HOW TO FIX MISSING SECURITY HEADERS

To fix missing security headers, first identify which headers are missing using ScanMyVibe at scanmyvibe.co/scan. The most important headers to add are Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. ScanMyVibe provides AI-generated fix prompts for each missing header that you can paste directly into Cursor or Copilot.

Check your website now with ScanMyVibe — 150+ checks, AI fix prompts, no signup.


Essential Security Headers Every Website Needs

Security headers are HTTP response headers that instruct the browser how to behave when handling your site content. Missing headers leave your site vulnerable to XSS, clickjacking, MIME sniffing, and other attacks.

  • Content-Security-Policy (CSP) — Prevents XSS by controlling which resources can load
  • Strict-Transport-Security (HSTS) — Forces HTTPS connections, prevents downgrade attacks
  • X-Frame-Options — Prevents clickjacking by blocking iframe embedding
  • X-Content-Type-Options: nosniff — Prevents MIME type sniffing
  • Referrer-Policy — Controls how much referrer information is shared
  • Permissions-Policy — Restricts browser feature access (camera, microphone, etc.)
  • X-XSS-Protection: 0 — Disables legacy XSS filter (use CSP instead)

How to Add Headers in Different Frameworks

The method for adding security headers varies by framework and hosting platform. In Next.js, use the headers() function in next.config.js. In Express.js, use the helmet middleware. In Nginx, add headers in the server or location block. In Apache, use the Header directive in .htaccess. ScanMyVibe detects your framework and generates framework-specific fix prompts automatically.

Verify Your Headers with ScanMyVibe

After adding headers, verify they are correctly configured by running a scan at scanmyvibe.co/scan. ScanMyVibe checks not just for header presence but also for correct values. For example, a CSP header with unsafe-inline may be present but still insecure. ScanMyVibe flags these nuances and provides specific remediation guidance.
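
The difference between a header being present and being correct can be checked locally. The following is an added example, not ScanMyVibe's code or rule set: the function names, the 180-day HSTS floor and the finding strings are assumptions made for illustration.

```javascript
// Audit response headers for presence AND value.
// Rules and thresholds are assumptions, not ScanMyVibe's actual checks.
const MIN_HSTS_MAX_AGE = 15552000; // assumed floor: 180 days, in seconds
const REQUIRED = ['content-security-policy', 'strict-transport-security',
  'x-frame-options', 'x-content-type-options', 'referrer-policy'];
// "a-src x y; b-src z" -> Map { 'a-src' => ['x','y'], 'b-src' => ['z'] }
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // Browsers honour only the first occurrence of a directive.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function auditSecurityHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = new Map(Object.entries(rawHeaders)
    .map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const csp = parseCsp(h.get('content-security-policy') || '');
  const findings = [];
  for (const name of REQUIRED) {
    // CSP frame-ancestors covers framing, so X-Frame-Options is optional then.
    if (name === 'x-frame-options' && csp.has('frame-ancestors')) continue;
    if (!h.has(name)) findings.push(`missing: ${name}`);
  }
  if (h.has('content-security-policy')) {
    // Scripts fall back to default-src when script-src is absent.
    const scriptSrc = csp.get('script-src') || csp.get('default-src');
    // A nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    const pinned = (scriptSrc || []).some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    if (!scriptSrc) findings.push('weak: content-security-policy does not restrict scripts');
    else if (scriptSrc.includes("'unsafe-inline'") && !pinned)
      findings.push("weak: content-security-policy allows 'unsafe-inline' scripts");
  }
  if (h.has('strict-transport-security')) {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(h.get('strict-transport-security'));
    if (!m || Number(m[1]) < MIN_HSTS_MAX_AGE)
      findings.push('weak: strict-transport-security max-age is missing or too short');
  }
  if (h.has('x-content-type-options') && h.get('x-content-type-options').toLowerCase() !== 'nosniff')
    findings.push('weak: x-content-type-options must be nosniff');
  if (h.has('x-frame-options') && !/^(deny|sameorigin)$/i.test(h.get('x-frame-options')))
    findings.push('weak: x-frame-options must be DENY or SAMEORIGIN');
  return findings;
}
// Constructed sample: CSP present but weak, the other four headers missing.
console.log(auditSecurityHeaders({ 'Content-Security-Policy': "default-src 'self' 'unsafe-inline'" }));
```

To audit a live response, pass in the headers object from your HTTP client, for example Object.fromEntries(response.headers) with fetch.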
