Security headers on your site — what each one does
What "security headers" are
Every time a browser loads a page on your site, the server (CloudFront, in our case) sends a set of response headers alongside the HTML. Visitors never see them, but they tell the browser how to handle the page: which other origins it may load scripts and images from, whether it can be embedded in an iframe, and so on.
A handful of these headers exist specifically for security. SiteGlowUp sets them by default; you don't need to do anything. (One deliberate exception, X-Frame-Options, is explained in the table below.)
What's set on your site
| Header | What it does | Customer action |
|---|---|---|
| Strict-Transport-Security | Tells the browser to use HTTPS for every later connection to your site, so an http:// link is upgraded before any request leaves the browser. Includes the preload directive, which is what lets the domain be carried in browsers' built-in HSTS lists so that even a visitor's very first request is protected. | None — set automatically |
| X-Content-Type-Options: nosniff | Stops browsers from guessing a file's type from its contents. A file served as text or an image can't be reinterpreted as a script or stylesheet, which closes off some attacks that rely on uploaded files. | None — set automatically |
| Referrer-Policy: strict-origin-when-cross-origin | Controls what the Referer header carries when a visitor follows a link. Navigations within your site get the full URL; links to other HTTPS sites get only your origin (no path or query string); nothing is sent if the destination is plain HTTP. | None — set automatically |
| Permissions-Policy | Disables camera, microphone and geolocation access by default, so neither your site nor anything embedded in it can prompt the browser for them. | None — set automatically |
| Content-Security-Policy | The big one. Restricts where scripts, styles, images and other resources may be loaded from, and who may embed your site (the frame-ancestors directive). The policy includes 'unsafe-inline' so the contact form works; scanners flag that value because it weakens CSP's protection against injected scripts. See Why CSP shows 'unsafe-inline'. | Dismiss if a scanner flags this |
| X-Frame-Options | Older anti-iframe header. Not set on purpose: the CSP frame-ancestors directive does the same job with finer control, and every current browser honours frame-ancestors in preference to X-Frame-Options when both are present. See Why X-Frame-Options is missing. | Dismiss if a scanner flags this |
| Cross-Origin-Resource-Policy: cross-origin | Allows images, fonts and embeds served from your site to load from both your custom domain and the CloudFront subdomain. This is the permissive value by design; it places no restriction on who can load those resources. | None |
| X-XSS-Protection: 1; mode=block | Legacy header for the built-in XSS filter of older browsers. Current Chrome, Edge and Firefox ignore it (Firefox never had the filter; Chrome removed its XSS Auditor in 2019), so it neither helps nor hurts modern visitors. Kept for compatibility with older browsers. | None |
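The checks in the table above are essentially what a scanner performs on your response headers. The script below is an added example (not SiteGlowUp code) that re-implements them offline, so you can see why the CSP row gets flagged while the missing X-Frame-Options is accepted once frame-ancestors is present. The sample response is constructed for the example: this page does not give SiteGlowUp's exact HSTS, Permissions-Policy or CSP strings, so those three values are assumptions.

```python
"""Offline audit of the security headers listed in the table above.

Added example, not SiteGlowUp code. SAMPLE_RESPONSE_HEADERS is constructed;
the HSTS, Permissions-Policy and CSP values are assumptions (the page only
says what those headers do, not their exact text).
"""
from typing import Dict, List

SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    # assumed value: the page only says HSTS is set with preload
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # assumed value: the page only says camera/microphone/geolocation are disabled
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    # assumed value: the page only says CSP includes 'unsafe-inline' and frame-ancestors
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline'; "
        "style-src 'self' 'unsafe-inline'; frame-ancestors 'none'"
    ),
    "Cross-Origin-Resource-Policy": "cross-origin",
    "X-XSS-Protection": "1; mode=block",
}

# Referrer-Policy values that never send the path/query to another origin.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}.
    Browsers honour only the first occurrence of a duplicated directive."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Resolve a directive the way a browser does: fetch directives such as
    script-src fall back to default-src when absent; frame-ancestors does not."""
    if directive in policy:
        return policy[directive]
    if directive == "frame-ancestors":
        return []
    return policy.get("default-src", [])


def parse_hsts(value: str) -> Dict[str, object]:
    """Extract max-age, includeSubDomains and preload from an HSTS header."""
    out: Dict[str, object] = {"max_age": 0, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip().lower()
        if token.startswith("max-age="):
            digits = token.split("=", 1)[1].strip().strip('"')
            out["max_age"] = int(digits) if digits.isdigit() else 0
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return one verdict per header in the table: 'ok', 'missing', 'warn: ...'
    or 'ok: ...' (accepted, with the reason a scanner would need to know)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out: Dict[str, str] = {}

    if "strict-transport-security" not in h:
        out["strict-transport-security"] = "missing"
    else:
        p = parse_hsts(h["strict-transport-security"])
        # The preload list requires max-age >= 1 year, includeSubDomains and preload.
        eligible = p["max_age"] >= 31536000 and p["include_subdomains"] and p["preload"]
        out["strict-transport-security"] = "ok" if eligible else "warn: not preload-eligible"

    out["x-content-type-options"] = (
        "ok" if h.get("x-content-type-options", "").lower() == "nosniff" else "missing")

    # Referrer-Policy may be a comma-separated list; the last known value wins.
    rp = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    out["referrer-policy"] = ("ok" if rp in SAFE_REFERRER_POLICIES
                              else "warn: weaker than strict-origin-when-cross-origin" if rp
                              else "missing")
    out["permissions-policy"] = "ok" if "permissions-policy" in h else "missing"

    policy = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if policy is None:
        out["content-security-policy"] = "missing"
    else:
        scripts = effective_sources(policy, "script-src")
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in scripts)
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            out["content-security-policy"] = "warn: 'unsafe-inline' in script-src"
        elif "'unsafe-inline'" in scripts:
            # Browsers that understand nonces/hashes ignore 'unsafe-inline' beside them.
            out["content-security-policy"] = "ok: 'unsafe-inline' is a legacy fallback"
        else:
            out["content-security-policy"] = "ok"

    # X-Frame-Options is redundant once CSP frame-ancestors is present.
    if policy is not None and "frame-ancestors" in policy:
        out["x-frame-options"] = "ok: covered by CSP frame-ancestors"
    else:
        out["x-frame-options"] = "ok" if "x-frame-options" in h else "missing"

    out["cross-origin-resource-policy"] = "ok" if "cross-origin-resource-policy" in h else "missing"
    out["x-xss-protection"] = "ok" if "x-xss-protection" in h else "ok: legacy, not required"
    return out


if __name__ == "__main__":
    for name, verdict in audit_headers(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{name:32} {verdict}")
```

Run it against a real response by replacing SAMPLE_RESPONSE_HEADERS with the header dictionary your HTTP client returns. The two verdicts that matter for this page are the CSP warning (the 'unsafe-inline' trade-off the linked article explains) and the X-Frame-Options line, which shows a scanner has no grounds to complain once frame-ancestors is in the policy.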
When a scanner flags something
If a tool like Mozilla Observatory or securityheaders.com flags your site:
- For CSP or X-Frame-Options — click Dismiss on the Health page. We've explained the trade-off in the linked help articles.
- For SSL/TLS — click Managed. AWS manages your cert and TLS config automatically; you can't change it yourself.
- For anything else — email support@siteglowup.ai with the scan output. Most of the time the scanner is checking for a header we already set under a slightly different name or value.
