Fix Missing Security Headers on Netlify

Last updated: April 2026

Netlify reads header rules from a _headers file at the root of your publish directory or from [[headers]] blocks in netlify.toml. The publish directory is the built output (dist/, build/, public/ and so on), not the repository root, so if your framework builds the site, put _headers somewhere the build copies through unchanged (for most frameworks that is public/ or static/); otherwise the file never reaches the deploy and no headers are sent.


_headers file

Each rule is a path pattern followed by indented header lines (the indent is required). This rule applies to every path:

/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; object-src 'none'

netlify.toml alternative

The same rule expressed in netlify.toml; use one mechanism or the other for a given header so the two files do not fight over it:

[[headers]]
  for = "/*"
  [headers.values]
    Strict-Transport-Security = "max-age=31536000; includeSubDomains"
    X-Frame-Options = "DENY"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "strict-origin-when-cross-origin"
    Permissions-Policy = "camera=(), microphone=(), geolocation=()"
    Content-Security-Policy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; object-src 'none'"

Three things to check before copying this as-is:

- X-Frame-Options and the CSP frame-ancestors directive must agree: DENY pairs with 'none', SAMEORIGIN pairs with 'self'. Browsers that understand frame-ancestors ignore X-Frame-Options, so a mismatch means old and new browsers enforce different framing policies.
- 'unsafe-inline' in style-src is there because many frameworks inject inline styles; it also lets an attacker who can inject markup apply arbitrary CSS. Remove it if your build does not need it, and do not add it to script-src.
- HSTS is remembered by browsers for max-age (one year here) and includeSubDomains covers every subdomain, so confirm that all subdomains already serve HTTPS before deploying this line; a subdomain that is still plain HTTP becomes unreachable for returning visitors.

Different headers per path

Rules are matched by path pattern, and a single response can match more than one rule. Here /api/users matches both /* and /api/*, so it receives the framing and MIME-sniffing headers from the first rule plus Cache-Control: no-store from the second, which keeps authenticated API responses out of browser and shared caches:

/*
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff

/api/*
  Cache-Control: no-store

After deploying, request one URL from each path group and confirm the combined header set is what you intended, rather than assuming the merge order.

Verify after deploy

Use a GET rather than a HEAD request (curl -I sends HEAD, and some edges answer HEAD without the full header set), discard the body, and filter for the six headers configured above. Check your custom domain as well as the netlify.app hostname, since both should carry the same headers:

curl -sS -o /dev/null -D - https://yoursite.netlify.app/ | grep -iE "strict-transport|x-frame|x-content-type|referrer-policy|permissions-policy|content-security"

Any header that does not appear in the output is not being sent; the usual cause is a _headers file that did not end up in the publish directory.
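A single grep shows which headers are present but not which are absent, and it cannot tell you when two headers contradict each other. The script below is an added example, not part of the original guide or of Netlify's tooling: it audits a captured header block for every header this guide configures, reports the missing ones, and flags an X-Frame-Options value that disagrees with the CSP frame-ancestors directive. The two sample responses are constructed inline so the checks run offline; pass a URL as the first argument to audit a live site instead.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an HTTP response for the
# security headers configured above and for a framing-policy mismatch.

# Header names this guide expects on every response (matched case-insensitively;
# HTTP/2 responses arrive with lowercase names).
REQUIRED="strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy content-security-policy"

# header_value NAME HEADERS: print the value of the first header called NAME.
header_value() {
  printf '%s\n' "$2" | grep -i "^$1:" | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# missing_headers HEADERS: print each required header that is absent, one per
# line. Returns 0 when all are present, 1 when any is missing.
missing_headers() {
  rc=0
  for name in $REQUIRED; do
    if ! printf '%s\n' "$1" | grep -qi "^$name:"; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# frame_policy_consistent HEADERS: returns 1 when X-Frame-Options and the CSP
# frame-ancestors directive contradict each other (SAMEORIGIN with 'none', or
# DENY with 'self'). Browsers that support frame-ancestors ignore
# X-Frame-Options, so a mismatch means old and new browsers enforce different
# policies. Returns 0 when they agree or when either header is absent.
frame_policy_consistent() {
  xfo=$(header_value x-frame-options "$1" | tr 'a-z' 'A-Z')
  csp=$(header_value content-security-policy "$1")
  case "$xfo#$csp" in
    SAMEORIGIN#*"frame-ancestors 'none'"*) return 1 ;;
    DENY#*"frame-ancestors 'self'"*) return 1 ;;
  esac
  return 0
}

# audit_site URL: fetch live headers with a GET (some edges answer HEAD
# differently) and run both checks against them.
audit_site() {
  hdrs=$(curl -sS -o /dev/null -D - "$1")
  missing_headers "$hdrs" || echo "(headers above are missing on $1)"
  frame_policy_consistent "$hdrs" || echo "X-Frame-Options and frame-ancestors disagree on $1"
}

# Constructed sample: the header set from the guide, but with the SAMEORIGIN
# value that contradicts frame-ancestors 'none'.
GUIDE_SAMPLE="HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
content-security-policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'; object-src 'none'
server: Netlify"

# Constructed sample: a deploy where the _headers file only set four headers.
PARTIAL_SAMPLE="HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
server: Netlify"

if [ "$#" -gt 0 ]; then
  audit_site "$1"
else
  echo "Partial sample is missing:"
  missing_headers "$PARTIAL_SAMPLE" || echo "(add those to _headers and redeploy)"
  frame_policy_consistent "$GUIDE_SAMPLE" || echo "Guide sample: X-Frame-Options and frame-ancestors disagree"
fi
```

Run it with no arguments to see the checks fire on the constructed samples, or as ./audit.sh https://yoursite.netlify.app/ to audit a deployed site. The framing check is deliberately conservative: it only reports the two combinations that are unambiguously contradictory, and stays quiet when one of the headers is absent, since missing_headers already reports that.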