HTTP Security Headers: The Invisible Shield Protecting UK Websites
Content-Security-Policy, HSTS, X-Frame-Options, and other HTTP security headers defend UK websites against XSS, clickjacking, and data leakage. Here's what each one does.
What Are HTTP Security Headers?
HTTP security headers are directives sent from a web server to a browser, instructing it how to behave when handling the site's content. They are invisible to users but critical for defence against a wide range of web attacks. VP Pulse's Security Headers Scoreboard checks major UK domains against six key headers.
Content-Security-Policy (CSP)
CSP is the most powerful security header, and the most complex to implement correctly. It tells browsers exactly which sources are allowed to load scripts, styles, images, and other resources on your page. A well-configured CSP prevents cross-site scripting (XSS) attacks by blocking unauthorised script execution.
Example: Content-Security-Policy: default-src 'self'; script-src 'self' https://www.google-analytics.com; img-src 'self' data: https:;
Many UK organisations still run without any CSP, leaving users vulnerable to XSS if an attacker can inject content into the page.
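To make the source-matching rules concrete, here is an added example (not code from the article or from VP Pulse) that parses the CSP shown above and decides, for a handful of constructed resource loads on a page at the assumed origin https://example.org, which ones the policy permits. It is a deliberately small model of browser behaviour: it handles 'self', 'none', scheme sources such as https: and data:, host sources with an optional *. wildcard, and inline scripts (blocked unless 'unsafe-inline' is present), and it falls back to default-src when a fetch directive is absent. Nonces, hashes and the finer points of the CSP3 matching algorithm are left out.

```python
"""Minimal Content-Security-Policy evaluator (illustrative model, not a browser)."""
from __future__ import annotations

from urllib.parse import urlparse

# The article's example policy, used here as constructed input.
POLICY = ("default-src 'self'; "
          "script-src 'self' https://www.google-analytics.com; "
          "img-src 'self' data: https:;")

# Resource type -> governing directive; each falls back to default-src if absent.
FETCH_DIRECTIVES = {
    "script": "script-src", "img": "img-src", "style": "style-src",
    "connect": "connect-src", "font": "font-src", "frame": "frame-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, page_origin: str, url: str) -> bool:
    """Does one CSP source expression permit loading `url` on a page at `page_origin`?"""
    target = urlparse(url)
    if source == "'self'":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if source == "'none'":
        return False
    if source.endswith(":"):                      # scheme source: https:, data:, blob:
        return target.scheme == source[:-1]
    # Host source, optionally with scheme and a leading wildcard (https://*.example.com).
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    host = src.hostname or ""
    target_host = target.hostname or ""
    if host.startswith("*."):
        return target_host.endswith(host[1:])
    return target_host == host


def is_allowed(header: str, page_origin: str, resource_type: str, url: str | None) -> bool:
    """url=None models an inline resource such as <script>alert(1)</script>."""
    policy = parse_csp(header)
    sources = policy.get(FETCH_DIRECTIVES[resource_type], policy.get("default-src"))
    if sources is None:
        return True                               # neither directive nor default-src: unrestricted
    if url is None:
        return "'unsafe-inline'" in sources       # inline code is blocked unless explicitly allowed
    return any(source_matches(s, page_origin, url) for s in sources)


if __name__ == "__main__":
    ORIGIN = "https://example.org"                # assumed page origin (constructed)
    loads = [
        ("script", "https://example.org/app.js"),
        ("script", "https://www.google-analytics.com/analytics.js"),
        ("script", "https://evil.example/x.js"),   # constructed attacker-controlled host
        ("script", None),                          # inline script injected via XSS
        ("img", "data:image/png;base64,iVBORw0KGgo="),
        ("img", "http://cdn.example/a.png"),       # plain HTTP image
        ("style", "https://fonts.example/s.css"),  # no style-src, so default-src applies
    ]
    for kind, url in loads:
        verdict = "ALLOW" if is_allowed(POLICY, ORIGIN, kind, url) else "BLOCK"
        print(f"{verdict:5} {kind:6} {url or '<inline>'}")
```

The inline-script case is the one that matters for XSS: an injected script tag is refused because script-src lists only 'self' and the analytics host, and a script pulled from a host not on the list is refused for the same reason. Note that the page's own CSP would also need frame-ancestors to cover clickjacking, which this block does not model.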
HTTP Strict Transport Security (HSTS)
HSTS instructs browsers to only access your site over HTTPS, never plain HTTP, even if the user types http:// or clicks an old HTTP link. This prevents SSL stripping attacks where an attacker downgrades the connection.
The key parameters: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The preload directive, combined with submission to the HSTS Preload List, means browsers will enforce HTTPS even on the very first visit, before any HTTP response is received. This is required for an SSL Labs A+ grade.
X-Frame-Options
This header prevents your site from being embedded in an iframe on another domain, blocking clickjacking attacks where an attacker overlays a transparent iframe over a legitimate UI. Set to DENY to block all framing, or SAMEORIGIN to allow only same-origin framing.
Note: CSP's frame-ancestors directive supersedes X-Frame-Options in modern browsers, but both should be set for compatibility.
X-Content-Type-Options
This single-value header, X-Content-Type-Options: nosniff, prevents browsers from MIME-sniffing responses. Without it, a browser might execute a file uploaded as an image if it detects JavaScript content inside it, bypassing file type restrictions.
Referrer-Policy
This header controls how much referrer information is sent when users navigate from your site to external pages. Referrer-Policy: strict-origin-when-cross-origin sends the origin (domain) for same-origin requests and HTTPS cross-origin requests, but nothing for HTTP destinations, preventing URL-embedded tokens or user IDs from leaking to third parties.
Permissions-Policy
Formerly known as Feature-Policy, this header restricts which browser APIs third-party content on your page can access. Example: Permissions-Policy: camera=(), microphone=(), geolocation=(), preventing embedded analytics, adverts, or injected content from accessing the user's camera or location without explicit permission.
UK Website Header Scores
VP Pulse's Security Headers Scoreboard continuously audits major UK domains including BBC, GOV.UK, HMRC, and others. Government domains generally score well. Retail and hospitality sectors lag significantly, often lacking CSP and relying solely on HSTS and X-Content-Type-Options for a passing grade.
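The following is an added example, written for this article and not VP Pulse's scoreboard code, of how a six-header audit like the one described above can be expressed in code. It covers the HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy sections as well as the scoring: each header is marked "missing", "weak" or "ok", and the score is the count of "ok" results out of six. The two response header sets are constructed for the example, one well-configured site and one that mirrors the "HSTS and nosniff only" pattern the article describes; the thresholds (a one-year max-age, the set of referrer policies treated as safe, no 'unsafe-inline' or * in the script sources) are this example's assumptions, not the scoreboard's published criteria. It also includes a small HSTS parser that checks the three preload-list requirements (max-age of at least one year, includeSubDomains and preload).

```python
"""Audit a response's security headers against the six headers the article covers."""
from __future__ import annotations

# Constructed sample responses (not real scan results).
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.google-analytics.com; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {                                   # the "HSTS and nosniff only" pattern
    "strict-transport-security": "max-age=31536000",
    "x-content-type-options": "nosniff",
    "referrer-policy": "unsafe-url",               # leaks full URLs to every destination
}

ONE_YEAR = 31536000
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_hsts(value: str) -> tuple[int | None, bool, bool]:
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, subdomains, preload = None, False, False
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            max_age = int(token.split("=", 1)[1].strip().strip('"'))
        elif token == "includesubdomains":
            subdomains = True
        elif token == "preload":
            preload = True
    return max_age, subdomains, preload


def hsts_preload_eligible(value: str) -> bool:
    """Preload-list submission needs max-age >= 1 year, includeSubDomains and preload."""
    max_age, subdomains, preload = parse_hsts(value)
    return max_age is not None and max_age >= ONE_YEAR and subdomains and preload


def csp_script_sources(value: str) -> list[str]:
    """Sources governing scripts: script-src, else default-src, else nothing."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def csp_ok(value: str) -> bool:
    """A CSP that allows inline or wildcard scripts does not stop XSS (assumed threshold)."""
    sources = csp_script_sources(value)
    return bool(sources) and "'unsafe-inline'" not in sources and "*" not in sources


CHECKS = {
    "Content-Security-Policy": csp_ok,
    "Strict-Transport-Security": lambda v: (parse_hsts(v)[0] or 0) >= ONE_YEAR,
    "X-Frame-Options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Referrer-Policy": lambda v: v.strip().lower() in SAFE_REFERRER_POLICIES,
    "Permissions-Policy": lambda v: bool(v.strip()),
}


def audit(headers: dict[str, str]) -> tuple[dict[str, str], int]:
    """Case-insensitive header lookup; returns ({header: status}, score out of 6)."""
    lower = {name.lower(): value for name, value in headers.items()}
    report = {}
    for name, check in CHECKS.items():
        value = lower.get(name.lower())
        if value is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if check(value) else "weak"
    score = sum(1 for status in report.values() if status == "ok")
    return report, score


if __name__ == "__main__":
    for label, hdrs in (("well-configured", GOOD_HEADERS), ("retail-style", WEAK_HEADERS)):
        report, score = audit(hdrs)
        print(f"{label}: {score}/6")
        for name, status in report.items():
            print(f"  {status:8} {name}")
```

Run against a live site, the header dict would come from an HTTPS response; keep in mind that HSTS is only honoured by browsers when received over HTTPS, so an audit of the plain-HTTP response tells you nothing about it.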
How to Add Security Headers
Headers can be added at the server level (Nginx, Apache), CDN level (Cloudflare, Vercel), or application level (Next.js, Django, etc.):
- Cloudflare: Transform Rules (Modify Response Header)
- Vercel: vercel.json headers configuration
- Nginx: add_header directives in server block
- Apache: Header set directives in .htaccess or httpd.conf
- Next.js: next.config.js headers() function
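As an added example of the application-level option (this is illustrative code written for this article, not part of any of the frameworks or platforms listed above), the block below is a WSGI middleware that appends the six headers to every response from a Python web application; Django and most other Python frameworks expose a WSGI entry point that such a wrapper can sit around. The demo app, the header values and the small request driver are constructed for the example. Headers the application has already set take precedence, so a route that legitimately needs SAMEORIGIN framing keeps its own X-Frame-Options value.

```python
"""Application-level security headers: a WSGI middleware (illustrative)."""
from __future__ import annotations

from typing import Callable, Iterable

# Assumed baseline values; adjust script-src and friends to what your pages actually load.
SECURITY_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' https://www.google-analytics.com; "
     "img-src 'self' data: https:; frame-ancestors 'none'"),
    # Only meaningful on HTTPS responses; browsers ignore HSTS received over plain HTTP.
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and add any of SECURITY_HEADERS the app did not set itself."""

    def __init__(self, app: Callable, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = list(headers)

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def wrapped_start(status, response_headers, exc_info=None):
            merged = list(response_headers)        # never mutate the app's own list
            present = {name.lower() for name, _ in merged}
            for name, value in self.headers:
                if name.lower() not in present:    # application-set headers win
                    merged.append((name, value))
            return start_response(status, merged, exc_info)
        return self.app(environ, wrapped_start)


def hello_app(environ, start_response):
    """Constructed demo app that sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def framed_app(environ, start_response):
    """Constructed demo app for a page that must allow same-origin framing."""
    start_response("200 OK", [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<html></html>"]


def run_request(app: Callable, path: str = "/") -> tuple[str, dict[str, str], bytes]:
    """Drive a WSGI app in-process (no server) and return (status, headers, body)."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, body = run_request(SecurityHeadersMiddleware(hello_app))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Wrapping is a one-liner at the WSGI entry point (application = SecurityHeadersMiddleware(application)); the same pattern applies to the CDN and server-level options, which add the headers to every response without the application being aware of it.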
Check your UK domain's current security header score using VP Pulse's free domain scan. Results include which headers are present, which are missing, and a composite security score.