Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Shipping securely on a budget

What are security headers? A plain-English guide

July 18, 2026·5 min read
An ornate iron gate with a lock in low light — protections telling the browser how to behave.

Security headers are short instructions your server sends with every page, telling the browser how to behave safely — refuse to load over plain HTTP, don't let another site frame you, don't guess file types. They're among the cheapest security wins there are, and almost every new site ships without them.

You don't rewrite your app to add them; they're configuration. Here's what the ones that matter actually do, in plain English.

Where they live

Every HTTP response has headers — metadata that rides alongside the page. Some are about caching or content type. A handful are about security: they tell the browser to switch on protections it won't enable on its own. Set them once at the server or framework level and every response carries them.

The headers worth knowing

Strict-Transport-Security (HSTS) tells the browser to only ever connect over HTTPS, even if someone types http://. It closes the window where a connection can be downgraded and intercepted.

X-Frame-Options (or the modern frame-ancestors directive) stops other sites from loading yours inside a hidden frame — the trick behind clickjacking, where a user thinks they're clicking one thing and are really clicking yours.

X-Content-Type-Options: nosniff stops the browser from second-guessing a file's type and running, say, an uploaded image as a script.

Content-Security-Policy (CSP) is the powerful one: it whitelists where scripts, styles, and images are allowed to come from, which shuts down most cross-site scripting. It's also the fiddliest to configure without breaking your own page.

Referrer-Policy controls how much of your URL is passed along when a user clicks out to another site — handy when your URLs contain anything you'd rather not leak.

Missing headers rarely cause a visible problem, which is exactly why they stay missing. Nothing breaks, no error shows up — the protection simply isn't there, and you only find out if someone goes looking or exploits the gap.

Check what your site sends right now

You don't have to guess which of these you're missing — a scan of your live URL shows exactly what's set and what's absent, in seconds:

free tool · no loginSecurity headers checkPaste your URL and see which security headers are set and which are missing, with what each one does. No login.

Adding them

Setting headers is framework-specific but rarely more than a config block. If you're on Next.js, we walk through exactly where they go — including the tricky CSP part — in how to add security headers in Next.js. They're also one line on the launch security checklist.

Set the headers, then keep the whole site watched.

The scanner above shows what's missing today. Tell Me When Down watches your site after — SSL that lapses, a page that goes down, an endpoint that starts erroring — free, no card, so you're not the last to know.

Watch my sitefree · no card required
more on shipping securely on a budget
The website launch security checklist nobody hands youYou get a deploy button, not a checklist — so most sites launch with the cert valid and nothing else checked. The four things to test from your URL in seconds, plus the code-side items that cost the most.Website down from an expired SSL certificateAn expired certificate is a full outage — every visitor hits a red warning, though the server's fine. Here's why auto-renewal still fails silently, why shrinking cert lifetimes make it likelier, and how to see it coming.My website says "Not Secure" — what it means and how to fix itThe "Not secure" label looks like a hack but usually isn't — it means your site isn't using HTTPS properly. Here's what the browser is really saying, and the common causes in plain language, fixed one by one.How to add security headers in Next.js (including CSP)Next.js sends no security headers by default. The static ones are a config block; the hard part is a CSP that helps without blocking your own scripts. Here's the nonce approach, the report-only trick, and the version caveat.SSL certificate expiry monitoring: why the calendar reminder failsA calendar reminder assumes your renewal works. But auto-renewal is a background job that fails silently, and cert lifetimes are dropping to 47 days by 2029. Here's why manual SSL tracking breaks, and what to monitor instead.Secure, HttpOnly, SameSite: the cookie flags that matterThree small flags — Secure, HttpOnly, SameSite — decide whether your session cookie is a locked token or the easiest thing to steal on your site. Here's what each closes, and how to check which your cookies set.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com