How to improve your website security with HTTP header instructions?

The HTTP protocol provides various response headers that allow simple improvements to your website's security. As usual, run full tests on your web site after enabling them, as some options may cause some features to stop working.

Available options

Content Security Policy

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

Content-Security-Policy: <policy-directive>; <policy-directive>

More information about CSP can be found on the Mozilla Developer Network website.

Strict Transport Security

If your website runs over HTTPS, adding HSTS instructs browsers to send all subsequent traffic to the site over HTTPS.

Strict-Transport-Security: max-age=631138519; includeSubDomains

The preload option allows for inclusion in the browsers' built-in preload list, but requires all subdomains to be served over HTTPS. Domains are submitted for inclusion on this list through the preload list's submission form.

X Frame Options

Prevent your page from being embedded within a <frame>, <iframe> or <object>.

X-Frame-Options: DENY

X Content Type Options

Disable MIME type sniffing, which can, for example, make Internet Explorer execute an innocent-looking .img URL as JavaScript.

X-Content-Type-Options: nosniff

X XSS Protection

X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle the “XSS Filter” of IE8 on and off, which prevents some categories of XSS attacks.

X-XSS-Protection: 1; mode=block
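The headers above are easiest to reason about when you can audit a response for them. The following Python script is an added example, not code from the page or the plugin it mentions: it parses a response's headers and reports the findings a header analyser would raise, including whether the HSTS value meets the published preload-list requirements (a max-age of at least one year, includeSubDomains and the preload token) and whether the CSP leaves script-src weakened by 'unsafe-inline' or 'unsafe-eval'. The two header sets at the bottom are constructed for illustration.

```python
"""Audit a set of HTTP response headers for the security headers discussed above.

Added example (not code from the page or the plugin it describes). The header
values at the bottom are constructed for illustration. The preload-eligibility
rules (max-age of at least one year, includeSubDomains, preload) are the
published requirements of the browser preload list.
"""

ONE_YEAR = 31536000  # seconds; minimum max-age for preload list eligibility


def parse_directives(value, item_sep=";", kv_sep="="):
    """Split 'a=1; b; c=2' style header values into {name: value or None}."""
    out = {}
    for part in value.split(item_sep):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition(kv_sep)
        out[name.strip().lower()] = val.strip() if sep else None
    return out


def audit_hsts(value):
    """Findings for a Strict-Transport-Security value, measured against preload rules."""
    findings = []
    d = parse_directives(value)
    try:
        max_age = int(d.get("max-age") or -1)
    except ValueError:
        max_age = -1
    if max_age < 0:
        findings.append("HSTS: max-age missing or invalid")
    elif max_age < ONE_YEAR:
        findings.append("HSTS: max-age below one year, not preload-eligible")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains missing, not preload-eligible")
    if "preload" not in d:
        findings.append("HSTS: preload token missing, cannot be submitted to the preload list")
    return findings


def audit_csp(value):
    """Findings for a Content-Security-Policy value (directives are 'name src src...; ...')."""
    findings = []
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives:
        findings.append("CSP: no default-src fallback, unlisted resource types are unrestricted")
    # script-src falls back to default-src when absent
    script_src = directives.get("script-src", directives.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in script_src:
            findings.append(f"CSP: script-src allows {weak}, which weakens XSS protection")
    return findings


def audit_security_headers(headers):
    """Return a list of findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if "content-security-policy" in h:
        findings += audit_csp(h["content-security-policy"])
    else:
        findings.append("CSP: Content-Security-Policy header missing")

    if "strict-transport-security" in h:
        findings += audit_hsts(h["strict-transport-security"])
    else:
        findings.append("HSTS: Strict-Transport-Security header missing")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN, page can be framed")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing, MIME sniffing allowed")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection header missing (legacy IE8+ filter)")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=631138519; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```

Running the script reports eight findings for the weak set and none for the hardened one; feeding it the headers captured from your own site (for example from a browser's network panel) gives the same kind of report as the analyser mentioned later in the post.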


Implementation varies depending on your website's server.

For an Apache web server, the Header set instruction is to be used in the .htaccess file.

For an nginx web server, the add_header instruction is to be used.

For an IIS web server, the instructions are to be added in the <customHeaders> section.

For a web server agnostic implementation, the PHP header instruction can also be used.

For a web server agnostic implementation, the HTML http-equiv meta tag can also be used.

For a WordPress implementation, the PHP header instruction can be used. I’ve recently written a WordPress security plug-in to handle this easily.
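Setting the headers from application code is the web-server-agnostic route the page describes with PHP's header instruction. The following is an added example in Python (a WSGI middleware), not the page's PHP snippet nor the WordPress plugin: it applies the same header set on every response, but emits Strict-Transport-Security only when the request actually arrived over HTTPS, since browsers ignore HSTS received over plain HTTP and the preload checker rejects sites that send it there. The hello_app application, the request environments and the trust_proxy_header switch are assumptions made for the example.

```python
"""Add the security headers from application code, HSTS only over HTTPS.

Added example in Python (WSGI), not the page's PHP snippet nor the WordPress
plugin it mentions. The application and request environments below are
constructed for illustration.
"""
from wsgiref.util import setup_testing_defaults

SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
]
HSTS_VALUE = "max-age=631138519; includeSubDomains"


def is_https(environ, trust_proxy_header=False):
    """True when the request was served over TLS.

    wsgi.url_scheme reflects the server's own listener. Behind a TLS-terminating
    proxy the scheme seen by the application is http, so the proxy's
    X-Forwarded-Proto header is consulted only when trust_proxy_header is set
    (assumption: the proxy overwrites any client-supplied copy of that header).
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy_header:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def security_headers_middleware(app, trust_proxy_header=False):
    """Wrap a WSGI app so every response carries the security headers."""
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS:
                if name.lower() not in present:  # never override what the app set
                    headers.append((name, value))
            # HSTS is only meaningful (and only accepted by browsers) over HTTPS
            if is_https(environ, trust_proxy_header) and "strict-transport-security" not in present:
                headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, _start_response)
    return wrapped


def hello_app(environ, start_response):
    """Minimal constructed application."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<p>hello</p>"]


def run_request(scheme, trust_proxy_header=False, forwarded_proto=None):
    """Drive the wrapped app once and return the response headers as a dict."""
    environ = {}
    setup_testing_defaults(environ)
    environ["wsgi.url_scheme"] = scheme
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    app = security_headers_middleware(hello_app, trust_proxy_header)
    captured["body"] = b"".join(app(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    print("http :", run_request("http"))
    print("https:", run_request("https"))
```

With the middleware in place, a plain-HTTP request gets the CSP, framing and sniffing headers but no HSTS, and the HTTPS request gets all of them; the same gate is what fixes the "HSTS header on an HTTP link" complaint from the preload checker.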


The Page, Header & Cookie Security Analyser is a useful resource for evaluating your web site’s security; make sure to run it against your site.

13 thoughts on “How to improve your website security with HTTP header instructions?”

  1. Hi,

    I installed your plugin to include HSTS headers, however, when I ran the site through the preload list checker, it stated that I was trying to add HSTS headers to an HTTP link. I am very confused by this as we already have SSL enabled on the site.

    Please review my site: I want to know if this is an issue with the 301 redirects not working properly.

    Thanks in advance,


    1. You are right, HSTS headers need to be posted only when connected in HTTPS. I need to add a test. Will try to do it quickly. Thanks for taking the time to post your comment.


  2. Hi. Great plugin! I’ve installed it on all five of my WP sites. They are all configured similarly, but curiously, only 3 of the 5 are redirecting to HTTPS when you try to go to the HTTP version. All have HSTS forced through the plugin.

    I can’t figure out the difference that would redirect 3 but not all five.

    1. Thanks for your comment.
      For HSTS to work, once setup, you need to visit the web site in HTTPS once as HSTS is only active in HTTPS. This will allow the setting to be recorded on your browser.
      Once everything is OK, you can submit your web site for default inclusion on browsers.

      1. Thanks but still having a problem. When I go to submit to I get

        ” Error: No redirect from HTTP”

        Even though Force HSTS is selected. As I mentioned, I have same settings on 5 WP blogs, but only 2 are not redirecting HTTP. The other 3 work fine. Any other suggestions?


  3. I’m doing that right now. I’ve tried myself directly on functions or htaccess but it breaks my website. I’ll try to use a plugin to see if it solves the problem somehow, thanks for the advice.

    Best Regards

  4. Hi Carl, I’m using your wordpress plugin for every WordPress site I run and I must say I’m very satisfied. I only have 1 question since I can’t get my head around the message and fixing it.

    I keep getting this message on my websites: “Error with Feature-Policy header: Unrecognized feature: ‘document-domain'”

    No matter what I fill in at the Document-domain I keep getting this error. Can you help me with this one?

    Thank you in advance,

    With kind regards,

  5. Hi, thank you very much!

    This post and WordPress plugin helped me to secure my site. My site was graded ‘F’. After installing the plugin and completing the various headers (like HSTS, Expect-CT, X-Frame options, Referrer-Policy, XSS, disabling content sniffing, CSP and feature policy), my site’s security header performance was upgraded to A+ level. A check can be performed on
