Security Headers — What They Mean in Your Report

The Security Issues section of your scan report includes findings about HTTP security headers. These are invisible instructions that your website sends to every visitor's browser, telling it how to behave securely. They're one of the most effective and least understood defences a website can have.

Security headers account for roughly 30% of your overall security score, reflecting how important they are to your website's protection.

What Are Security Headers?

When your browser loads a web page, the server sends back the page content along with a set of "headers" — metadata that the browser reads before displaying the page. Security headers are a specific subset of these that tell the browser to enable certain protections.

Think of them as rules your website sets for the browser: "don't load scripts from untrusted sources", "don't let other sites embed me in a frame", "always use an encrypted connection."

The Six Headers We Check

Strict-Transport-Security (HSTS)

What it does: Tells the browser to always use HTTPS when connecting to your site, even if someone types http:// or clicks an old HTTP link.

Why it matters: Without HSTS, a visitor's first connection might be over unencrypted HTTP before being redirected to HTTPS. An attacker on the same network could intercept that brief unencrypted moment.

Content-Security-Policy (CSP)

What it does: Controls exactly which sources the browser is allowed to load scripts, styles, images, and other resources from.

Why it matters: This is one of the most powerful defences against cross-site scripting (XSS) attacks. Without CSP, a vulnerability in your site could allow an attacker to inject malicious scripts that steal visitor data.

X-Frame-Options

What it does: Prevents other websites from embedding your site inside a frame or iframe.

Why it matters: Without this header, an attacker could create a page that loads your site invisibly behind their own content, tricking visitors into clicking buttons on your site without realising it. This is called a clickjacking attack.

X-Content-Type-Options

What it does: Prevents the browser from "guessing" the type of a file if the server doesn't specify it correctly.

Why it matters: Without this header, a browser might interpret an uploaded file (say, an image) as executable JavaScript if an attacker crafts it carefully. Setting this header to "nosniff" eliminates that risk.

Referrer-Policy

What it does: Controls how much information about the current page is sent to the next site when a visitor clicks a link.

Why it matters: By default, browsers send the full URL of the page a visitor is leaving. If your URLs contain sensitive information (session IDs, search queries, user-specific paths), this leaks to every external site your visitors navigate to.

Permissions-Policy

What it does: Controls which browser features your website is allowed to use — camera, microphone, geolocation, payment APIs, and more.

Why it matters: If your site is compromised, an attacker could use browser features to access a visitor's camera or location. Setting a Permissions-Policy means even compromised code can't access features you've explicitly disallowed.
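The six checks described above can be expressed as a small audit routine. The block below is an added example written for this guide; it is not the scanner's own code, and the severity labels, the "weak value" rules (one-year HSTS max-age, no 'unsafe-inline' in the script sources of a CSP, DENY or SAMEORIGIN for X-Frame-Options, nosniff, a Referrer-Policy that does not send the full URL) and the 30-point weighting are assumptions chosen to illustrate the report, not its actual scoring rules. The sample header sets are constructed.

```python
"""Audit the six HTTP security headers covered in the guide.

Added example, not the scanner's own code. Takes a mapping of response
headers and returns one finding per header that is missing or configured
too weakly. Severities and value rules are this example's assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Lower-case header name -> (assumed severity, reason reported when absent)
EXPECTED = {
    "strict-transport-security": ("high", "first request can be intercepted over plain HTTP"),
    "content-security-policy": ("high", "no browser-side restriction on script sources (XSS)"),
    "x-frame-options": ("medium", "page can be framed by other sites (clickjacking)"),
    "x-content-type-options": ("medium", "browser may sniff uploaded files as scripts"),
    "referrer-policy": ("low", "full URL leaks to external sites via the Referer header"),
    "permissions-policy": ("low", "camera, microphone and geolocation are not restricted"),
}

def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them in lower case."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}

def _csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse 'name src src; name src' into {name: [sources]}."""
    result = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            result[parts[0]] = parts[1:]
    return result

def _check_value(name: str, value: str) -> Optional[str]:
    """Return a reason if a present header is too weak, otherwise None."""
    low = value.lower()
    if name == "strict-transport-security":
        for part in low.split(";"):
            part = part.strip()
            if part.startswith("max-age="):
                try:
                    age = int(part.split("=", 1)[1])
                except ValueError:
                    return "max-age is not a number"
                # One year is the commonly recommended minimum (assumption).
                return None if age >= 31536000 else f"max-age {age} is shorter than one year"
        return "missing max-age directive"
    if name == "content-security-policy":
        directives = _csp_directives(low)
        if "script-src" not in directives and "default-src" not in directives:
            return "policy restricts neither default-src nor script-src"
        script_sources = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            return "script sources allow 'unsafe-inline', which defeats XSS protection"
    if name == "x-frame-options" and low not in ("deny", "sameorigin"):
        return f"value {value!r} is not DENY or SAMEORIGIN"
    if name == "x-content-type-options" and low != "nosniff":
        return f"value {value!r} should be nosniff"
    if name == "referrer-policy" and low in ("unsafe-url", "no-referrer-when-downgrade"):
        return f"{value} still sends the full URL to external sites"
    return None

def audit_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, severity, reason) for every missing or weak header."""
    present = _normalise(headers)
    findings = []
    for name, (severity, missing_reason) in EXPECTED.items():
        if name not in present:
            findings.append((name, severity, "missing: " + missing_reason))
            continue
        weak = _check_value(name, present[name])
        if weak:
            findings.append((name, severity, "weak: " + weak))
    return findings

def header_score(headers: Dict[str, str], weight: float = 30.0) -> float:
    """Points out of `weight` (the guide's 'roughly 30%'): full marks only when
    all six headers are present and none is weak (scoring rule is assumed)."""
    findings = audit_headers(headers)
    return round(weight * (len(EXPECTED) - len(findings)) / len(EXPECTED), 1)

# Constructed sample responses, not captured from any real site.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(f"{label}: {header_score(sample)} / 30")
        for header, severity, reason in audit_headers(sample):
            print(f"  [{severity}] {header}: {reason}")
```

Feeding the script a real site's headers is a matter of collecting them with any HTTP client and passing the result as a dictionary; the point of the example is that "present" and "correctly configured" are separate questions, which is why a header such as HSTS with a tiny max-age still shows up as a finding.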

What to Look For in Your Report

Your report shows which headers are present and which are missing. Each missing header is flagged as a security issue with a severity level. The two outcomes you are most likely to see:

  • Multiple missing headers — Common on smaller sites and shared hosting. This is the most frequent cause of a lower security score.
  • All headers present — Your site or hosting provider has configured these correctly. Well done.

Can You Fix This?

It depends on your hosting platform:

  • Self-hosted / VPS — You have full control. Headers can be set in your web server config (Nginx, Apache) or application code.
  • WordPress (self-hosted) — Plugins like "Headers Security Advanced & HSTS WP" can set these without touching server config.
  • Managed platforms (Squarespace, Wix, Google Sites) — These platforms control the server configuration and may not allow you to set custom headers. In this case, placing a CDN like Cloudflare in front of your site can add the headers for you.
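For the self-hosted case where the headers are set in application code, the block below is an added example (not the scanner's code and not any platform's or plugin's own implementation): a WSGI middleware using only the Python standard library that appends all six headers to every response while leaving alone any header the application already set itself. The header values are sensible defaults assumed here; in particular the Content-Security-Policy must be adapted to the sources a real site actually loads from, or it will block legitimate scripts and styles. The `hello_app` and `run_once` helpers are stand-ins constructed for the example.

```python
"""Set the six security headers from application code.

Added example, standard library only. Wraps any WSGI application so that
every response carries the headers; values are assumed defaults.
"""
import sys
from wsgiref.simple_server import make_server

SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    # Assumed policy: adjust the source lists to match what the site really loads.
    ("Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()"),
]

class SecurityHeadersMiddleware:
    """Wrap a WSGI app and add the security headers to each response."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def wrapped_start(status, response_headers, exc_info=None):
            # Do not duplicate a header the application set explicitly;
            # the application's own value wins.
            existing = {name.lower() for name, _ in response_headers}
            extra = [(n, v) for n, v in self.headers if n.lower() not in existing]
            return start_response(status, list(response_headers) + extra, exc_info)
        return self.app(environ, wrapped_start)

def hello_app(environ, start_response):
    """Minimal stand-in for the real site (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]

def run_once(app, path="/"):
    """Call a WSGI app in-process, no network: returns (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    app = SecurityHeadersMiddleware(hello_app)
    if "--serve" in sys.argv:
        # Serve locally so the headers can be inspected with a browser or curl.
        make_server("127.0.0.1", 8000, app).serve_forever()
    status, headers, _ = run_once(app)
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Running the file prints the response headers once; `python thisfile.py --serve` serves the stand-in app on port 8000 so the result can be checked end to end. Note that HSTS only takes effect when the browser receives it over HTTPS, so behind a plain-HTTP development server the header is sent but ignored.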

We're building platform-specific fix guides — check the Fixing Issues section for the latest.
