What are security headers? A plain-English guide

Security headers are short instructions your server sends with every page, telling the browser how to behave safely — refuse to load over plain HTTP, don't let another site frame you, don't guess file types. They're among the cheapest security wins there are, and almost every new site ships without them.
You don't rewrite your app to add them; they're configuration. Here's what the ones that matter actually do, in plain English.
Where they live
Every HTTP response has headers — metadata that rides alongside the page. Some are about caching or content type. A handful are about security: they tell the browser to switch on protections it won't enable on its own. Set them once at the server or framework level and every response carries them.
The headers worth knowing
Strict-Transport-Security (HSTS) tells the browser to only ever connect over HTTPS, even if someone types http://. It closes the window where a connection can be downgraded and intercepted.
X-Frame-Options (or the modern frame-ancestors directive) stops other sites from loading yours inside a hidden frame — the trick behind clickjacking, where a user thinks they're clicking one thing and are really clicking yours.
X-Content-Type-Options: nosniff stops the browser from second-guessing a file's type and running, say, an uploaded image as a script.
Content-Security-Policy (CSP) is the powerful one: it whitelists where scripts, styles, and images are allowed to come from, which shuts down most cross-site scripting. It's also the fiddliest to configure without breaking your own page.
Referrer-Policy controls how much of your URL is passed along when a user clicks out to another site — handy when your URLs contain anything you'd rather not leak.
Check what your site sends right now
You don't have to guess which of these you're missing — a scan of your live URL shows exactly what's set and what's absent, in seconds:
free tool · no loginSecurity headers checkPaste your URL and see which security headers are set and which are missing, with what each one does. No login.Adding them
Setting headers is framework-specific but rarely more than a config block. If you're on Next.js, we walk through exactly where they go — including the tricky CSP part — in how to add security headers in Next.js. They're also one line on the launch security checklist.
Set the headers, then keep the whole site watched.
The scanner above shows what's missing today. Tell Me When Down watches your site after — SSL that lapses, a page that goes down, an endpoint that starts erroring — free, no card, so you're not the last to know.
spot something wrong or out of date? [email protected] — we'll fix it