
Security Headers Every Website Needs

Why Security Headers Matter for SEO

Security headers don't directly affect rankings, but they build trust signals and prevent attacks that could damage your reputation. Google has confirmed HTTPS as a ranking factor, and browsers now warn users about insecure sites.

Essential Security Headers

1. Strict-Transport-Security (HSTS)

Tells browsers to connect to your domain over HTTPS only, for the stated period, so they never issue the plain-HTTP request that SSL-stripping attacks rely on.

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

2. Content-Security-Policy (CSP)

Controls which origins may supply scripts, styles and other resources on your page, so injected markup cannot load or run code from anywhere you did not allow. This is the main defence against XSS.

```http
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
```

3. X-Frame-Options

Prevents your site from being embedded in iframes (clickjacking protection).

```http
X-Frame-Options: DENY
```

4. X-Content-Type-Options

Stops browsers from guessing ("sniffing") a response's content type and treating it as something other than the declared Content-Type, which is how MIME-sniffing attacks turn an uploaded file into executable script.

```http
X-Content-Type-Options: nosniff
```

5. Referrer-Policy

Controls how much of the current page's URL is sent as the Referer header with outgoing requests.

```http
Referrer-Policy: strict-origin-when-cross-origin
```
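As an added example (not part of the original post and not SEO Snapshot's own code), the Node.js script below audits a set of response headers against the five recommendations above. The two header objects and the letter-grade scale are constructed for illustration. One caveat the rules encode: `'unsafe-inline'` in `style-src` is a common compromise, but a `script-src` that allows it gives almost no XSS protection, so the audit flags that case; it also flags an HSTS `preload` directive that lacks `includeSubDomains`, because the preload list requires both.

```javascript
// Added example: audit response headers against the recommendations in the post.
// Input is a plain object of header names to values; names are compared
// case-insensitively, matching how Node's http module reports them.

const ONE_YEAR = 31536000;

// Each rule returns null when satisfied, or a short description of the problem.
const RULES = [
  ['strict-transport-security', (v) => {
    if (v === undefined) return 'missing';
    const maxAge = /max-age=(\d+)/i.exec(v);
    if (!maxAge) return 'no max-age directive';
    if (Number(maxAge[1]) < ONE_YEAR) return 'max-age below one year';
    // preload list submission requires includeSubDomains as well
    if (/preload/i.test(v) && !/includeSubDomains/i.test(v)) return 'preload without includeSubDomains';
    return null;
  }],
  ['content-security-policy', (v) => {
    if (v === undefined) return 'missing';
    // Parse "name src src; name src" into { name: [src, ...] }.
    const directives = Object.fromEntries(
      v.split(';').map((d) => d.trim()).filter(Boolean).map((d) => {
        const [name, ...sources] = d.split(/\s+/);
        return [name.toLowerCase(), sources];
      }));
    const scriptSrc = directives['script-src'] || directives['default-src'];
    if (!scriptSrc) return 'no script-src or default-src';
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
      return 'script-src allows inline scripts or any origin';
    }
    return null;
  }],
  ['x-frame-options', (v) => {
    if (v === undefined) return 'missing';
    return ['DENY', 'SAMEORIGIN'].includes(v.trim().toUpperCase()) ? null : `unexpected value "${v}"`;
  }],
  ['x-content-type-options', (v) => {
    if (v === undefined) return 'missing';
    return v.trim().toLowerCase() === 'nosniff' ? null : `unexpected value "${v}"`;
  }],
  ['referrer-policy', (v) => {
    if (v === undefined) return 'missing';
    const leaky = ['unsafe-url', 'no-referrer-when-downgrade'];
    return leaky.includes(v.trim().toLowerCase()) ? `sends full URL cross-origin (${v})` : null;
  }],
];

// Audit a header object; returns { findings: { headerName: problem }, grade }.
// The letter scale is a constructed illustration, not SEO Snapshot's scoring.
function auditHeaders(headers) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = {};
  for (const [name, check] of RULES) {
    const problem = check(lower[name]);
    if (problem) findings[name] = problem;
  }
  const count = Object.keys(findings).length;
  const grade = count === 0 ? 'A' : count === 1 ? 'B' : count === 2 ? 'C' : count <= 4 ? 'D' : 'F';
  return { findings, grade };
}

// Constructed sample header sets (not captured from any real site).
const GOOD = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
const WEAK = {
  'strict-transport-security': 'max-age=300; preload',
  'content-security-policy': "default-src *; script-src 'self' 'unsafe-inline'",
  'x-frame-options': 'ALLOWALL',
  'referrer-policy': 'unsafe-url',
};

console.log('good site:', auditHeaders(GOOD));   // grade A, no findings
console.log('weak site:', auditHeaders(WEAK));   // grade F, five findings
```

To run it against a live site, replace the constructed objects with the `headers` property of an `http.get` or `https.get` response; the rules operate on that object unchanged.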

How to Add Headers

**Nginx:**

```nginx
# "always" emits the header on every response, including 4xx/5xx error pages.
# Note: add_header directives are not inherited by a location block that
# declares its own add_header, so repeat them there or put them in a shared include.
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
```

**Next.js (next.config.js):**

```javascript
// next.config.js: headers() is a method of the exported config object.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)', // apply to every route
      headers: [
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
      ],
    }];
  },
};
```

**Vercel (vercel.json):**

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Frame-Options", "value": "DENY" }
      ]
    }
  ]
}
```

Check your security headers with [SEO Snapshot](/) — we grade your security from A+ to F and show exactly which headers are missing.
