If you run a security scan on your site and it comes back with a wall of warnings about missing headers, the temptation is to either panic or ignore it entirely. Neither helps. Most of these are genuinely straightforward to fix — the tricky part is knowing which ones actually matter and why.

Strict-Transport-Security is the one I'd add first. It tells browsers to only ever connect to your site over HTTPS, even if someone types http:// or follows an old http:// link. Without it, an attacker on the same network (public Wi-Fi is the classic case) can intercept that first unencrypted request before your site ever redirects to HTTPS, the attack usually called SSL stripping. One header, five minutes to add, never think about it again.

For nginx:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
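
To confirm the header actually does what you expect once it is live, here is a small checker, added here and not part of the original post, that parses a Strict-Transport-Security value the way a browser reads it and reports what a scanner would flag; the header values it is fed are constructed for illustration.

```python
"""Validate a Strict-Transport-Security header (added example, not from the post).

parse_hsts splits the value into directives; check_hsts applies the rules that
matter in practice (RFC 6797): max-age must be a number, the policy is only
honoured on an HTTPS response, and includeSubDomains closes the subdomain gap.
"""
import re

ONE_YEAR = 31536000  # the max-age used in the nginx line above


def parse_hsts(value):
    """Turn 'max-age=31536000; includeSubDomains' into {directive: value}.

    Directive names are case-insensitive; a flag with no value maps to None.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(headers, over_https=True, min_age=ONE_YEAR):
    """Return a list of findings for a response's headers (dict, any case).

    Browsers ignore HSTS on a plain-http response, so that is reported too.
    """
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security header"]
    if not over_https:
        findings.append("HSTS sent over http://, browsers ignore it")
    d = parse_hsts(value)
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        findings.append("max-age missing or not a number")
    elif int(age) == 0:
        findings.append("max-age=0 clears the policy instead of setting it")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below {min_age} (one year)")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings
```

One caveat the checker cannot see: HSTS is trust-on-first-use, so a visitor's very first plaintext request is still unprotected until the browser has seen the header once (or the domain is on the browser preload list).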
