
Complete HTTP Security Headers Fixing Guide

Last updated: 9/4/2025

Introduction to Security Headers

HTTP security headers provide crucial protection against common web vulnerabilities like cross-site scripting (XSS), clickjacking, and MIME-type sniffing. This comprehensive guide will walk you through implementing and troubleshooting security headers for optimal protection.

Server-Specific Configuration

Below you'll find complete configuration examples for different server environments. Choose the one matching your setup:

Apache Configuration

# Add to your .htaccess file or Apache config (requires mod_headers)
<IfModule mod_headers.c>
  # "always" attaches the headers to every response, including error pages;
  # a plain "Header set" only covers successful (2xx) responses.
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(self), microphone=()"
</IfModule>

Nginx Configuration

# Add to your HTTPS server block (browsers ignore HSTS sent over plain HTTP).
# "always" sends the header on error responses too. Note that add_header is
# not inherited by a location block that declares its own add_header, so
# repeat the set there if needed.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(self), microphone=()" always;

IIS Configuration

<!-- Add to web.config (the customHeaders element lives under configuration/system.webServer/httpProtocol) -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <add name="Permissions-Policy" value="geolocation=(self), microphone=()" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Troubleshooting Common Issues

Content-Security-Policy

Problem: Too restrictive policy breaks site functionality
Solution: Start in report-only mode (send the same policy as Content-Security-Policy-Report-Only), watch the browser console and the violation reports, and only switch to the enforcing header once the reports are clean

Strict-Transport-Security

Problem: Max-age too short or missing includeSubDomains
Solution: Use max-age=31536000 (1 year) and includeSubDomains for full protection

X-Frame-Options

Problem: Missing or misconfigured
Solution: Set to SAMEORIGIN unless you specifically need to allow framing from other domains

Security Header Best Practices

Implementation Strategy

  1. Start with report-only mode for CSP to monitor potential issues
  2. Implement headers incrementally, testing after each change
  3. Use the most restrictive policies that still allow your site to function
  4. Regularly audit your headers for necessary adjustments
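
The report-only-first rollout described in the steps above (and in the Content-Security-Policy troubleshooting entry), written out as an added example: a small WSGI middleware that sets the guide's headers on every response, switches the CSP between Content-Security-Policy-Report-Only and the enforcing header with a single flag, and receives the violation reports browsers post back. This code is not part of the original guide; the middleware, the report_only switch, the /csp-report endpoint and the demo app are this example's own choices, and the older but still widely supported report-uri directive is used for reporting.

```python
"""Staged security-header rollout as a WSGI middleware (added example, not
from the original guide). Header values mirror the guide's configuration; the
middleware class, report_only switch and /csp-report path are assumptions."""
import io
import json
from typing import List, Tuple

# Headers that are safe to enforce from day one (the guide's values).
STATIC_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "geolocation=(self), microphone=()"),
]
CSP_POLICY = "default-src 'self'; script-src 'self'"
REPORT_PATH = "/csp-report"  # hypothetical endpoint collecting violation reports


class SecurityHeaders:
    """Wrap any WSGI app; flip report_only to False once reports are clean."""

    def __init__(self, app, report_only: bool = True):
        self.app = app
        self.report_only = report_only
        self.reports: List[dict] = []  # in-memory store, enough for the example

    def _csp_header(self) -> Tuple[str, str]:
        # Only the header name changes between the two phases; the policy text
        # is identical, so what was observed is exactly what gets enforced.
        name = ("Content-Security-Policy-Report-Only" if self.report_only
                else "Content-Security-Policy")
        return (name, f"{CSP_POLICY}; report-uri {REPORT_PATH}")

    def __call__(self, environ, start_response):
        if (environ.get("PATH_INFO") == REPORT_PATH
                and environ.get("REQUEST_METHOD") == "POST"):
            return self._collect_report(environ, start_response)

        def wrapped_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in STATIC_HEADERS + [self._csp_header()]:
                if name.lower() not in present:  # never clobber app-set headers
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)

    def _collect_report(self, environ, start_response):
        # Browsers POST a JSON body {"csp-report": {...}}; treat it as untrusted.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length)
        try:
            report = json.loads(body).get("csp-report", {})
            self.reports.append({
                "document": report.get("document-uri"),
                "directive": (report.get("violated-directive")
                              or report.get("effective-directive")),
                "blocked": report.get("blocked-uri"),
            })
        except (ValueError, AttributeError):
            pass  # malformed report: drop it, still answer 204
        start_response("204 No Content", [])
        return [b""]


def demo_app(environ, start_response):
    """Minimal application used to demonstrate the middleware."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_request(app, method="GET", path="/", body=b"") -> Tuple[str, dict, bytes]:
    """Drive a WSGI app in-process, no server needed; returns status, headers, body."""
    captured = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    app = SecurityHeaders(demo_app, report_only=True)
    print(run_request(app)[1])
    # Constructed violation report in the shape browsers send (not a real capture).
    sample = json.dumps({"csp-report": {"document-uri": "https://example.com/",
                                        "violated-directive": "script-src",
                                        "blocked-uri": "https://cdn.example.net/lib.js"}}).encode()
    run_request(app, "POST", REPORT_PATH, sample)
    print(app.reports)
```

Serve the wrapped app with any WSGI server (for a local check, wsgiref.simple_server.make_server works), leave report_only=True while the collected reports show what the policy would block, then restart with report_only=False; because the policy string is shared, nothing changes except which header name carries it.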

Testing Recommendations

  • Test with browser developer tools open to catch any console errors
  • Verify headers using our Security Headers Analyzer tool
  • Check different pages and user flows to ensure no functionality is broken
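
The checks listed under Troubleshooting Common Issues (CSP present and enforced, HSTS max-age of a year with includeSubDomains, X-Frame-Options set to SAMEORIGIN or DENY) and the header verification recommended above, written as an added example audit script that is not part of the original guide or of its analyzer tool. It runs offline against constructed sample responses; the finding texts, the thresholds and the optional fetch_headers helper are this example's own choices.

```python
"""Audit a set of HTTP response headers against the guide's recommendations
(added example, not the guide's own tool). Thresholds follow the guide's values;
the finding wording is this script's own."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the HSTS max-age the guide recommends


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # Content-Security-Policy: present and enforced; an enforced policy that
    # allows 'unsafe-inline' for scripts gives little protection against XSS.
    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is in report-only mode; not yet enforced")
        else:
            findings.append("Content-Security-Policy missing")
    else:
        directives = {d.split()[0]: d for d in (p.strip() for p in csp.split(";")) if d}
        script_src = directives.get("script-src") or directives.get("default-src", "")
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' for scripts")
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")

    # Strict-Transport-Security: at least one year and includeSubDomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("HSTS has no max-age")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age {m.group(1)} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # X-Frame-Options: browsers honour SAMEORIGIN and DENY; anything else is ignored.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options value {xfo!r} is not SAMEORIGIN or DENY")

    # X-Content-Type-Options: the only meaningful value is nosniff.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Referrer-Policy and Permissions-Policy: presence check only.
    for display, key in (("Referrer-Policy", "referrer-policy"),
                         ("Permissions-Policy", "permissions-policy")):
        if key not in h:
            findings.append(f"{display} missing")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a live response's headers with the standard library (network needed)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(self), microphone=()",
}
WEAK_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(response) or ["all checks passed"])
```

Run the audit against fetch_headers(url) for each page and user flow you care about, since a header set on the main server block can be missing from a location block or an error page; the offline sample pairs show what a clean and a weak response look like.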

Security Headers and SEO Impact

While security headers aren't a direct ranking factor, they contribute to overall site security which is increasingly important for search rankings. Google has confirmed that secure sites may receive a ranking boost. Key benefits include:

  • Improved trust signals for search engines
  • Protection against SEO-harming attacks like content injection
  • Better user experience through enhanced security
