HTTP security headers are instructions your server sends with every page that tell the browser how to protect your visitors, for example to always use HTTPS or to block your site being framed by attackers. Adding the missing ones lifts your Security Headers score.
See how your domain is doing in your dashboard under Domains, then open the report for step-by-step recommendations.
Add this to your .htaccess file in the site root:
<IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Content-Type-Options "nosniff" Header always set Referrer-Policy "strict-origin-when-cross-origin" Header always set Content-Security-Policy "default-src 'self'; img-src 'self' https: data:; script-src 'self'" </IfModule>
Only enable HSTS once you are sure the whole site works on HTTPS, as it is hard to undo in visitors browsers.
Inside your server { } block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; img-src 'self' https: data:; script-src 'self'" always;
Reload nginx after saving (nginx -s reload).
.htaccess.CSP is the most powerful header but also the one most likely to break things if it is too strict, because it can block your own scripts and styles. Start with a permissive policy, watch for blocked resources in your browser console, then tighten it. Even a basic CSP is better than none and improves your score.
Stuck or not sure how to apply this to your setup? Email [email protected] and a human will help you through it.