Security headers are HTTP response directives that tell browsers how to behave when handling your website’s content. Implementing the right set of security headers is the fastest way to secure your website with an A+ rating on tools like SecurityHeaders.com and SSL Labs. This guide covers every required header, how to add it, and how to verify your A+ score.
What Is a Website Security Rating and Why Does It Matter?
A website security rating is a letter grade (A+ to F) assigned by independent scanners based on which HTTP security headers your server sends. An A+ rating means your site correctly implements all critical headers that prevent common browser-based attacks like cross-site scripting (XSS), clickjacking, MIME sniffing, and protocol downgrade attacks.
Google has confirmed that HTTPS and security posture factor into its trust signals. Beyond SEO, a poor security rating can trigger browser warnings, reduce user trust, and leave your site open to data theft. If you have faced a cyberattack on your website, you can also consult cyber expert Anuraag Singh for a professional security audit.
How to Check Your Current Website Security Rating?
Before making any changes, benchmark your current score:
- SecurityHeaders.com — Enter your domain to get an instant letter-grade report showing which headers are missing or misconfigured.
- SSL Labs (ssllabs.com/ssltest) — Tests your TLS configuration and certificate quality separately.
- Mozilla Observatory — Provides a combined view of HTTP headers, cookies, and TLS settings.
Run your domain through SecurityHeaders.com first. Note every red row — those are the headers you need to add. Related: understand how different types of cyberattacks target websites.
Which Security Headers Do You Need for an A+ Rating?
The following six headers are required by most scanners to achieve an A+ rating. Each section explains what the header does, the recommended value, and where to add it.
1. HTTP Strict-Transport-Security (HSTS)
HSTS forces browsers to connect to your site over HTTPS only, preventing protocol-downgrade attacks and cookie hijacking. Once a browser sees this header, it will refuse plain HTTP connections for the duration of the max-age period.
Recommended value:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
What each directive means:
- max-age=31536000 — Enforces HTTPS for one year (365 days).
- includeSubDomains — Applies the rule to all subdomains.
- preload — Allows your domain to be submitted to browser preload lists so HSTS is enforced even on the very first visit.
Important: Only add the preload directive after you have tested HSTS without it, because removing your domain from preload lists takes months.
2. Content-Security-Policy (CSP)
CSP is the most powerful — and most complex — security header. It tells the browser which sources of scripts, styles, images, and other resources are trusted. Any resource not on the whitelist is blocked, which prevents XSS attacks from injecting malicious scripts.
Starter value for most WordPress sites:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none';
Start with Content-Security-Policy-Report-Only mode to log violations without blocking content, then tighten the policy once you have reviewed the violation reports.
3. X-Frame-Options
This header controls whether your site can be embedded inside an <iframe> on another domain. Clickjacking attacks trick users by embedding your site invisibly inside a malicious page. Setting X-Frame-Options to DENY or SAMEORIGIN blocks this.
Recommended value:
X-Frame-Options: SAMEORIGIN
Use DENY if your site never needs to appear in any iframe, or SAMEORIGIN if your own pages embed content from the same domain. Note: CSP’s frame-ancestors directive supersedes X-Frame-Options in modern browsers, so set both for maximum compatibility.
4. X-Content-Type-Options
MIME sniffing is when a browser guesses a file’s content type rather than trusting what the server declares. Attackers exploit this to make browsers execute malicious files as scripts. This one-value header stops MIME sniffing completely.
Recommended value:
X-Content-Type-Options: nosniff
This is a simple header with no configuration options. Every site should include it.
5. Referrer-Policy
When a user clicks a link, browsers send a Referer header to the destination site revealing where the visitor came from. This can leak session tokens or sensitive URL parameters. Referrer-Policy gives you control over what is shared.
Recommended value:
Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL to same-origin requests (useful for analytics) but only the origin (no path or query string) to cross-origin destinations, and nothing at all when navigating from HTTPS to HTTP.
6. Permissions-Policy
Permissions-Policy (formerly Feature-Policy) controls which browser APIs and hardware features your pages can access — camera, microphone, geolocation, payment, and more. Restricting these reduces the risk of malicious third-party scripts abusing sensitive device features.
Recommended value:
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Adjust the list based on features your site genuinely uses. Empty parentheses () mean the feature is blocked entirely.
How to Add Security Headers to Your Website?
The method depends on your server or CMS. Below are the most common approaches.
Apache (.htaccess)
Add the following to your .htaccess file, wrapped in an <IfModule mod_headers.c> block so the directives are skipped (instead of breaking the site) if mod_headers is not loaded:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
</IfModule>
Nginx (nginx.conf or site config)
Add inside your server {} block. Note that Nginx does not merge add_header directives across levels: any location {} block that declares its own add_header drops every header inherited from the server block, so repeat the full set in such locations.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;
After editing, run nginx -t to validate the config and systemctl reload nginx to apply it.
WordPress Plugins
If you do not have direct server access, plugins like Headers and Footers by WPBeginner or HTTP Headers can inject security headers via PHP. However, server-level headers are always preferred because they are set before PHP executes and cannot be overridden by plugins.
How to Verify Your A+ Rating After Implementation?
After adding your headers, verify your score:
- Go to SecurityHeaders.com → enter your domain → check the grade. All rows should be green.
- Open your browser DevTools (F12) → Network tab → click any request → inspect the Response Headers section to confirm each header is present.
- Run SSL Labs to confirm your TLS configuration earns an A or A+ separately.
- Re-check after deploying any new plugin or CDN, as these can remove or override headers you have set.
If you see orange or red rows on SecurityHeaders.com, compare the exact header name against your server config for typos. A single misspelled directive will cause that header to be ignored entirely.
What Are Common Mistakes That Prevent an A+ Rating?
- Mixed content — Serving HTTP resources on an HTTPS page breaks HSTS and can lower your SSL Labs grade.
- Overly permissive CSP — Using 'unsafe-eval' or * wildcard sources defeats the purpose of CSP and may downgrade your score.
- Missing preload on HSTS — SecurityHeaders.com requires the preload directive for an A+ (not just A).
- CDN stripping headers — Some CDN configurations strip custom response headers. Check your CDN’s “Response Header” pass-through settings.
- Plugin conflicts — Security plugins that manage headers can conflict with server-level headers, resulting in duplicate or contradictory values.
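The verification steps and the common mistakes above, as an added example that is not code from the original article: a small Python script that audits one response's headers against the values this guide recommends, flagging missing headers, a short or incomplete HSTS value, and the 'unsafe-eval', wildcard and missing frame-ancestors CSP problems. The function names audit_headers and fetch_headers are assumptions of this example, and the two sample header sets are constructed, not captured from any real site.

```python
import re
from urllib.request import urlopen

HSTS_MIN_AGE = 31536000  # one year, the value this guide recommends
REQUIRED = ("strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy")

def audit_headers(headers):
    """Return a list of findings for one response's headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing: {n}" for n in REQUIRED if n not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("hsts: max-age below one year")
        for directive in ("includeSubDomains", "preload"):
            if directive.lower() not in hsts.lower():
                findings.append(f"hsts: {directive} missing")
    csp = h.get("content-security-policy", "")
    if csp:
        if "'unsafe-eval'" in csp:
            findings.append("csp: 'unsafe-eval' present")
        if re.search(r"(^|[;\s])\*([;\s]|$)", csp):  # a bare * source allows any origin
            findings.append("csp: wildcard * source")
        if "frame-ancestors" not in csp:
            findings.append("csp: frame-ancestors not set")
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("x-content-type-options: value is not nosniff")
    return findings

def fetch_headers(url, timeout=10):
    # Live check against your own site (needs network); the audit itself runs offline.
    with urlopen(url, timeout=timeout) as resp:
        return dict(resp.getheaders())

# Constructed samples (not captured from a real site): the guide's recommended set, and a weak set.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none';",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-eval'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}
```

Run audit_headers(fetch_headers("https://your-domain.example/")) after deploying, and again after adding any plugin or CDN, since those are the points where headers silently disappear.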
How to Report a Website Security Issue?
If you have discovered a vulnerability on your own website or a client’s website, report it responsibly:
- Report to CERT-In at cert-in.org.in for Indian websites.
- Contact the website owner’s security team via their published security.txt or responsible disclosure policy.
- If your website has been compromised, call Cyber Crime Helpline 1930 or file a complaint at cybercrime.gov.in.
For a professional website security audit and hands-on help implementing security headers, contact cyber expert Anuraag Singh.