
How to Fix Missing Security Headers

security Mar 3, 2026 2 min read

What the security headers check tests

SiteCurl checks for six security headers in your server response: Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Cross-Origin-Opener-Policy (COOP), and Permissions-Policy. Each missing or misconfigured header is flagged separately.

For CSP, SiteCurl also checks for weaknesses like unsafe-inline and unsafe-eval in the script-src directive.

Why it matters

Without security headers, browsers use permissive defaults that leave your visitors exposed:

  • No X-Frame-Options: Your pages can be embedded in hidden frames for clickjacking attacks
  • No X-Content-Type-Options: Browsers may guess file types and execute uploaded files as scripts
  • No Referrer-Policy: Full page URLs (including private paths) are shared with external sites
  • No COOP: Malicious sites can interact with your pages through popup windows
  • No Permissions-Policy: Embedded third-party content can access camera, microphone, and location

How to fix it

Add all five headers below to your server configuration; CSP is covered separately in our Content-Security-Policy article.

Nginx

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Apache

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

CDN or hosting panel

Most CDNs (Cloudflare, Vercel, Netlify) let you add custom headers in the dashboard or a config file. Check your provider’s documentation.

How to verify the fix

Run a SiteCurl scan and check the security section. Each header should show as passed. You can also check manually:

curl -sI https://yoursite.com | grep -iE "x-frame|x-content|referrer|opener|permissions"

Security headers work alongside your Content-Security-Policy and HTTPS/HSTS setup. All three layers together form a complete browser security policy.

Start a free trial to audit all security headers on your site.
