TrustYourWebsite

Free Security Headers Checker

Enter your URL to check which security headers are present and get a grade with specific recommendations to improve your security posture.

How it works

  1. Enter your URL

     Paste your website address into the checker above.

  2. We check the headers

     The tool fetches your page and inspects all HTTP security headers against best practices.

  3. Review your grade

     See which headers are present, missing or misconfigured with plain-language explanations.

What this tool checks

  • Strict-Transport-Security (HSTS)

    Forces HTTPS connections and prevents downgrade attacks.

  • Content-Security-Policy (CSP)

    Controls which resources the browser can load to block XSS attacks.

  • X-Frame-Options

    Prevents clickjacking by blocking your site from being embedded in iframes.

  • X-Content-Type-Options

    Stops browsers from guessing content types, blocking MIME-sniffing attacks.

  • Referrer-Policy and Permissions-Policy

    Controls referrer information sharing and browser feature access.

Why security headers matter

Security headers are instructions your web server sends to browsers along with every page. They tell the browser what it is allowed to do and what it should block. Without them your site is more vulnerable to cross-site scripting (XSS), clickjacking, data injection and man-in-the-middle attacks.

Most modern web frameworks make it straightforward to add security headers. A few lines of configuration can block entire classes of attacks. Yet many websites still ship without basic headers because they are invisible to the naked eye.

Google also considers HTTPS and security signals as ranking factors. A properly secured site not only protects your visitors but can perform better in search results.

GDPR Article 32 and security headers

Article 32 of the GDPR requires appropriate technical and organisational measures to secure personal data. The text does not list HTTP headers. It leaves it to the data controller to determine what is appropriate given the risks.

In practice, the AP (Autoriteit Persoonsgegevens), the NCSC-NL, ENISA, OWASP and other supervisory authorities cite security headers as a baseline requirement for any website. The AP's published guidance and enforcement decisions consistently highlight TLS configuration and HTTP security headers as expected measures.

In the event of a data breach, the absence of security headers is an aggravating factor in the AP's analysis. This has occurred in several cases where the exploited vulnerability would have been blocked by a proper CSP policy or by HSTS.

This is not absolute protection. It is a baseline measure that any supervisory authority, including the AP, considers standard for a site processing personal data.

The six headers that really matter

There are around fifteen HTTP headers related to security. Six of them do the heavy lifting.

Strict-Transport-Security (HSTS). Forces the browser to use HTTPS for all subsequent requests to your domain. Typical configuration: Strict-Transport-Security: max-age=31536000; includeSubDomains. Common mistake: enabling HSTS with a max-age that is too short or without includeSubDomains.

Content-Security-Policy (CSP). Controls which sources can load code on your page. It is the strongest defence against cross-site scripting, but it is difficult to configure without breaking the site. Start in report-only mode for two weeks before switching to enforce.

X-Frame-Options. Prevents your site from being displayed in an iframe on a third-party domain. Blocks clickjacking. Recommended value: SAMEORIGIN. Largely replaced by the frame-ancestors CSP directive, but keep it for older browsers.

X-Content-Type-Options. Only one useful value: nosniff. Prevents the browser from guessing the MIME type of a resource. Blocks a class of upload-based attacks.

Referrer-Policy. Controls the information sent in the Referer header during outbound navigation. Recommended value: strict-origin-when-cross-origin. Protects user privacy by limiting URL leaks to third-party sites.

Permissions-Policy. Disables browser APIs your site does not use. Camera, microphone, geolocation, sensors. Minimal typical configuration: Permissions-Policy: camera=(), microphone=(), geolocation=().
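The six checks above, written out as an added example (this is not the TrustYourWebsite scanner's code): it takes a response's headers as raw name/value pairs, so a header sent twice is caught rather than silently merged, parses the HSTS max-age and the CSP directives, and grades the result. The A-to-F scale, the two constructed header sets and the rule that a header only passes when sent exactly once are this example's assumptions, not the tool's.

```python
"""Security-header grader: an added example, not TrustYourWebsite's scanner code."""
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]
ONE_YEAR = 31536000                        # the max-age used in the text's configuration
PERMISSIVE_REFERRER = {"no-referrer-when-downgrade", "unsafe-url"}
GRADES = {6: "A", 5: "B", 4: "C", 3: "D"}  # assumed scale; the tool's own is not published

# Constructed sample: a weak setup with Content-Security-Policy sent twice,
# once by the origin and once by a CDN layer (the duplicate-header pitfall).
WEAK_HEADERS: List[Header] = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Content-Security-Policy", "default-src *"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "NoSniff"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
]
# The values from the text's Apache block, with frame-ancestors added to the CSP.
GOOD_HEADERS: List[Header] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; "
                                "style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]


def group_headers(headers: List[Header]) -> Dict[str, List[str]]:
    """Group raw pairs by lower-cased name, keeping every value so duplicates show."""
    grouped: Dict[str, List[str]] = {}
    for name, value in headers:
        grouped.setdefault(name.strip().lower(), []).append(value.strip())
    return grouped


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src 'self'" into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(headers: List[Header]) -> Tuple[str, List[str]]:
    """Grade the six headers; a header passes only when present exactly once
    and set the way the text recommends. Returns (grade, findings)."""
    grouped = group_headers(headers)
    findings: List[str] = []
    passed = 0

    def single(name: str) -> Optional[str]:  # the one value, or None plus a finding
        values = grouped.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times {values}; centralise it in one place")
        else:
            return values[0]
        return None

    def score(name: str, ok: bool, problem: str) -> int:  # 1 if ok, else record the problem
        if not ok:
            findings.append(f"{name}: {problem}")
        return int(ok)

    hsts = single("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(match.group(1)) if match else 0
        long_enough = score("strict-transport-security", age >= ONE_YEAR, f"max-age={age} is too short; use {ONE_YEAR}")
        subdomains = score("strict-transport-security", "includesubdomains" in hsts.lower(), "add includeSubDomains")
        passed += long_enough * subdomains
    csp = single("content-security-policy")
    if csp is not None:
        directives = csp_directives(csp)
        passed += score("content-security-policy", "*" not in directives.get("default-src", []),
                        "default-src * allows any source; tighten it")
        if "frame-ancestors" not in directives:  # advisory only: pair it with X-Frame-Options
            findings.append("content-security-policy: add frame-ancestors alongside X-Frame-Options")
    xfo = single("x-frame-options")
    if xfo is not None:
        passed += score("x-frame-options", xfo.upper() in ("SAMEORIGIN", "DENY"), f"{xfo!r} is not SAMEORIGIN or DENY")
    xcto = single("x-content-type-options")
    if xcto is not None:  # browsers match nosniff case-insensitively
        passed += score("x-content-type-options", xcto.lower() == "nosniff", f"{xcto!r}; the only useful value is nosniff")
    referrer = single("referrer-policy")
    if referrer is not None:
        passed += score("referrer-policy", referrer.lower() not in PERMISSIVE_REFERRER,
                        f"{referrer} leaks full URLs; use strict-origin-when-cross-origin")
    if single("permissions-policy") is not None:
        passed += 1
    return GRADES.get(passed, "F"), findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(label, check_headers(hdrs))
```

Run as-is it grades the two constructed header sets (F with six findings, A with none). To check a live site, pass check_headers the list returned by http.client's HTTPResponse.getheaders(), which keeps a repeated header as separate pairs; a dict keyed by header name would keep only one value and hide exactly the duplicate the text warns about.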

Configuration by server type

The three most common environments for a Dutch SME website: Apache, Nginx, and Cloudflare as a layer in front of the origin.

Apache (.htaccess or httpd.conf):

# Requires mod_headers. "always" also sets the headers on error responses (4xx/5xx), not only on 200s.
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>

Nginx (inside the server block):

# An add_header inside a location block replaces every add_header inherited from the
# server block, so repeat the full set in any location that defines its own headers.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Cloudflare Transform Rules. From the Rules > Transform Rules > Modify Response Header tab, add each header as a separate rule. Advantage: no access to the origin server needed. Limitation: be careful not to define the same header twice, once on the origin and once on Cloudflare, which creates duplicate values that some browsers ignore.

Common pitfalls and how to avoid them

Five mistakes appear in 90% of audits.

CSP too strict from the start. The site breaks, administrators revert to default-src * and give up. Solution: start with Content-Security-Policy-Report-Only with a reporting endpoint for two weeks, fix violations, then switch to enforce mode.

HSTS on a site that still alternates between HTTP and HTTPS. If part of the site is only available over HTTP, those resources stop loading after the first HTTPS visit, because the browser refuses to fall back to HTTP. Make sure the entire site, including assets, is on HTTPS before enabling HSTS.

The duplicate header. Configured both in WordPress via a plugin and in Apache. The browser receives two values, often contradictory, and behaves unpredictably. Centralise the configuration in one place.

X-Frame-Options without frame-ancestors CSP. On its own, X-Frame-Options is treated as a legacy header by newer browsers, which prefer the frame-ancestors directive. Set both to cover old and new clients.

Referrer-Policy too permissive. The default in many frameworks is no-referrer-when-downgrade, which leaks full URLs. Switch to strict-origin-when-cross-origin. This is also a data minimisation measure under the GDPR.

Our free scanner tests these six headers alongside the other GDPR checks. For a targeted header-only test, use the tool at the top of this page.
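The report-only rollout recommended above (two weeks of Content-Security-Policy-Report-Only with a reporting endpoint, fix the violations, then enforce) needs something that reads the reports. The following is an added example, not the site's tooling: it parses the legacy report-uri JSON shape browsers post to the endpoint, groups violations by directive and blocked origin, drops reports caused by visitors' browser extensions, and turns the rest into per-directive suggestions. The sample reports, the /csp-report endpoint path and the example.nl hostnames are constructed for this example.

```python
"""Aggregate CSP report-only violations before switching to enforce mode.
Added example, not TrustYourWebsite's or any browser vendor's code."""
import json
from collections import Counter
from typing import List, Tuple
from urllib.parse import urlsplit

# Header the site is assumed to send during the trial period; /csp-report is an
# assumed endpoint name, the policy is the one from the text's Apache block.
REPORT_ONLY_HEADER = ("Content-Security-Policy-Report-Only",
                      "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                      "report-uri /csp-report")

# Constructed sample reports in the legacy report-uri "csp-report" JSON shape.
SAMPLE_REPORTS: List[str] = [json.dumps({"csp-report": r}) for r in (
    {"document-uri": "https://www.example.nl/", "effective-directive": "script-src",
     "blocked-uri": "https://tag.example-analytics.com/tag.js"},
    {"document-uri": "https://www.example.nl/contact", "effective-directive": "script-src",
     "blocked-uri": "https://tag.example-analytics.com/tag.js"},
    {"document-uri": "https://www.example.nl/", "effective-directive": "script-src",
     "blocked-uri": "inline", "line-number": 42},
    {"document-uri": "https://www.example.nl/", "effective-directive": "img-src",
     "blocked-uri": "https://images.example-cdn.com/logo.png"},
    # A visitor's browser extension injecting a script: noise, not a site problem.
    {"document-uri": "https://www.example.nl/", "effective-directive": "script-src",
     "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js"},
)]

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "safari-web-extension"}


def source_key(blocked_uri: str) -> str:
    """Reduce a blocked URI to the source expression you would add to the policy:
    scheme plus host for http(s) URLs, otherwise the keyword the browser sent
    ('inline', 'eval', 'data', ...)."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"


def aggregate(raw_reports: List[str]) -> Tuple[Counter, int]:
    """Count violations per (directive, source), dropping browser-extension noise.
    Returns (counts, number_of_noise_reports)."""
    counts: Counter = Counter()
    noise = 0
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        blocked = report.get("blocked-uri", "")
        if urlsplit(blocked).scheme in EXTENSION_SCHEMES:
            noise += 1
            continue
        # Older browsers only send violated-directive ("script-src 'self'"); take its name.
        directive = report.get("effective-directive") or report.get("violated-directive", "?").split()[0]
        counts[(directive, source_key(blocked))] += 1
    return counts, noise


def suggestions(counts: Counter) -> List[str]:
    """One line per (directive, source), grouped by directive, most frequent first."""
    lines: List[str] = []
    for (directive, source), n in sorted(counts.items(), key=lambda item: (item[0][0], -item[1])):
        if source == "inline":
            lines.append(f"{directive}: {n} inline violation(s); move the code into files or use "
                         f"nonces/hashes rather than adding 'unsafe-inline'")
        elif source == "eval":
            lines.append(f"{directive}: {n} eval() use(s); refactor rather than adding 'unsafe-eval'")
        else:
            lines.append(f"{directive}: {n} report(s) blocked {source}; allow it only if it is a "
                         f"dependency you recognise")
    return lines


if __name__ == "__main__":
    counts, noise = aggregate(SAMPLE_REPORTS)
    print(f"{noise} extension report(s) ignored")
    for line in suggestions(counts):
        print(line)
```

Feed it the bodies your endpoint stored during the two-week trial; the suggestions are a to-do list for fixing violations, not an allow-list to paste in, since a blocked origin you do not recognise is exactly what the enforced policy is meant to stop. Browsers that use the newer Reporting API send a different JSON shape, so an endpoint that receives both formats needs a second parser.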

Frequently asked questions

What are HTTP security headers?

HTTP security headers are response headers that your web server sends to browsers. They instruct the browser on how to behave when handling your site's content, blocking attacks like XSS and clickjacking.

Why is my site getting an F grade?

An F grade means most recommended security headers are missing. This is common for sites using default server configurations. Adding headers usually takes a few minutes of server configuration.

How do I add security headers to my site?

The method depends on your hosting. For Apache use .htaccess, for Nginx use the server block config, for Vercel or Netlify use their headers config file. Most CDNs also let you add headers.

Does adding security headers slow down my website?

No. Security headers add a negligible amount of data to each response, typically less than 500 bytes. They have no measurable impact on page load speed.

Is Content-Security-Policy difficult to set up?

CSP can be complex for sites with many third-party scripts. Start with report-only mode to see what would be blocked before enforcing. A basic policy is straightforward to set up.

Do security headers affect SEO?

Indirectly yes. Google favours HTTPS sites and HSTS ensures HTTPS is always used. A secure site also builds user trust, reducing bounce rates which can improve rankings.

How often should I check my security headers?

Check after every deployment or server configuration change. Headers can be accidentally removed during updates. Regular monitoring catches regressions before attackers do.

Security is just one piece of the puzzle

Your security headers score tells part of the story. We also check cookie consent, GDPR compliance, accessibility and 120+ other compliance points.
