Website security headers explained
HSTS, CSP and the headers that improve trust, SEO and protection against common attacks.
Start with the basics
At minimum, serve your site over HTTPS with HTTP Strict Transport Security (HSTS), X-Content-Type-Options, X-Frame-Options and Referrer-Policy. Together these reduce accidental HTTP downgrade (HSTS), MIME sniffing (X-Content-Type-Options), clickjacking (X-Frame-Options) and referrer leakage to third parties (Referrer-Policy).
Check what you already have
Use the site check and security scan tools to see which headers are present and which are missing. Hosting panels and CDNs often add some automatically, but not all.
Improve over time
Content-Security-Policy is the most powerful header but needs tuning for analytics, fonts and embeds, otherwise it will block legitimate resources. If your site uses third-party scripts, deploy it in report-only mode first (the Content-Security-Policy-Report-Only header) and review the violation reports before switching to the enforcing header.
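As an added example (not part of this guide or its scan tools), here is a small audit over a set of response headers that applies the baseline above: it checks HSTS, X-Content-Type-Options, X-Frame-Options (or a CSP frame-ancestors directive), Referrer-Policy, and whether CSP is enforced, report-only, or absent. The header values and the one-year HSTS threshold are constructed assumptions for the example; replace the sample dict with the headers from your own site.

```python
import re

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this check
SAFE_REFERRER = ("no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin")

# Constructed sample response headers (not from a real site): HSTS and
# nosniff are fine, framing is unrestricted, referrer leaks, CSP is report-only.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp",
    "Referrer-Policy": "unsafe-url",
}

def _lookup(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def audit_headers(headers):
    """Return {check: problem} for the baseline headers; empty dict means all good."""
    findings = {}
    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings["hsts"] = "missing: browsers may still accept plain HTTP"
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings["hsts"] = f"max-age {age} is below one year"
        elif "includesubdomains" not in hsts.lower():
            findings["hsts"] = "includeSubDomains not set: subdomains still downgradable"
    if (_lookup(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings["x-content-type-options"] = "missing or not 'nosniff': MIME sniffing possible"
    csp = _lookup(headers, "Content-Security-Policy") or ""
    xfo = (_lookup(headers, "X-Frame-Options") or "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings["x-frame-options"] = "no framing restriction: clickjacking possible"
    rp = (_lookup(headers, "Referrer-Policy") or "").lower()
    if rp not in SAFE_REFERRER:
        findings["referrer-policy"] = f"weak or missing value {rp!r}: full URLs leak to third parties"
    if not csp:
        if _lookup(headers, "Content-Security-Policy-Report-Only"):
            findings["csp"] = "report-only: not enforced yet, review reports before switching"
        else:
            findings["csp"] = "missing: no Content-Security-Policy"
    return findings

if __name__ == "__main__":
    for check, problem in audit_headers(SAMPLE_HEADERS).items():
        print(f"{check}: {problem}")
```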