Practical website security

Check and improve your website security headers

HTTP response headers give browsers instructions that can reduce common risks such as clickjacking, content injection, MIME confusion and accidental information leakage. Here is a practical way to check your site and improve it safely with Cloudflare.

Scan Your Website Ask Us to Review It

1. Run a baseline scan

  1. Open SecurityHeaders.com.
  2. Enter your public HTTPS website address.
  3. Record the grade and the missing or weak headers.
  4. Repeat the scan after each controlled change.

A strong scanner grade is useful, but it does not prove that a website is secure. It measures a specific layer of browser-facing protection, not application vulnerabilities, authentication, patching or server configuration.

2. Understand the main headers

Content-Security-Policy
Controls which scripts, styles, images, frames and connections the browser may load.
Strict-Transport-Security
Tells browsers to use HTTPS for future visits after a secure connection has been established.
Frame protection
Use CSP frame-ancestors, and where appropriate X-Frame-Options, to reduce clickjacking risk.
X-Content-Type-Options
nosniff prevents browsers from guessing a different content type.
Referrer-Policy
Limits how much referring-page information is sent to other websites.
Permissions-Policy
Restricts browser capabilities such as camera, microphone and geolocation when they are not required.

3. Add headers with Cloudflare

  1. Confirm the domain is using Cloudflare DNS and the relevant record is proxied.
  2. In Cloudflare, review Managed Transforms and enable the security-header option where it suits the site.
  3. For site-specific requirements, create a Response Header Transform Rule that sets the required response headers.
  4. Apply rules to the intended hostname or paths rather than assuming one policy fits every application.
  5. Purge relevant cache entries if necessary, then inspect the browser response headers and scan again.

Cloudflare documents both Managed Transforms and Response Header Transform Rules.

Test before enforcing

A sensible improvement cycle

Scan → document → change one control → test → rescan → monitor.

This approach produces a defensible improvement without chasing a grade at the expense of a working website.

Need help reviewing a site or implementing Cloudflare response headers safely?

Book a Security Review