Security headers are one of the simplest ways to improve a website's browser-side security posture, but they are often either ignored or copied blindly from somebody else's stack. Both approaches cause problems. Serving no headers leaves useful protections on the table, while badly chosen headers can break your site.
This guide explains how to set up the most common security headers on Apache or Nginx in a practical way.
Start with the low-risk wins
Headers such as X-Content-Type-Options, X-Frame-Options and a sensible Referrer-Policy are usually straightforward and low risk to implement.
Be more careful with Content Security Policy
CSP is powerful, but it is the easiest header to get wrong. Plan it around what your site actually loads rather than copying a random policy and wondering why half the front end breaks.
Apply changes, then test properly
Do not just assume the headers are being served. Check responses, test important user journeys and confirm you have not broken integrations or embedded content.
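The three steps above, as one added example that is not part of the original article: a POSIX shell script that renders the low-risk headers plus a site-specific CSP as an Nginx include file (with the Apache mod_headers equivalent), then checks a captured response for the headers that should be there. The CDN origin, the chosen Referrer-Policy value and the sample response are assumptions chosen for illustration; the Nginx and Apache directives themselves are the servers' real syntax.

```shell
#!/bin/sh
# Added example (not the article's own code). Assumes Nginx with the core
# ngx_http_headers_module ("add_header ... always") and Apache with mod_headers
# ("Header always set ..."). CSP source lists are placeholders to replace with
# the origins your site actually loads from.

# Origins the site really loads scripts and styles from (placeholders).
SCRIPT_SRC="'self' https://cdn.example.com"
STYLE_SRC="'self'"
CSP_VALUE="default-src 'self'; script-src $SCRIPT_SRC; style-src $STYLE_SRC; frame-ancestors 'self'"

# Print the Nginx directives. "always" makes Nginx emit the header on error
# responses (4xx/5xx) as well, not only on 2xx/3xx.
render_nginx_headers() {
    printf '%s\n' \
        'add_header X-Content-Type-Options "nosniff" always;' \
        'add_header X-Frame-Options "SAMEORIGIN" always;' \
        'add_header Referrer-Policy "strict-origin-when-cross-origin" always;' \
        "add_header Content-Security-Policy \"$CSP_VALUE\" always;"
}

# Same policy for Apache (mod_headers). "always" covers error responses here too.
render_apache_headers() {
    printf '%s\n' \
        'Header always set X-Content-Type-Options "nosniff"' \
        'Header always set X-Frame-Options "SAMEORIGIN"' \
        'Header always set Referrer-Policy "strict-origin-when-cross-origin"' \
        "Header always set Content-Security-Policy \"$CSP_VALUE\""
}

# Write the Nginx directives to an include file in the given directory and
# print the file's path, so it can be pulled in with `include` from a server block.
write_nginx_snippet() {
    dir="$1"
    file="$dir/security-headers.conf"
    render_nginx_headers > "$file"
    printf '%s\n' "$file"
}

# Given raw response headers (in real use: curl -sI https://your-site.example),
# print each expected header that is missing. Returns 0 if all are present,
# 1 otherwise. Header names are matched case-insensitively, as HTTP requires.
check_headers() {
    headers="$1"
    missing=0
    for name in X-Content-Type-Options X-Frame-Options Referrer-Policy Content-Security-Policy; do
        if ! printf '%s\n' "$headers" | grep -qi "^$name:"; then
            printf 'missing: %s\n' "$name"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample response: the three low-risk headers are served but the
# CSP is not, a typical result of putting add_header in a location block that
# has its own add_header lines (Nginx then ignores the parent's headers).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin'

# Stand-alone demo: ./headers.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    echo "Nginx include written to: $(write_nginx_snippet "$tmp")"
    cat "$tmp/security-headers.conf"
    echo "--- Apache equivalent ---"
    render_apache_headers
    echo "--- Checking sample response ---"
    check_headers "$SAMPLE_RESPONSE" || echo "some headers are not being served"
fi
```

After including the generated file, validate the configuration (`nginx -t` or `apachectl configtest`) before reloading, then run `check_headers` over the output of `curl -sI` for each important page, not just the home page: in Nginx, a `location` block that declares any `add_header` of its own drops every header inherited from the enclosing `server` block, so a header can be present on one path and silently absent on another.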
Final thoughts
Basic security headers are worth adding to most sites, but they should be deliberate. A small amount of planning now saves a lot of front-end confusion later.
