Securing Your Site with HTTP Security Headers
What each security header does, why it matters, and how to add them to your server.
What SiteWatch checks
SiteWatch sends a request to your site and inspects the HTTP response headers for seven security headers. Each header gets a weighted score — the total is your security score out of 100.
| Header | Weight | Purpose |
|---|---|---|
| Content-Security-Policy (CSP) | 25 | Controls which resources the browser is allowed to load |
| Strict-Transport-Security (HSTS) | 20 | Forces browsers to always use HTTPS |
| X-Content-Type-Options | 15 | Prevents MIME type sniffing |
| X-Frame-Options | 15 | Blocks your site from being embedded in iframes |
| Referrer-Policy | 10 | Controls how much URL info leaks to other sites |
| Permissions-Policy | 10 | Restricts access to browser APIs (camera, mic, etc.) |
| X-XSS-Protection | 5 | Legacy XSS filter for older browsers |
SiteWatch also checks your site against Google Safe Browsing to detect malware, phishing, or unwanted software flags.
How to read your results
- Score 80-100: Good. Your site has most important headers.
- Score 40-79: Needs work. Key headers are missing.
- Score 0-39: Poor. Your site is exposed to common attacks.
Each missing header is listed with its point value. Focus on the high-value ones first: CSP (25 pts) and HSTS (20 pts) give you nearly half the score.
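As an added illustration (not SiteWatch's own code), the scorer below applies the weight table above to a dict of response headers and maps the result onto the three bands. The sample headers are constructed; the optional fetch_headers helper is an assumption about how you would pull real headers from your site.

```python
import urllib.request

# Weights copied from the SiteWatch table on this page; they sum to 100.
WEIGHTS = {
    "content-security-policy": 25,
    "strict-transport-security": 20,
    "x-content-type-options": 15,
    "x-frame-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 10,
    "x-xss-protection": 5,
}

def score_headers(headers):
    """Return (score, missing) where missing maps each absent header to its weight.

    A header that is present but empty counts as missing, since it does nothing.
    Lookup is case-insensitive because HTTP header names are.
    """
    present = {k.lower() for k, v in headers.items() if v and v.strip()}
    missing = {h: w for h, w in WEIGHTS.items() if h not in present}
    return 100 - sum(missing.values()), missing

def rating(score):
    """Band names from the 'How to read your results' section."""
    if score >= 80:
        return "Good"
    if score >= 40:
        return "Needs work"
    return "Poor"

def fetch_headers(url):
    """GET the URL and return its response headers as a plain dict (needs network)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample: a response that sets only the MIME and framing headers.
SAMPLE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Server": "nginx",
}

if __name__ == "__main__":
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    score, missing = score_headers(hdrs)
    print(f"score {score}/100 ({rating(score)})")
    for name, weight in sorted(missing.items(), key=lambda kv: -kv[1]):
        print(f"  missing {name} ({weight} pts)")
```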
How to fix each header
Content-Security-Policy (25 pts)
CSP is the most impactful header. It tells the browser which sources of scripts, styles, images, and other resources are allowed. Without it, attackers can inject malicious scripts into your pages.
nginx:
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com;" always;
```
Apache:
```apache
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com;"
```
Tip: Start restrictive (default-src 'self') and gradually allow what you need. Check your browser console for CSP violation reports to find which sources still need to be allowlisted.
Strict-Transport-Security / HSTS (20 pts)
HSTS tells browsers to always connect over HTTPS, even if the user types http://. Without it, the first request can be intercepted.
nginx:
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
Apache:
```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```
Warning: Only enable HSTS after confirming HTTPS works perfectly on all subdomains. The max-age is one year — browsers that have seen the header will refuse plain HTTP to your domain for that long.
X-Content-Type-Options (15 pts)
Prevents browsers from guessing ("sniffing") the MIME type of responses. Without it, a browser may ignore the declared Content-Type and treat a response served as plain text as JavaScript.
nginx:
```nginx
add_header X-Content-Type-Options "nosniff" always;
```
Apache:
```apache
Header always set X-Content-Type-Options "nosniff"
```
X-Frame-Options (15 pts)
Prevents your site from being loaded inside an iframe on another site. This blocks clickjacking attacks, where users are tricked into clicking on something other than what they see.
nginx:
```nginx
add_header X-Frame-Options "DENY" always;
```
Apache:
```apache
Header always set X-Frame-Options "DENY"
```
Use SAMEORIGIN instead of DENY if your site needs to iframe itself (e.g. for a preview feature).
Referrer-Policy (10 pts)
Controls how much information about the current page URL is sent to other sites when a user clicks a link. Without it, full URLs — including query parameters with tokens or user IDs — may leak.
nginx:
```nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```
Apache:
```apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```
Permissions-Policy (10 pts)
Controls which browser features (camera, microphone, geolocation, payment) third-party scripts can access. Without it, any embedded script could request access.
nginx:
```nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
```
Apache:
```apache
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
```
X-XSS-Protection (5 pts)
A legacy header that activates the built-in XSS filter in older browsers. Modern browsers rely on CSP instead, but this is still worth adding for backward compatibility.
nginx:
```nginx
add_header X-XSS-Protection "1; mode=block" always;
```
Apache:
```apache
Header always set X-XSS-Protection "1; mode=block"
```
All headers at once
Here's a complete nginx config block you can add to your server block:
```nginx
# Security headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com;" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
add_header X-XSS-Protection "1; mode=block" always;
```
After adding the headers, reload your web server (nginx -s reload or systemctl restart apache2), and SiteWatch will pick up the changes on the next check.
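As an added pre-deployment check (not part of SiteWatch), the script below parses the add_header lines of an nginx config, embedded here as a constructed copy of the block above, and flags values that fall short of the guidance in the sections above: a missing `always` (without it nginx omits the header on 4xx/5xx responses), an HSTS max-age under one year, a script-src that permits inline or any-origin scripts, or a wrong nosniff/framing value. The CSP and `always` checks are this example's own additions.

```python
import re

# Constructed copy of this page's nginx block, as a string, so the check runs offline.
NGINX_BLOCK = r'''
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com;" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
add_header X-XSS-Protection "1; mode=block" always;
'''
ADD_HEADER = re.compile(r'^\s*add_header\s+(\S+)\s+"([^"]*)"(\s+always)?\s*;', re.M)

def headers_from_nginx(conf):
    """Map lowercased header name -> (value, has_always) for each add_header line."""
    return {m.group(1).lower(): (m.group(2), bool(m.group(3)))
            for m in ADD_HEADER.finditer(conf)}

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == name:
            return tokens[1:]
    return None

def check_values(hdrs):
    """List deviations from this page's recommended values; [] means all good."""
    val = lambda name: hdrs.get(name, ("", False))[0]
    problems = []
    for name, (_, always) in hdrs.items():
        if not always:  # without 'always' nginx omits the header on 4xx/5xx responses
            problems.append(f"{name}: missing 'always'")
    csp = val("content-security-policy")
    scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
    if "'unsafe-inline'" in scripts or "*" in scripts:
        problems.append("content-security-policy: scripts allowed inline or from any origin")
    m = re.search(r"max-age=(\d+)", val("strict-transport-security"))
    if not m or int(m.group(1)) < 31536000:
        problems.append("strict-transport-security: max-age shorter than one year")
    if val("x-content-type-options").lower() != "nosniff":
        problems.append("x-content-type-options: value is not 'nosniff'")
    if val("x-frame-options").upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("x-frame-options: expected DENY or SAMEORIGIN")
    return problems

if __name__ == "__main__":
    for p in check_values(headers_from_nginx(NGINX_BLOCK)) or ["all header values OK"]:
        print(p)
```

Run it against the merged configuration of each location block, because an add_header inside a location replaces, rather than extends, the add_header lines inherited from the server block.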
Google Safe Browsing
If your site is flagged by Google Safe Browsing, it means Google has detected malware, phishing, or unwanted software on your pages. This is separate from the headers score and is always treated as a critical alert.
How to fix:
1. Go to Google Search Console → Security Issues
2. Review and fix the flagged content
3. Request a review from Google
4. The flag is typically removed within a few days after review