Launch Readiness Checker logo Launch Readiness Checker History
Launch Readiness Checker Security Headers

Security Headers: Add a Basic Response Hardening Layer

Security headers do not replace secure code, but they reduce common browser-side risks.

A public launch should include a sensible baseline.

What It Is

Security headers are HTTP response headers that instruct the browser how to handle framing, transport, MIME types, referrers, and related behavior.

Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

Why It Matters

  • They reduce avoidable exposure to common browser-level issues.
  • They help enforce safer defaults across public traffic.
  • They add trust and operational maturity to the deployment.

Best Practices

  1. Ship a minimal baseline such as HSTS, X-Content-Type-Options, and Referrer-Policy.
  2. Add X-Frame-Options or CSP framing rules where appropriate.
  3. Test headers after CDN and proxy layers, not just locally.

Common Mistakes

  • No security headers on production responses.
  • Setting headers only on one route instead of the whole app.
  • Breaking behavior with untested restrictive policies.

Quick Checklist

  • Baseline headers present.
  • Values tested on the public response.
  • No regressions introduced by policy rules.

Final Takeaway

Security headers are part of disciplined delivery. They should not be an afterthought.

Run this check on your own page

Open the tool and analyze a public URL to see this section inside the full report.

Back to checker

Continue to your tool account

Use Google or email. New tool accounts are created automatically the first time you continue.

Google logo Continue with Google Connecting to Google...
We'll email you a 6-digit one-time code. Entering it on the next screen signs you in and creates your tool account automatically if needed.