most cross-site scripting (XSS) attacks.

Minimal effective CSP:

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

Implementation tip: Start with report-only mode to identify what would be blocked before enforcing:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report

WIS score impact: Missing CSP deducts 20 points from the Security dimension — the largest single deduction of any header. A weak CSP (e.g., default-src *) deducts 10 points.

Common mistake: Using 'unsafe-inline' in script-src. This allows inline <script> tags, which is exactly what XSS payloads inject. Use nonces or hashes instead.


✅ 4. X-Frame-Options

What it does: Prevents your pages from being embedded in <iframe> elements on other domains, blocking clickjacking attacks.

Recommended value:

X-Frame-Options: DENY

Or, if you need to allow embedding from the same origin:

X-Frame-Options: SAMEORIGIN

Note: The modern equivalent is the CSP frame-ancestors directive. If your CSP already includes frame-ancestors 'none', you do not need X-Frame-Options separately — but having both provides defence in depth for older browsers.

WIS score impact: Missing both X-Frame-Options and frame-ancestors deducts 10 points from the Security dimension.


✅ 5. X-Content-Type-Options

What it does: Prevents browsers from "MIME-sniffing" — guessing the content type of a response and treating it differently from what the server declared. This stops attacks where a malicious file is uploaded as an image but executed as JavaScript.

Implementation:

X-Content-Type-Options: nosniff

This header has only one valid value: nosniff. It is one of the simplest headers to add and has zero compatibility risk.


✅ 6. Referrer-Policy

What it does: Controls how much referrer information is included in requests when a user navigates from your site to another. Without this header, the full URL (including query parameters that may contain sensitive data) is sent to third-party sites.

Recommended value:

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests (useful for analytics) but only the origin (e.g., https://yoursite.com) for cross-origin requests.


✅ 7. Permissions-Policy

What it does: Controls which browser features and APIs your site can use — and prevents embedded third-party content from accessing them. Formerly known as Feature-Policy.

Example configuration (restricting unnecessary features):

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

This tells the browser that your site does not need access to the camera, microphone, geolocation, or payment APIs — and that no embedded content should be granted access either.


✅ 8. Cookie Security Flags

What it does: Ensures session and authentication cookies cannot be stolen via XSS or sent over insecure connections.

Required flags:

  • Secure — cookie is only sent over HTTPS
  • HttpOnly — JavaScript cannot read the cookie value
  • SameSite=Strict or SameSite=Lax — prevents cross-site request forgery (CSRF)

Example:

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/

WIS score impact: Cookies without Secure and HttpOnly flags deduct 10 points from the Security dimension.


Quick Reference Table

| Header | Priority | WIS Impact | Implementation Effort |
|---|---|---|---|
| HTTPS / TLS 1.2+ | Critical | −100 if absent | Low (hosting panel) |
| HSTS | High | −15 if absent | Low (1 line) |
| Content-Security-Policy | High | −20 if absent | Medium (requires audit) |
| X-Frame-Options | Medium | −10 if absent | Low (1 line) |
| X-Content-Type-Options | Medium | −5 if absent | Low (1 line) |
| Referrer-Policy | Low | −3 if absent | Low (1 line) |
| Permissions-Policy | Low | −3 if absent | Low (1 line) |
| Cookie Flags | High | −10 if absent | Low–Medium |

Platform-Specific Implementation Guides

Cloudflare

Cloudflare's Transform Rules allow you to add security headers without touching your server. Navigate to Rules → Transform Rules → Modify Response Header and add each header as a "Set" action.

Vercel

Add a vercel.json file to your project root:

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains; preload" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
      ]
    }
  ]
}
```

Next.js

In next.config.js:

```js
const securityHeaders = [
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
];

module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};
```

How to Verify Your Headers

After implementing, verify your headers using any of these methods:

  1. SiteReveal scan: run a free scan to see your Security dimension score and which headers are detected
  2. Browser DevTools: open the Network tab, click your page request, and inspect the Response Headers
  3. curl: curl -I https://yoursite.com prints all response headers
  4. securityheaders.com: a dedicated header grading tool

A perfect security header implementation should bring your Security dimension score to 90+ and your overall WIS into the Advanced or Best-in-Class band.
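As an added example of the verification step (not SiteReveal's scanner or its scoring algorithm), a Node.js audit that parses one response's headers and applies the checklist above, using the point deductions this article quotes as an approximation of the Security dimension. The sample headers are constructed.

```javascript
// Added example, not SiteReveal's scanner: a checklist audit over one response's
// headers, using the deductions quoted in this article as an approximation.
const HSTS_MIN_AGE = 15552000; // 180 days, the article's threshold
// Group raw [name, value] pairs by lower-cased name; Set-Cookie may repeat.
function groupHeaders(rawPairs) {
  const map = new Map();
  for (const [name, value] of rawPairs) {
    const key = name.toLowerCase();
    if (!map.has(key)) map.set(key, []);
    map.get(key).push(value.trim());
  }
  return map;
}

// Returns { score, findings }, each finding being { header, points, reason }.
function auditHeaders(rawPairs) {
  const h = groupHeaders(rawPairs);
  const first = (k) => (h.get(k) || [])[0];
  const findings = [];
  const deduct = (header, points, reason) => findings.push({ header, points, reason });
  const hsts = first('strict-transport-security');
  const maxAge = hsts ? Number((/max-age=(\d+)/i.exec(hsts) || [0, 0])[1]) : 0;
  if (!hsts) deduct('Strict-Transport-Security', 15, 'missing');
  else if (maxAge < HSTS_MIN_AGE) deduct('Strict-Transport-Security', 8, 'max-age under 180 days');
  const csp = first('content-security-policy');
  if (!csp) deduct('Content-Security-Policy', 20, 'missing');
  else if (/default-src\s+\*/.test(csp) || /script-src[^;]*'unsafe-inline'/.test(csp))
    deduct('Content-Security-Policy', 10, "weak: wildcard default-src or 'unsafe-inline' scripts");
  if (!first('x-frame-options') && !(csp && /frame-ancestors/.test(csp)))
    deduct('X-Frame-Options', 10, 'no X-Frame-Options and no frame-ancestors');
  if ((first('x-content-type-options') || '').toLowerCase() !== 'nosniff')
    deduct('X-Content-Type-Options', 5, 'missing or not nosniff');
  if (!first('referrer-policy')) deduct('Referrer-Policy', 3, 'missing');
  if (!first('permissions-policy')) deduct('Permissions-Policy', 3, 'missing');
  const weakCookies = (h.get('set-cookie') || [])
    .filter((c) => !/;\s*secure\b/i.test(c) || !/;\s*httponly\b/i.test(c));
  if (weakCookies.length) deduct('Set-Cookie', 10, `${weakCookies.length} cookie(s) lack Secure and/or HttpOnly`);
  const score = Math.max(0, 100 - findings.reduce((sum, f) => sum + f.points, 0));
  return { score, findings };
}

// Constructed sample: testing-sized HSTS, wildcard CSP, cookie without HttpOnly.
const sample = [
  ['Strict-Transport-Security', 'max-age=300'],
  ['Content-Security-Policy', "default-src *; frame-ancestors 'none'"],
  ['X-Content-Type-Options', 'nosniff'],
  ['Set-Cookie', 'session=abc123; Secure; Path=/'],
];
console.log(auditHeaders(sample));
```

To audit a live site, feed it the rawHeaders array from a Node.js https.get response instead of the constructed sample.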



SiteReveal Team (Author)

The SiteReveal team builds tools that help developers, marketers, and founders understand what's really happening under the hood of any website — from security posture to performance bottlenecks and technology stack fingerprinting.