
What Are Security Headers? A Plain-English Explanation

2 min read · Updated April 5, 2026

If someone told you your shop’s front door had no lock, you would fix it immediately. Security headers are the locks on your website’s front door — and most small business websites do not have them.

What are security headers?

Every time someone visits your website, your web server sends back the page they asked for. But it also sends back some invisible instructions called “headers.” These headers tell the visitor’s browser how to behave when displaying your site.

Security headers are a specific set of these instructions that say things like: “Do not let other websites embed my content in a frame,” “Only load scripts from trusted sources,” and “Always use an encrypted connection.”

You cannot see them by looking at a website. They work silently in the background. But they are one of the most important things protecting your visitors from hackers.

What happens without them?

Without security headers, your website is vulnerable to several types of attacks. Here are the main ones, in normal terms:

Clickjacking. Someone puts your website inside an invisible frame on their dodgy website. Your visitor thinks they are clicking a button on their site, but they are actually clicking something on yours — like a “Buy” button or a “Transfer funds” button. The X-Frame-Options header prevents this.

Cross-site scripting. A hacker injects malicious code into your website that runs in your visitors’ browsers. This can steal login details, redirect people to scam sites, or install malware. The Content-Security-Policy header helps prevent this.

Protocol downgrade. Someone forces your visitor’s connection from HTTPS (encrypted) down to HTTP (not encrypted), allowing them to intercept data. The Strict-Transport-Security header prevents this.

How many security headers should I have?

There are seven that matter most for small business websites. You do not need to memorise them — what matters is that your website has them. The seven are: X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-XSS-Protection, Referrer-Policy, and Permissions-Policy.

Most small business websites have zero out of seven. That is not an exaggeration — our scanner regularly finds websites with no security headers at all.

Can I add them myself?

This depends on your setup. If you have access to your web hosting, you can usually add them by editing a file called .htaccess (for Apache servers) or your server configuration. If you are on WordPress, there are plugins that add them with a few clicks.

If that sounds too technical, your web developer or hosting company can do it. It typically takes 15 minutes. The important thing is knowing they need to be there.

How do I check mine?

You cannot see security headers by looking at your website normally. You need a tool that checks what your server is sending behind the scenes.
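To show what such a check does behind the scenes, here is an added Python example (not the article's own or LaunchKitty's scanner code) that reports which of the seven headers a server response is missing. The sample response headers are constructed for illustration, and check_url is a hypothetical helper name that fetches a live page.

```python
"""List which of the seven security headers are missing from a response.

Added example, not part of the original article. SAMPLE_HEADERS is a
constructed response, not captured from any real site.
"""
import urllib.request

# The seven headers the article lists, in the same order.
SECURITY_HEADERS = (
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-XSS-Protection",
    "Referrer-Policy",
    "Permissions-Policy",
)


def missing_security_headers(headers):
    """Return the names from SECURITY_HEADERS that are absent or empty.

    `headers` is any mapping of header name -> value. HTTP header names
    are case-insensitive, so names are compared lower-cased, and a header
    that is present but empty counts as missing.
    """
    present = {
        name.lower() for name, value in headers.items() if value and value.strip()
    }
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


def check_url(url, timeout=10):
    """Fetch `url` and return the headers the final response omits."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return missing_security_headers(dict(resp.headers.items()))


# Constructed sample: a site that set HSTS but left X-Frame-Options empty.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "",
}

if __name__ == "__main__":
    for name in missing_security_headers(SAMPLE_HEADERS):
        print("missing:", name)
```

Run it as is to see the six headers the sample is missing, or call check_url("https://your-site.example") to check a live site.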

LaunchKitty’s free scan checks all seven security headers and tells you which ones are missing. It takes 30 seconds and you do not need any technical knowledge to understand the results.
