Security Headers: The 5-Minute Fix 80% of Sites Skip
The fix takes 5 minutes. Here's everything you need.
---
The 7 Headers You Need
Every production site should have these headers on every response:
1. Strict-Transport-Security (HSTS)
Forces HTTPS. Without it, users can be downgraded to HTTP.
```
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```
2. Content-Security-Policy (CSP)
Prevents XSS by controlling what resources can load.
```
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
```
3. X-Frame-Options
Prevents clickjacking by blocking iframe embedding.
```
X-Frame-Options: DENY
```
4. X-Content-Type-Options
Prevents MIME-type sniffing attacks.
```
X-Content-Type-Options: nosniff
```
5. Referrer-Policy
Controls what information is sent in the Referer header.
```
Referrer-Policy: strict-origin-when-cross-origin
```
6. Permissions-Policy
Disables browser features you don't use (camera, microphone, etc.).
```
Permissions-Policy: camera=(), microphone=(), geolocation=()
```
7. X-XSS-Protection
Legacy XSS filter. Still worth adding for older browsers.
```
X-XSS-Protection: 1; mode=block
```
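As an added example (not code from the original post), here is a small Python audit that takes a response's headers as a dict and reports which of the seven headers above are missing or weakly set. The one-year HSTS floor and the warning on `'unsafe-inline'` in `script-src` are this example's own assumptions, and the sample response is constructed.

```python
import re

def check_hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < 31536000:  # assumed floor: one year (the post recommends two)
        return "max-age below one year"
    return None if "includesubdomains" in v.lower() else "no includeSubDomains"

def check_csp(v):
    # Parse "default-src 'self'; script-src ..." into {directive: full directive text}
    directives = {d.split()[0].lower(): d for d in (x.strip() for x in v.split(";")) if d}
    if "default-src" not in directives:
        return "no default-src fallback"
    if "'unsafe-inline'" in directives.get("script-src", directives["default-src"]):
        return "'unsafe-inline' permits inline scripts, which weakens the XSS protection"
    return None

# The seven headers from this post, each with a check on its value (None = any value passes).
CHECKS = {
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "X-Frame-Options": lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "must be DENY or SAMEORIGIN",
    "X-Content-Type-Options": lambda v: None if v.strip().lower() == "nosniff" else "must be nosniff",
    "Referrer-Policy": lambda v: "unsafe-url sends full URLs cross-origin" if "unsafe-url" in v.lower() else None,
    "Permissions-Policy": lambda v: None,
    "X-XSS-Protection": lambda v: None,
}

def audit(headers):
    """Return {header: finding} for missing or weak headers; {} means all seven pass."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    for name, check in CHECKS.items():
        value = lower.get(name.lower())
        problem = "missing" if value is None else check(value)
        if problem:
            findings[name] = problem
    return findings

SAMPLE_WEAK = {  # constructed sample response, not captured from any real site
    "strict-transport-security": "max-age=300",
    "content-security-policy": "script-src 'self' 'unsafe-inline'",
    "x-frame-options": "ALLOWALL",
    "x-content-type-options": "nosniff",
    "referrer-policy": "unsafe-url",
}
```

`audit(SAMPLE_WEAK)` returns six findings (only `X-Content-Type-Options` passes); for a live check, pass `dict(response.headers)` from whatever HTTP client you use.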
---
Why It Affects SEO
Google confirmed that security signals affect ranking. Sites with HTTPS + security headers rank higher than those without. It's a small signal, but it's free — so why not take it?
More importantly: AI engines use security headers as trust signals. Our AEO research shows that sites with complete security headers get cited more often by AI search engines.
---
Copy-Paste Implementations
Next.js (next.config.js):
```javascript
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: "/(.*)", // match every route so the headers go on every response
      headers: [
        { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
        { key: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' 'unsafe-inline'" },
        { key: "X-Frame-Options", value: "DENY" },
        { key: "X-Content-Type-Options", value: "nosniff" },
        { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
        { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
      ],
    }];
  },
};
```
FastAPI / Python:
```python
from fastapi import FastAPI

app = FastAPI()

@app.middleware("http")
async def security_headers(request, call_next):
    # Run the route handler first, then stamp the headers onto every response
    response = await call_next(request)
    response.headers["Strict-Transport-Security"] = "max-age=63072000"
    response.headers["Content-Security-Policy"] = "default-src 'self'"
    response.headers["X-Frame-Options"] = "DENY"
    response.headers["X-Content-Type-Options"] = "nosniff"
    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
    return response
```
Express / Node.js:
```javascript
const express = require("express");
const app = express();

// Register before any routes so the headers are set on every response
app.use((req, res, next) => {
  res.setHeader("Strict-Transport-Security", "max-age=63072000");
  res.setHeader("Content-Security-Policy", "default-src 'self'");
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("X-Content-Type-Options", "nosniff");
  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
  next();
});
```
---
Check Your Site
Want to know which headers you're missing? Scan your site free — our agents check all 7 headers and tell you exactly what to add.
5 minutes. 7 headers. Measurably better security and SEO.