Practical website security
Check and improve your website security headers
HTTP response headers give browsers instructions that can reduce common risks such as clickjacking, content injection, MIME confusion and accidental information leakage. Here is a practical way to check your site and improve it safely with Cloudflare.
1. Run a baseline scan
- Open SecurityHeaders.com.
- Enter your public HTTPS website address.
- Record the grade and the missing or weak headers.
- Repeat the scan after each controlled change.
A strong scanner grade is useful, but it does not prove that a website is secure. It measures a specific layer of browser-facing protection, not application vulnerabilities, authentication, patching or server configuration.
2. Understand the main headers
Controls which scripts, styles, images, frames and connections the browser may load.
Tells browsers to use HTTPS for future visits after a secure connection has been established.
Use CSP
frame-ancestors, and where appropriate X-Frame-Options, to reduce clickjacking risk.nosniff prevents browsers from guessing a different content type.Limits how much referring-page information is sent to other websites.
Restricts browser capabilities such as camera, microphone and geolocation when they are not required.
3. Add headers with Cloudflare
- Confirm the domain is using Cloudflare DNS and the relevant record is proxied.
- In Cloudflare, review Managed Transforms and enable the security-header option where it suits the site.
- For site-specific requirements, create a Response Header Transform Rule that sets the required response headers.
- Apply rules to the intended hostname or paths rather than assuming one policy fits every application.
- Purge relevant cache entries if necessary, then inspect the browser response headers and scan again.
Cloudflare documents both Managed Transforms and Response Header Transform Rules.
Test before enforcing
- A restrictive Content Security Policy can break forms, analytics, payment providers, embedded content and third-party scripts.
- Use
Content-Security-Policy-Report-Onlyfirst when developing a complex policy and review violations before enforcement. - Do not enable HSTS until the website and every affected subdomain work correctly over HTTPS. Be especially cautious with
includeSubDomainsand preload. - Test logins, forms, file downloads, media, mobile layouts and integrations after each change.
- Keep a record of the previous values so changes can be rolled back quickly.
A sensible improvement cycle
Scan → document → change one control → test → rescan → monitor.
This approach produces a defensible improvement without chasing a grade at the expense of a working website.