When a browser loads your website, your server sends back more than just the HTML. It also sends a set of response headers - metadata that instructs the browser how to behave. Most of these headers are mundane (content type, cache instructions), but a handful are specifically designed to protect your visitors from attacks.
These are HTTP security headers, and the majority of websites are not using them. Adding them takes about five minutes on a cPanel host and costs nothing.
What Security Headers Actually Do
Think of security headers as instructions you give to the browser on behalf of your site. "Only load content from domains I trust." "Do not let other sites embed me in an iframe." "Always use HTTPS, even if someone types HTTP." The browser follows these instructions, which shuts down entire categories of attack.
Without these headers, browsers make liberal assumptions - and attackers exploit those assumptions.
The Key Headers You Should Be Using
Strict-Transport-Security (HSTS)
This header tells browsers to always use HTTPS when visiting your site, even if a user types http:// in the address bar. It prevents SSL-stripping attacks where a man-in-the-middle downgrades your connection to plain HTTP.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Only add this if your site is fully on HTTPS; with includeSubDomains, every subdomain must be served over HTTPS as well, because browsers that have seen the header will refuse plain-HTTP connections to all of them for the whole max-age period. The max-age value is in seconds - 31536000 is one year.
X-Frame-Options
This prevents your site from being loaded inside an <iframe> on another domain. Without it, attackers can use a technique called clickjacking - overlaying your site invisibly inside their page and tricking users into clicking things they cannot see.
X-Frame-Options: SAMEORIGIN
SAMEORIGIN allows framing only from your own domain. DENY blocks all framing entirely.
X-Content-Type-Options
Browsers sometimes try to be helpful by guessing the content type of a file rather than trusting what the server says. Attackers exploit this - a file uploaded as an image might actually contain executable JavaScript. This header stops that guessing.
X-Content-Type-Options: nosniff
Referrer-Policy
When someone clicks a link on your site, their browser sends the URL they came from to the destination site. This can leak sensitive information (like the fact that a user was on your pricing page). This header controls what referrer information is shared.
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy (CSP)
CSP is the most powerful - and the most complex - security header. It lets you whitelist exactly which domains are allowed to serve scripts, styles, images, and other resources on your site. If a cross-site scripting (XSS) attack injects a malicious script, CSP prevents it from loading.
A basic starting policy:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
Start in report-only mode (Content-Security-Policy-Report-Only) before enforcing, as a misconfigured CSP can break your site by blocking legitimate resources.
How to Add Headers via .htaccess in cPanel
On Apache-based cPanel hosting, you add security headers in your .htaccess file, which lives in your public_html directory.
- In cPanel, go to File Manager
- Navigate to public_html
- Find .htaccess - if you do not see it, click Settings and enable "Show Hidden Files"
- Right-click and select Edit
- Add the following block, ideally near the top of the file:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>
Save the file. Changes take effect immediately - no server restart needed.
If you are running WordPress and have a caching plugin, clear the cache after making changes so the new headers are served to all visitors.
Testing Your Headers
Once added, verify your headers are working correctly at securityheaders.com. Enter your domain and run the scan. The tool grades your headers from A+ to F and explains exactly what is missing and why it matters.
Aim for a B or higher on your first pass. Getting to A+ requires a well-configured Content-Security-Policy, which takes more work but is worth pursuing for sites handling user data or payments.
Run this test periodically - plugin updates and theme changes can occasionally modify your .htaccess file and remove headers you have set.
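An offline version of that check, written for this article as an added example (it is not the article's own code and not the securityheaders.com scanner): it applies the thresholds the sections above describe (HSTS max-age of at least one year, X-Frame-Options set to SAMEORIGIN or DENY, nosniff, a Referrer-Policy, and a CSP) to a set of response headers, and it parses the CSP so that the starting policy above, whose script-src still allows 'unsafe-inline', is flagged as weaker than an enforced policy without it. The SAMPLE_HEADERS dictionary is constructed to look like what the .htaccess block plus the starting CSP would produce; check_url is a thin helper that fetches live headers over the network, and the score thresholds and finding texts are this example's own choices.

```python
"""Offline checker for the HTTP security headers discussed in the article (added example)."""
from typing import Dict, List, Tuple
import urllib.request

ONE_YEAR = 31536000  # HSTS max-age recommended in the article, in seconds

# Constructed sample headers, modelled on what the article's .htaccess block
# plus the "basic starting policy" CSP would return. Not captured from a real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
                               "style-src 'self' 'unsafe-inline'",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS header value, or -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return -1
    return -1


def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, finding) pairs; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Tuple[str, str]] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(("Strict-Transport-Security", "max-age shorter than one year"))

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append(("X-Frame-Options", "missing or not SAMEORIGIN/DENY"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing"))

    # Accept the report-only header while the policy is being tuned, but say so.
    csp = h.get("content-security-policy") or h.get("content-security-policy-report-only")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append(("Content-Security-Policy",
                             "script-src allows 'unsafe-inline', so injected inline scripts still run"))
        if "content-security-policy" not in h:
            findings.append(("Content-Security-Policy", "report-only, not yet enforced"))
    return findings


def check_url(url: str) -> List[Tuple[str, str]]:
    """Fetch a URL and run the checks on its live response headers (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return check_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    for header, finding in check_headers(SAMPLE_HEADERS) or [("all headers", "checks pass")]:
        print(f"{header}: {finding}")
```

Run against the constructed sample the only finding is the 'unsafe-inline' warning on script-src, which matches the article's point that the starting policy is a place to begin, not the finished configuration that an A+ grade requires.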