Improve your trust score

Adding security headers

HTTP security headers are instructions your server sends with every page that tell the browser how to protect your visitors, for example to always use HTTPS or to block your site being framed by attackers. Adding the missing ones lifts your Security Headers score.

See how your domain is doing in your dashboard under Domains, then open the report for step-by-step recommendations.

01

The headers we check

  • Strict-Transport-Security (HSTS) forces browsers to only ever connect over HTTPS, preventing downgrade attacks.
  • Content-Security-Policy (CSP) controls what scripts and resources may load, the strongest defence against cross-site scripting.
  • X-Frame-Options stops other sites embedding yours in a frame (clickjacking).
  • X-Content-Type-Options stops the browser guessing file types, which can be abused.
  • Referrer-Policy limits how much address information leaks when visitors click away.
02

Apache (.htaccess)

Add this to your .htaccess file in the site root:

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Content-Security-Policy "default-src 'self'; img-src 'self' https: data:; script-src 'self'"
</IfModule>

Only enable HSTS once you are sure the whole site works on HTTPS, as it is hard to undo in visitors browsers.

03

Nginx

Inside your server { } block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' https: data:; script-src 'self'" always;

Reload nginx after saving (nginx -s reload).

04

WordPress & Cloudflare

  • WordPress: a security plugin (e.g. one that manages headers) can add all of these from the dashboard without editing files. Alternatively add the Apache snippet above to .htaccess.
  • Cloudflare: use Rules, Transform Rules, Modify Response Header to add each header at the edge, no origin changes needed. HSTS has its own toggle under SSL/TLS, Edge Certificates.
05

A note on Content-Security-Policy

CSP is the most powerful header but also the one most likely to break things if it is too strict, because it can block your own scripts and styles. Start with a permissive policy, watch for blocked resources in your browser console, then tighten it. Even a basic CSP is better than none and improves your score.

Stuck or not sure how to apply this to your setup? Email [email protected] and a human will help you through it.