Implement HTTP Security Headers

Implement HTTP Security Headers

HTTP Security Headers are HTTP response headers that define if security precautions should be activated or deactivated on a web browser.

HTTP security headers are a fundamental part of website security protecting your website against attacks like clickjacking, code injection, MIME types, and XSS, etc.

By simply adding the following headers you can improve your website security dramatically;

Content Security Policy header (CSP)
The HTTP Content Security Policy response header restricts the resources allowed to load within a website efectively whitelisting content sources on your website.

Cross Site Scripting Protection header (X-XSS)
The X-XSS header protects against Cross-Site Scripting attacks preventing a page from loading when it detects a cross-site scripting attack.

HTTP Strict Transport Security header (HSTS)
Many website owners have installed an SSL/TLS certificate and migrated from HTTP to HTTPS which is great but there's an additional step that is often overlooked.

Many websites that are migrated to HTTPS are still available over HTTP which defeats the object.

This is where HSTS enters the equation, if a site is equipped with HTTPS, the server forces the browser to communicate over secure HTTPS entirely eliminating the possibility of an HTTP connection.

X-Content-Type-Options header
The X-Content-Type header offers a countermeasure against MIME sniffing by instructing the browser to follow the MIME types indicated in the header.

X-Frame-Options header
The X-Frame-Options header protects against
Clickjacking which is an an attack that tricks a user into clicking an invisible webpage element or is disguised as another element. This can cause users unknowingly to download malware, visit malicious web pages, reveal credentials and sensitive information, transfer money, purchase products etc.

Typically an invisible page or HTML element is present inside an iframe, on top of the page the user is viewing. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional invisible page on top of it.

The X-Frame-Options response header is passed as part of the HTTP response of a web page, indicating whether or not a browser should be allowed to render a page inside an Iframe enabling you to prevent others from embedding your content.

From the results below you will see that this site still achieves an A rating without a Content Security Policy which we are in the process of implementing, we achieve A+ ratings for many of our clients.

Visit the Security Headers Website and test your site for free.

You can also add your website to Chrome's HSTS preload list which is a list of sites that are hardcoded into Chrome as being HTTPS only. Most major browsers also have HSTS preload lists based on the Chrome list. Visit the HSTS preload submission site for details.

If you require assistance implementing security headers on your website submit a ticket on our helpdesk and we will get back to you. SUBMIT TICKET

Related Posts


09 January 2024
This release continues Joomla’s high standards in accessible web design, highlighting Joomla's values of inclusiveness, simplicity and security into an even mor...
15 November 2023
Work included Producing a staging environment, PHP and hosting re-configuration, MySQL upgrade from 5.6 to 8.0, removal of unnecessary code and Joomla extension...
28 October 2023
This is a commercial security release, 3.10.14-elts. The adjustments are: Backport of fix for CVE-2023-40626, "Core - Exposure of environment variables" Click o...


For promoting your brands, products or services, sharing news, or simply communicating with your site visitors we can produce branded fully responsive email templates....
Production of website logos from existing designs, optimise existing logos for website use, or design new logos for use on your website.
A new website design can be applied to an existing website, or a new website is created and existing databases, content and graphics are imported as required.

We provide remote on demand and routine Website Development, Website Maintenance, Website Support, Website Marketing and Website Hosting services to both end users and web design studios alike all over the world.

Latest statistics.
Websites and Projects
Support Tickets
Ticket Replies

CONTACT US via our online form if you need help with your website or hosting, or wish to discuss a new project and need some advice and we will get back to you with the available options.