The short answer
You cannot set custom HTTP security headers on a Squarespace site. Not on any plan. Squarespace controls the server response, and there is no setting that changes it.
The confusion usually starts with Code Injection. Code Injection puts markup inside your page <head>. A security header is sent by the server, before the page even arrives. Pasting header text into Code Injection does nothing at all.
The Developer Platform does not rescue you either. It cannot add server-side custom code, and it is version-restricted: it works on Squarespace 7.0 only, not on 7.1, which is what effectively every new site is built on. It is version-restricted rather than gone, but for most owners reading this it is simply not an option.
Now the better news. Squarespace already sends most of the headers you were worried about.
What Squarespace already gives you
At the time of writing, a Squarespace site responds with these by default, with no work from you. These are our own July 2026 measurements rather than something Squarespace documents, so they can drift over time and vary by edge location.
HSTS with a max-age of 180 days. Browsers will stick to HTTPS on return visits. You could not add this yourself even if you wanted to, because HSTS is header-only by specification.
Set to nosniff, which stops browsers guessing file types. This is the header most small sites are missing, and you get it free.
Set to SAMEORIGIN, which stops other sites putting your pages in an iframe. That is solid anti-clickjacking protection.
Not set. This is the one real gap, and happily it is the one you can close yourself. See the next section.
The one header you can actually add
Squarespace ships no Referrer-Policy. Referrer-Policy is the rare security header that browsers also honour as an HTML meta tag, so you can add it through Code Injection.
Put this in your site header Code Injection:
<meta name="referrer" content="strict-origin-when-cross-origin">Note it is name="referrer", not http-equiv. That is the correct form and browsers honour it. Save, then reload your site and confirm it is present in the page source.
Why the same trick will not work for the rest
Worth understanding, so you do not lose an afternoon to it. Meta tags are not a general stand-in for HTTP headers:
- →X-Frame-Options as a meta tag does nothing at all. Browsers ignore it completely. Plenty of blog posts recommend it anyway. Squarespace already sends the real header set to SAMEORIGIN, so you are covered regardless.
- →HSTS is header-only by specification. There is no meta tag version, and there never will be. Squarespace already sends it.
- →CSP partly works as a meta tag, but the directives people most want are ignored in meta form, including frame-ancestors, report-uri and sandbox. A meta CSP is also easy to get wrong and can break your own site. If you want to understand what you would be giving up, read our short CSP explainer.
- →Referrer-Policy is the exception, which is exactly why the snippet above is worth doing.
What about putting Cloudflare in front?
This is the one place where accuracy matters, because it is easy to overstate in either direction.
Squarespace says Cloudflare "falls outside the scope of Squarespace support". In the same breath they concede: "If you have advanced needs, you can connect your domain to Cloudflare for additional protection." Read that carefully. That is Squarespace saying they will not help you troubleshoot it, not Squarespace saying do not do it. It is a meaningfully softer position than some other platforms take.
So it is a real option if you have the skills and accept that you own the outcome. If something breaks, you are fixing it yourself. For most Squarespace owners, adding a whole extra layer in front of the site to gain one or two headers is not a trade worth making. If you have a Cloudflare-competent person in the building already, it is a reasonable conversation to have.
What we would actually do
Add the Referrer-Policy meta tag. Then stop. Squarespace covers HSTS, nosniff and framing protection for you, which is decent coverage already, and the gaps left over are not worth restructuring your site to close.
Put the effort where you still have full control instead. Your SPF record and DMARC record live in DNS, not in Squarespace, so nothing is blocking you there. Those stop people sending fake email in your name, which is a far more common attack on a small business than clickjacking.
Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.
Run a free checkFrequently asked questions
Can I add security headers through Squarespace Code Injection?
Only Referrer-Policy, and only as a meta tag. Code Injection adds markup to your page head. It cannot set HTTP headers, because those are sent by the server before the page is delivered. The good news is Squarespace already sends HSTS, X-Content-Type-Options and X-Frame-Options by default.
Does the Squarespace Developer Platform let me set headers?
No. It cannot add server-side custom code, so it cannot set response headers. It is also version-restricted to Squarespace 7.0 and is not available on 7.1, which is what new sites are built on. For most owners it is not an option at all.
Would a higher Squarespace plan give me header control?
No. This is not a plan limit you can pay your way past. Custom security headers are not available on any Squarespace plan.
Should I put Cloudflare in front of my Squarespace site to add headers?
It is possible, and Squarespace themselves acknowledge that you can connect your domain to Cloudflare for additional protection if you have advanced needs. But they also say Cloudflare falls outside the scope of Squarespace support, so you own any problems that follow. For most sites, adding a whole layer for one or two headers is not worth it.
Will a failed security headers check hurt my site?
Less than you would think on Squarespace, because the platform already sets the important ones. A scanner that just counts headers can make your site look worse than it is. Run a free check to see what your site actually sends today, then close the one gap you can control.