Website-Pflichtencheckby Jurono
SecurityWebsiteTechnicalMaintenancePrivacy

Security headers: the underrated website check for browser protection

HTTP security headers such as CSP, HSTS, and Referrer-Policy are small configurations with large impact. Website teams should treat them as maintenance, not as a one-time scan.

By Jurono
Updated: July 7, 2026

Many website projects only look at security when something visibly breaks: login fails, form spam explodes, a plugin vulnerability appears, or a client asks for a security scan. But there is a quieter baseline that should be checked much earlier: HTTP security headers.

Security headers are not a firewall and they do not replace clean code. But they give the browser clear rules: which sources may load scripts, whether the site should always use HTTPS, how much referrer information is sent to external services, and whether the page may be embedded in other sites.

OWASP describes HTTP headers as an easy-to-implement booster for web security. MDN documents, among other things, that Content Security Policy can restrict loaded resources and help guard against cross-site scripting, HSTS tells browsers to use HTTPS for future requests, and Referrer-Policy controls how much referrer information is sent with requests.

Why headers belong in website audits

For small business sites, WordPress projects, SaaS landing pages, and agency builds, headers are often split across hosting, CMS, CDN, framework, and reverse proxy. That is where gaps appear:

  • The CDN sets HSTS, but the staging domain breaks.
  • The framework sets default headers, but the reverse proxy overwrites them.
  • A cookie banner or chat widget needs external scripts and the CSP is opened too widely.
  • Referrer-Policy is missing and campaign URLs with parameters are unnecessarily sent to third parties.
  • X-Powered-By exposes framework details without benefit.
  • Old headers such as X-XSS-Protection are copied blindly, even though modern guidance usually focuses on CSP instead.

The problem is rarely one missing header. The problem is that nobody knows which layer controls them.

The practical minimum check

A website check should not just paste an online scanner score. A better audit is small and reproducible:

  1. Test production: which headers are delivered on the homepage, subpages, login, forms, and checkout?
  2. Check redirects: does HTTP reliably redirect to HTTPS? Are headers set after the final redirect?
  3. Review CSP honestly: is there a real policy, or mostly unsafe-inline and wildcards?
  4. Roll out HSTS carefully: test with a short duration first; use long durations and subdomains only when certificates and subdomains are under control.
  5. Set Referrer-Policy: for many sites, strict-origin-when-cross-origin is a useful starting point.
  6. Prevent MIME sniffing: use X-Content-Type-Options: nosniff and serve correct content types.
  7. Control embedding: use CSP frame-ancestors if pages should not be embedded elsewhere.
  8. Review caching for sensitive pages: login, account, checkout, and internal areas need different rules from public assets.

CSP without self-destruction

Content Security Policy is powerful, but it is also the header most likely to break a site. A policy that is too strict can break forms, payments, tracking, videos, or consent banners. A policy that is too loose looks good but protects little.

A safer rollout looks like this:

  • Inventory external scripts, styles, images, frames, and APIs.
  • Start with Content-Security-Policy-Report-Only.
  • Collect violations and decide deliberately what must be allowed.
  • Enforce gradually.
  • Treat every new third-party integration as a CSP change.

For agencies, this is a useful handover point. If a client later adds a new tracking pixel, it should be clear that this is not only marketing work. It changes security configuration too.

Headers as maintenance

Security headers are not a one-time ticket. They change with hosting, CDN, framework, plugins, and third-party tools. They belong in maintenance:

  • Recheck after relaunches or hosting migrations.
  • Compare headers after CDN or proxy changes.
  • Test CSP after new form, payment, chat, or tracking tools.
  • Run a header scan once per quarter.
  • Document header ownership in the repository or operations handbook.

Conclusion

HTTP security headers are boring in the best way. They do not make a landing page prettier and they do not sell the product. But they reduce unnecessary attack surface, protect users, and show whether a website team controls its infrastructure. A good website check should therefore review not only plugins, performance, and cookie banners, but also the headers the browser actually receives.

Sources

Note: This article is a technical overview and does not constitute legal advice.

Jurono logo

Jurono

Technical website audits, website fixes, and AI code rescue for small businesses, practices, law firms, and founders in Germany.

Get our free security checklist before you go.

Download free PDF

Matching offers

Move forward directly

Based on the topics in this article — without a long search.

Pflichtencheck Pro

When the website matters, but nobody knows which technical required signals, risks, and fixes actually have priority.

549

Audit, assessment, and concrete action plan within 3-5 business days.

  • Everything from the Quick Scan, assessed and documented in more depth
  • Concrete findings for cookie, tracking, and external service signals
  • Visible required areas checked technically, without legal advice
Request Pflichtencheck Pro

Website Protection & Maintenance

For small businesses without an internal web team that need ongoing technical calm instead of occasional emergencies.

279/month

Monthly technical support after a short onboarding check.

  • Updates and backups supported in a controlled way depending on system access
  • Monthly short check for new technical findings
  • Up to 90 minutes of small changes or fixes per month
Get clarity with Website Protection & Maintenance

Website Quick Scan

When nobody is sure which scripts, cookie signals, or technical risks are currently running on the site.

249

Technical first assessment and clear priorities within two business days.

  • Quickly see whether tracking, cookies, external services, or HTTPS look suspicious
  • Mobile, load time, and technical issues explained in plain language
  • The most important points in a short priority list
Start Website Quick Scan

Get clarity before you commit to fixes.

Start with a technical check. If the findings are minor, you can stop there, hand the report to your existing team, or book targeted fixes later.

Technical audit and implementation, not legal advice. I check visible signals, integrations, and delivery issues; legal texts and binding legal assessments remain the work of lawyers or privacy consultants.

Security headers: the underrated website check for browser protection