HTTP security headers are directives your server sends with every response, telling browsers how to handle your content. They block common attacks like clickjacking, XSS, and protocol downgrade attacks. They're primarily security measures, but several of them affect SEO and site trust directly.
Google's Lighthouse "Best Practices" score penalizes sites missing the main ones. More practically, browsers warn users about insecure sites — and that warning appears before someone even reads your content.
The Critical Security Headers
1. Strict-Transport-Security (HSTS)
HSTS tells browsers to always use HTTPS when visiting your site, cutting out SSL stripping attacks and eliminating the unnecessary HTTP redirect hop on every first visit.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload- max-age=31536000 — Remember for 1 year (in seconds)
- includeSubDomains — Apply to all subdomains (recommended, but see the warning below)
- preload — Submit to browsers' HSTS preload lists so browsers use HTTPS before the first visit
SEO impact: Eliminates the HTTP to HTTPS redirect, saving ~100ms on first load. Required for HSTS preload, which improves overall trust scores.
⚠️ Only add includeSubDomains if every single subdomain uses HTTPS. One HTTP subdomain with HSTS includeSubDomains enabled will block access to that subdomain entirely.
2. Content-Security-Policy (CSP)
CSP is the most powerful security header, and the most complex. It tells the browser which sources are allowed to load scripts, styles, fonts, and images — blocking XSS attacks at the source.
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com; img-src 'self' data: https:;A strict CSP takes work to get right. Start with Content-Security-Policy-Report-Only to test without breaking anything in production:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-reportSEO impact: CSP affects Lighthouse Best Practices scores. It also blocks injected third-party scripts, which protects your site's authority and reputation.
3. X-Frame-Options
Prevents your site from being embedded in iframes on other sites, stopping clickjacking attacks where users think they're clicking your UI but are actually interacting with a transparent iframe overlay.
X-Frame-Options: SAMEORIGINOptions:
DENY— No iframes anywhereSAMEORIGIN— Allow same-origin iframes only (recommended for most sites)ALLOW-FROM https://trusted.example.com— Allow specific origins (deprecated in modern browsers)
X-Frame-Options is superseded by CSP's frame-ancestors directive in modern browsers, but set both for backwards compatibility.
4. X-Content-Type-Options
Prevents browsers from "sniffing" content types — a simple protection against MIME confusion attacks.
X-Content-Type-Options: nosniffAdd this always. One line, zero downsides.
5. Referrer-Policy
Controls how much referrer information gets sent when users navigate from your site to other sites.
Referrer-Policy: strict-origin-when-cross-originThis sends the full URL for same-origin requests (keeping analytics intact) and only the origin for cross-origin requests. It balances analytics accuracy with privacy.
SEO impact: Setting no-referrer breaks Google Analytics referral tracking. Use strict-origin-when-cross-origin or same-origin if you need to preserve referral data.
6. Permissions-Policy (Formerly Feature-Policy)
Controls which browser APIs are available to your site and embedded content. You can disable camera, microphone, geolocation access entirely if your site doesn't need them.
Permissions-Policy: camera=(), microphone=(), geolocation=(self)Adding this tells users and crawlers you're not doing anything unexpected with sensitive device APIs.
How to Implement Security Headers
Next.js (next.config.js)
const securityHeaders = [
{ key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'SAMEORIGIN' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];
module.exports = {
async headers() {
return [{
source: '/(.*)',
headers: securityHeaders,
}];
},
};Vercel (vercel.json)
{
"headers": [
{
"source": "/(.*)",
"headers": [
{ "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains" },
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{ "key": "X-Frame-Options", "value": "SAMEORIGIN" },
{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
]
}
]
}Nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;Checking Your Security Headers
Use our free HTTP Header Checker to see exactly which headers your site returns, how they're configured, and get an A-F security grade. The tool checks all headers above and flags common misconfigurations.
For deeper analysis: securityheaders.com (by Scott Helme) for grading, and Mozilla Observatory for a fuller security audit.
Security Headers SEO Checklist
- ✅ HSTS with max-age ≥ 1 year
- ✅ X-Content-Type-Options: nosniff
- ✅ X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors)
- ✅ Referrer-Policy set (not no-referrer if you use analytics)
- ✅ Content-Security-Policy (or at minimum CSP-Report-Only to start)
- ✅ Permissions-Policy configured
Security headers take about an hour to implement correctly. HSTS and X-Content-Type-Options are a 10-minute win with no tradeoffs. Start there.