What Are HTTP Security Headers and Why Do They Matter?
Security headers are response headers your server sends with every page. They tell the browser what to do, and what to refuse to do, when handling that page. Most web servers send none of them by default; each one has to be configured.
The gap between HTTPS and secure
A valid HTTPS certificate does not make a site secure. It means the browser is talking to the right server over an encrypted connection, and nothing more. Once the page has loaded, a browser that received no security headers will:
- Run any inline script (including injected ones)
- Load resources from any domain
- Allow your page to be embedded in iframes on other sites
- Send a referrer to every third-party resource it fetches: the origin in current browsers, the full URL including the query string in older ones
- Let any script running in your page, including third-party scripts, request your users' camera, microphone and location, with your site's name on the permission prompt
Security headers close these gaps.
The headers that matter
Strict-Transport-Security
Tells browsers to connect to your site only over HTTPS, even if the user types http://, for as long as max-age says. Prevents SSL stripping on subsequent visits; the first visit is only covered if the domain is on the browsers' HSTS preload list.
Content-Security-Policy
Defines which resources the browser may load, and from where. The main browser-side defense against XSS: with a policy that forbids inline scripts, an injected <script> does not run even after it has made it into your HTML. It is a second line of defense, not a replacement for output encoding.
X-Frame-Options
Prevents other sites from embedding your page in an iframe, which blocks clickjacking. The modern equivalent is the CSP frame-ancestors directive; send both, since browsers that understand frame-ancestors ignore X-Frame-Options when both are present.
X-Content-Type-Options: nosniff
Stops browsers from sniffing the content type of a response instead of trusting the Content-Type header. Without it, a browser may decide that a file served as text/plain looks like JavaScript and execute it, which turns a harmless upload or error page into a script-injection vector.
Referrer-Policy
Controls how much of the current URL is sent as the Referer header when the browser fetches a resource or follows a link. Without it the browser applies its own default: current browsers send only the origin to other sites, but older ones send the full URL, query string included, which leaks anything in it (search terms, tokens) to every third party. Set strict-origin-when-cross-origin or stricter explicitly rather than relying on the default.
Permissions-Policy
Controls which browser features (camera, microphone, geolocation and others) your page and the iframes it embeds can use. The policy applies to the whole document, so disabling a feature for your page (camera=()) also disables it for every third-party script running in that page; cross-origin iframes only get the features you explicitly delegate to them.
How to check yours
Use HeadersFixer — it fetches your live URL, reads the response headers, and shows exactly which security headers are missing or misconfigured. It generates the exact config for your stack: Nginx, Apache, Vercel, Cloudflare, Express, Caddy, or Next.js.
Scan your security headers → HeadersFixer