Security Headers

Configure HTTP security headers to protect against common attacks.

Last updated Feb 3, 2025

What are Security Headers?

Security headers are HTTP response headers that tell browsers how to behave when handling your site's content. They help protect against cross-site scripting (XSS), clickjacking, and other common attacks.

Go to ArmorPro → Headers to configure your security headers.

Basic Headers (Free)

X-Content-Type-Options

Value: nosniff

Prevents browsers from MIME-type sniffing. Without this, a browser might interpret a response as a different content type than the one the server declared, potentially executing malicious content.

Recommendation: Always enable.

X-Frame-Options

Options: DENY or SAMEORIGIN

Prevents your site from being embedded in iframes, protecting against clickjacking attacks where attackers overlay invisible frames to hijack clicks.

  • DENY — Never allow framing (most secure)
  • SAMEORIGIN — Only allow framing from your own domain

Recommendation: Use SAMEORIGIN unless you have a specific reason to block all framing.

Referrer-Policy

Options: Various (see below)

Controls how much referrer information is sent when users navigate away from your site.

  • no-referrer — Never send referrer (most private)
  • strict-origin-when-cross-origin — Send the full URL to your own origin, only the origin to other sites, and nothing when going from HTTPS to HTTP (recommended)
  • no-referrer-when-downgrade — Send referrer except when going from HTTPS to HTTP

Recommendation: Use strict-origin-when-cross-origin.

X-XSS-Protection

Value: 1; mode=block

Enables the browser's built-in XSS filter. While modern browsers have moved away from this, it doesn't hurt to include it for older browsers.

Recommendation: Enable for compatibility with older browsers.

Advanced Headers (Pro)

Strict-Transport-Security (HSTS)

Tells browsers to only connect to your site via HTTPS, even if the user types http://.

Options:

  • max-age — How long (in seconds) to remember this setting (1 year recommended)
  • includeSubDomains — Apply to all subdomains
  • preload — Marks the site as eligible for the browser HSTS preload lists (submitting the site to the list is a separate step)

Warning

Only enable HSTS if you're 100% committed to HTTPS. Once enabled with a long max-age, you cannot easily go back to HTTP.

Content-Security-Policy (CSP)

Defines which sources are allowed to load content on your site. This is the most powerful security header but also the most complex.

Common directives:

  • default-src — Default policy for all content types
  • script-src — Where scripts can be loaded from
  • style-src — Where stylesheets can be loaded from
  • img-src — Where images can be loaded from
  • font-src — Where fonts can be loaded from
  • connect-src — Where AJAX/fetch requests can go

ArmorPro Pro provides a CSP builder to help you create a policy without writing raw headers. Start with report-only mode to identify issues before enforcing.

Permissions-Policy

Controls which browser features your site can use:

  • camera — Access to camera
  • microphone — Access to microphone
  • geolocation — Access to location
  • payment — Payment request API

If your site doesn't use these features, disable them to prevent potential abuse.
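Putting the CSP directives listed above and the Permissions-Policy feature list together, here is an added Python example (not ArmorPro's own CSP builder) that serialises a directive map into the two header values, switches between enforcing and report-only mode, and flags the weak settings a first-draft policy usually contains. The sample policy and the fonts.example host are constructed for the example.

```python
"""Build Content-Security-Policy and Permissions-Policy header values.

Added example for this page; not ArmorPro's own CSP builder. The directive
names come from the page; the starting policy below is a constructed sample.
"""
from typing import Dict, Iterable, List, Tuple

# Keywords that must be single-quoted in a CSP source list (host names are not).
_CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def _quote(source: str) -> str:
    """CSP keywords are written in single quotes: 'self', 'none', ..."""
    return f"'{source}'" if source in _CSP_KEYWORDS else source


def build_csp(directives: Dict[str, Iterable[str]]) -> str:
    """Serialise a directive map into one Content-Security-Policy value.

    Each directive becomes "name source source", joined by "; " in insertion
    order, e.g. {"default-src": ["self"]} -> "default-src 'self'".
    """
    parts = []
    for name, sources in directives.items():
        parts.append(" ".join([name] + [_quote(s) for s in sources]))
    return "; ".join(parts)


def csp_header(directives: Dict[str, Iterable[str]], report_only: bool = False) -> Tuple[str, str]:
    """Return (header name, header value).

    In report-only mode the browser reports violations without blocking
    anything, which is the safe way to trial a policy before enforcing it.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, build_csp(directives)


def review_csp(directives: Dict[str, Iterable[str]]) -> List[str]:
    """Flag the weaknesses most often found in a first-draft policy."""
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src: any directive you forgot is unrestricted")
    for name in ("script-src", "default-src"):
        sources = set(directives.get(name, []))
        if "unsafe-inline" in sources:
            findings.append(f"{name} allows 'unsafe-inline': inline scripts still run, which is the main XSS vector")
        if "*" in sources:
            findings.append(f"{name} allows *: content may load from any origin")
    return findings


def build_permissions_policy(features: Dict[str, Iterable[str]]) -> str:
    """Serialise Permissions-Policy as feature=(allowlist); "()" disables a feature.

    Allowlist entries are "self" (unquoted in this header) or double-quoted origins.
    """
    parts = []
    for feature, allow in features.items():
        entries = " ".join(a if a == "self" else f'"{a}"' for a in allow)
        parts.append(f"{feature}=({entries})")
    return ", ".join(parts)


# Constructed starting policy for a site that hosts its own scripts and pulls
# fonts from a hypothetical fonts CDN. 'unsafe-inline' is left in on purpose
# so review_csp has something to report.
SAMPLE_CSP = {
    "default-src": ["self"],
    "script-src": ["self", "unsafe-inline"],
    "style-src": ["self"],
    "img-src": ["self", "data:"],
    "font-src": ["self", "https://fonts.example"],
    "connect-src": ["self"],
}

# Constructed: camera, microphone and payment are unused, so they are disabled.
SAMPLE_PERMISSIONS = {
    "camera": [],
    "microphone": [],
    "geolocation": ["self"],
    "payment": [],
}

if __name__ == "__main__":
    name, value = csp_header(SAMPLE_CSP, report_only=True)
    print(f"{name}: {value}")
    for finding in review_csp(SAMPLE_CSP):
        print("finding:", finding)
    print("Permissions-Policy:", build_permissions_policy(SAMPLE_PERMISSIONS))
```

Run it as-is to see the report-only header you would deploy first; once the browser's violation reports are clean, call csp_header with report_only=False to switch to the enforcing header name with the same value.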

Testing Your Headers

After configuring headers, verify they're working:

  1. Visit securityheaders.com
  2. Enter your site URL
  3. Review your grade and any missing headers

Aim for an A grade. With all basic headers enabled, you should easily achieve this.

Duplicate Header Prevention

Some hosts or plugins may add their own security headers, causing duplicates. ArmorPro automatically detects and removes duplicate headers to prevent conflicts.

If you see warnings about duplicates in the ArmorPro dashboard, check:

  • Your hosting control panel's security settings
  • Other security plugins
  • .htaccess rules (if on Apache)
  • Server configuration
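To check the points from the Testing Your Headers and Duplicate Header Prevention sections on your own machine, here is an added Python example (not ArmorPro's duplicate detection and not the securityheaders.com grader) that parses a raw response header block, keeps every occurrence of each header so duplicates are visible, and checks the recommendations given on this page. The response text is constructed for the example and example.test is a placeholder host.

```python
"""Audit the security headers of a raw HTTP response, including duplicates.

Added example for this page; not ArmorPro's own detection code and not the
securityheaders.com grader. The one-year HSTS threshold (31536000 seconds)
is the recommendation stated on the page.
"""
from typing import Dict, List

ONE_YEAR = 31536000

# Constructed response of the kind `curl -sI https://example.test` prints
# (example.test is a placeholder host). X-Frame-Options is set twice on
# purpose, as happens when a host panel and a plugin both add it.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=86400
Content-Security-Policy-Report-Only: default-src 'self'
"""

RECOMMENDED_REFERRER = {"no-referrer", "strict-origin-when-cross-origin"}
SECURITY_PREFIXES = ("x-", "strict-", "content-security", "referrer", "permissions")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Group values by lower-cased header name, keeping every occurrence."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS value, or -1 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: List[str] = []

    # Duplicates: two sources each set the same header (host panel, .htaccess,
    # another plugin). Browsers pick one or reject both, so flag them first.
    for name, values in h.items():
        if len(values) > 1 and name.startswith(SECURITY_PREFIXES):
            findings.append(f"duplicate {name}: {values}")

    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    xfo = h.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    rp = h.get("referrer-policy", [""])[0].lower()
    if rp not in RECOMMENDED_REFERRER:
        findings.append(f"Referrer-Policy is '{rp or 'missing'}', recommend strict-origin-when-cross-origin")

    age = hsts_max_age(h.get("strict-transport-security", [""])[0])
    if age < 0:
        findings.append("Strict-Transport-Security missing")
    elif age < ONE_YEAR:
        findings.append(f"HSTS max-age={age} is shorter than one year ({ONE_YEAR})")

    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only: violations are reported, nothing is blocked yet")
        else:
            findings.append("Content-Security-Policy missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("finding:", finding)
```

Paste the header block of a real response (for example the output of `curl -sI` against your site) into SAMPLE_RESPONSE to run the same checks against it; a duplicate finding points you at the sources listed above (hosting panel, other plugins, .htaccess, server configuration) rather than at ArmorPro's own settings.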