Why Security Headers Matter for SEO
Security headers are HTTP response headers that tell browsers how to handle your site's content: whether a page may be framed, which scripts may run, how much of the URL leaks in the Referer, whether a response may be written to cache. Used correctly they blunt clickjacking, cross-site scripting (XSS) and content-type confusion. Their SEO value is indirect rather than a ranking boost: Google treats HTTPS as a ranking signal, and a site that gets compromised and flagged by Safe Browsing is shown behind a warning interstitial and can lose years of traffic overnight.
Browsers do not warn users about a missing header, and Google does not rank on headers directly. What the headers do is make that kind of compromise less likely and less damaging, so treat them as defense of the ranking you already have.
Here are the 10 headers every site should have, in order of priority:
1. Strict-Transport-Security (HSTS)
[CODEBLOCK] Strict-Transport-Security: max-age=31536000; includeSubDomains; preload [CODEBLOCK]
Tells browsers to use HTTPS for this host for the next max-age seconds (31536000 is one year). After the first HTTPS visit the browser rewrites any http:// link to https:// before sending the request and refuses to click through certificate errors, which closes the window for SSL-stripping attacks. Browsers ignore the header on plain HTTP, so it must be sent on the HTTPS response. includeSubDomains extends the rule to every subdomain, so confirm that all of them serve valid certificates first. 'preload' on its own does nothing: it marks the site as eligible for the browser preload list, and you still have to submit the domain at hstspreload.org, which requires a max-age of at least one year plus includeSubDomains. Preloading is hard to undo, so roll out with a short max-age, confirm nothing broke, then raise it and submit.
2. Content-Security-Policy (CSP)
[CODEBLOCK] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' [CODEBLOCK]
The most powerful header on this list, and the only one that meaningfully reduces XSS. It allowlists where the browser may load scripts, styles, images, frames and connections from. Be aware that the starter policy above includes 'unsafe-inline' in script-src, which permits every inline <script> block and on* handler and therefore gives almost no XSS protection; it is a placeholder, not a destination. Deploy the policy as Content-Security-Policy-Report-Only with a report-uri or report-to endpoint first, fix the violations it reports, then switch to the enforcing header, and replace 'unsafe-inline' with per-response nonces or hashes as soon as your templates allow it.
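How to move from the starter policy to a nonce-based one, as an added Python example that is not code from the original article: each response gets a fresh nonce, the same nonce goes into the CSP header and the inline script tag, and the header can be switched to Report-Only for rollout. The /csp-report endpoint is an assumed path, and the tiny "framework" here is just functions returning the header and body.

```python
import html
import secrets


def make_nonce() -> str:
    """Fresh 128-bit nonce per response; base64url, so it is safe in the header and in HTML."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_only: bool = False) -> tuple[str, str]:
    """Return (header name, policy). report_only=True logs violations without blocking,
    which is how you roll a policy out before enforcing it."""
    policy = "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",  # no 'unsafe-inline': only nonced inline scripts run
        "style-src 'self'",
        "object-src 'none'",        # no plugin fallback through default-src
        "base-uri 'self'",          # stops <base> injection from redirecting relative script URLs
        "frame-ancestors 'none'",   # the CSP replacement for X-Frame-Options: DENY
        "report-uri /csp-report",   # assumed endpoint; review reports before enforcing
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def render_page(nonce: str, trusted_inline_js: str) -> str:
    """Render a page whose single inline script carries the nonce. Never put user-controlled
    data into trusted_inline_js: the nonce authorises whatever is inside the tag."""
    n = html.escape(nonce, quote=True)
    return (
        "<!doctype html><html><head><title>demo</title></head><body>"
        f'<script nonce="{n}">{trusted_inline_js}</script>'
        "</body></html>"
    )


def respond(report_only: bool = False) -> tuple[dict, str]:
    """One response: headers and body share the same nonce (constructed demo, no web framework)."""
    nonce = make_nonce()
    name, policy = build_csp(nonce, report_only)
    return {name: policy}, render_page(nonce, "console.log('hello');")


if __name__ == "__main__":
    headers, body = respond()
    print(headers)
    print(body)
```

The nonce must be unpredictable and must change on every response; a static or guessable value is equivalent to 'unsafe-inline'. If you must keep 'unsafe-inline' for old browsers during migration, add it alongside the nonce: browsers that understand nonces ignore 'unsafe-inline' when one is present.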
3. X-Content-Type-Options
[CODEBLOCK] X-Content-Type-Options: nosniff [CODEBLOCK]
Prevents browsers from MIME-sniffing a response away from the declared content type, so a user-uploaded file served as text/plain is not executed as HTML or JavaScript, and a script fetched with a non-JavaScript MIME type is blocked outright. It only helps if your Content-Type headers are correct, so check those too. One line. No excuses.
4. X-Frame-Options
[CODEBLOCK] X-Frame-Options: DENY [CODEBLOCK]
Stops other origins from loading your pages in an iframe, which defeats clickjacking: the attacker positions your page in an invisible frame over their own so the victim's clicks land on your buttons. Use SAMEORIGIN if you frame your own pages (DENY blocks even that). CSP's frame-ancestors directive supersedes this header and is the only way to allow a specific third-party origin; send both, because a browser that understands frame-ancestors ignores X-Frame-Options when the two are present.
5. Referrer-Policy
[CODEBLOCK] Referrer-Policy: strict-origin-when-cross-origin [CODEBLOCK]
Controls how much of the current URL is sent in the Referer header of outgoing requests. With strict-origin-when-cross-origin, same-origin requests get the full URL, cross-origin requests get only the scheme, host and port, and nothing is sent on an HTTPS to HTTP downgrade. That keeps session tokens, search queries and other path or query data out of third parties' logs. Modern browsers already use this value by default, but set it explicitly so older browsers and future default changes don't surprise you.
6. Permissions-Policy
[CODEBLOCK] Permissions-Policy: camera=(), microphone=(), geolocation=() [CODEBLOCK]
Declares which browser features your pages and the iframes they embed may use. An empty allowlist such as camera=() disables the feature for your own origin and every frame, so an injected script or a compromised third-party widget cannot quietly request the camera, microphone or location. List only the features you actually use and scope them, for example geolocation=(self) to allow your own origin and nothing embedded in it.
7. X-XSS-Protection
[CODEBLOCK] X-XSS-Protection: 0 [CODEBLOCK]
Legacy header. It controlled the reflected-XSS filter that some browsers shipped; Firefox never implemented one, Chrome removed its XSS Auditor in version 78, and current browsers ignore the header entirely. Worse, the filter itself was abused as a side channel to leak data across origins, which is why OWASP now recommends 0 (explicitly disabled) rather than 1; mode=block. Rely on CSP for XSS and send 0 only for the few old browsers that still honor the header.
8. Cross-Origin-Opener-Policy
[CODEBLOCK] Cross-Origin-Opener-Policy: same-origin [CODEBLOCK]
Puts your page in its own browsing context group, severing the window.opener link between it and any cross-origin window that opened it or that it opens. That blocks cross-window XS-Leaks and Spectre-style attacks, and together with COEP it is what unlocks SharedArrayBuffer and high-resolution timers. Caveat: OAuth and payment flows that open a popup and report back through window.opener break under same-origin; use same-origin-allow-popups on the pages that start those flows.
9. Cross-Origin-Embedder-Policy
[CODEBLOCK] Cross-Origin-Embedder-Policy: require-corp [CODEBLOCK]
Complements COOP. With require-corp the browser refuses to load any cross-origin resource that has not opted in through a Cross-Origin-Resource-Policy header or CORS. Third-party images, fonts, scripts and iframes that lack those headers simply stop loading, so audit every embed before enforcing it. If you don't need cross-origin isolation you can leave COEP off; where browsers support it, credentialless is a less disruptive alternative that strips credentials from non-opted-in requests instead of blocking them.
10. Cache-Control
[CODEBLOCK] Cache-Control: no-store, no-cache [CODEBLOCK]
For authenticated pages and any response carrying personal data. no-store is the directive that does the work: it forbids browsers and intermediary caches from writing the response to disk at all. no-cache only requires revalidation before a stored copy is reused and is kept for older caches that mishandle no-store. Do not send this on public pages or static assets; those should get a long max-age (and immutable for versioned files), because slow, uncacheable pages are what actually hurts rankings.
How to Add These Headers
Nginx: Add add_header lines to your server block or a separate headers.conf that you include, and use the always flag so error responses get them too.
Apache: Use mod_headers (Header always set ...) in your .htaccess or virtual host config; .htaccess only works if AllowOverride permits it.
Cloudflare: Use Transform Rules to add response headers without touching your server.
Netlify: Add a '_headers' file in your publish directory or configure in netlify.toml.
Vercel / Next.js: Add to 'next.config.js' under 'headers()'.
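A complete nginx setup, as an added example that is not from the original article: a reusable snippet with all ten headers, included from a server block, plus a location that adds Cache-Control for account pages. The file paths, server_name and the /account/ location are assumptions; TLS certificate directives are omitted.

```nginx
# --- /etc/nginx/snippets/security-headers.conf (assumed path) ---
# "always" makes nginx send the header on 4xx/5xx responses too; without it only
# 2xx/3xx responses carry the headers and your error pages stay unprotected.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header X-XSS-Protection "0" always;
# Drop the next two lines unless you need cross-origin isolation; require-corp
# blocks third-party embeds that do not send CORP or CORS headers.
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;

# --- /etc/nginx/sites-enabled/example.conf (assumed path) ---
server {
    listen 443 ssl;
    server_name example.com;
    include snippets/security-headers.conf;

    location /account/ {
        # add_header in a location block REPLACES the set inherited from server {},
        # so the snippet must be included again here or the headers above vanish.
        include snippets/security-headers.conf;
        add_header Cache-Control "no-store" always;
    }
}
```

The location inheritance rule is the classic nginx mistake: one add_header for Cache-Control in a nested block silently removes every header the server block set. Run nginx -t after editing and confirm with a HEAD request against both a normal page and a 404.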
Checking Your Headers
Run your site through FORGE's free security checker. It audits all critical security headers and tells you exactly which ones are missing, with specific instructions for your stack. You can also inspect the raw headers yourself with curl -sI https://yoursite and compare them against the list above; check an error page as well as the home page, since misconfigured servers often drop headers on 4xx responses.
Most sites can add nine of these ten headers in under an hour. CSP is the exception: a rushed policy breaks pages, so roll it out in Report-Only mode first and budget real time for it.
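A self-contained header audit, as an added Python example that is not the FORGE checker or any code from the original article: it parses a raw response header block (the sample below is constructed, not captured from a real site) and reports each of the ten headers as missing, weak or informational, applying the caveats from the sections above (short HSTS max-age, 'unsafe-inline' without a nonce, leaky Referrer-Policy, X-XSS-Protection set to 1). The curl pipeline in the usage comment is an assumption about how you would feed it live output.

```python
import re
import sys
from typing import Dict, List, Optional

ONE_YEAR = 31536000

# Constructed sample response for offline use; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "\r\n"
)

# A header set that should produce no findings (constructed reference values).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cache-Control": "no-store",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Raw header block -> {lowercase name: value}; repeated fields are joined with ', '."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:          # first line is the status line
        if not line.strip():
            break                              # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return headers


def csp_directive(policy: str, name: str) -> Optional[str]:
    """Source list of one CSP directive, or None if the directive is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return None


def audit(headers: Dict[str, str]) -> List[str]:
    """Return findings as 'MISSING/WEAK/INFO ...' strings; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    out: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append("MISSING Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            out.append(f"WEAK Strict-Transport-Security: max-age={age} is under one year")
        if "includesubdomains" not in hsts.lower():
            out.append("WEAK Strict-Transport-Security: missing includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        out.append("MISSING Content-Security-Policy")
    else:
        scripts = csp_directive(csp, "script-src")
        if scripts is None:
            scripts = csp_directive(csp, "default-src") or ""
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone.
        if "'unsafe-inline'" in scripts and "'nonce-" not in scripts and "'sha" not in scripts:
            out.append("WEAK Content-Security-Policy: script-src allows 'unsafe-inline'")
        if csp_directive(csp, "object-src") is None and "'none'" not in (csp_directive(csp, "default-src") or ""):
            out.append("WEAK Content-Security-Policy: add object-src 'none' (plugins fall back to default-src)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append("MISSING X-Content-Type-Options: nosniff")

    frame_ancestors = csp_directive(csp, "frame-ancestors") if csp else None
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and frame_ancestors is None:
        out.append("MISSING X-Frame-Options (or CSP frame-ancestors)")

    rp = h.get("referrer-policy", "").lower()
    if not rp:
        out.append("MISSING Referrer-Policy")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        out.append(f"WEAK Referrer-Policy: {rp} sends full URLs to other origins")

    if "permissions-policy" not in h:
        out.append("MISSING Permissions-Policy")

    if h.get("x-xss-protection", "").strip().startswith("1"):
        out.append("WEAK X-XSS-Protection: set it to 0; the filter is deprecated and abusable")

    for name in ("Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy"):
        if name.lower() not in h:
            out.append(f"INFO {name} missing (needed only for cross-origin isolation)")

    if "cache-control" not in h and h.get("content-type", "").startswith("text/html"):
        out.append("INFO Cache-Control missing on an HTML response; use no-store if it is authenticated")
    return out


def audit_raw(raw: str) -> List[str]:
    return audit(parse_headers(raw))


if __name__ == "__main__":
    # Assumed live usage: curl -sI https://example.com | python3 audit_headers.py
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_raw(data) or ["OK: all ten headers present and sane"]:
        print(finding)
```

Pipe in the output of a HEAD request for the home page and again for a 404 or a 500, since the two commonly differ. The script judges values, not intent: it cannot know whether a page is authenticated, which is why Cache-Control is reported as INFO rather than MISSING.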