Security headers protect your site from attacks that directly damage SEO: injected spam content, malicious redirects, phishing overlays, and data breaches that trigger browser warnings. Google deindexes hacked sites. Proper security headers are the first line of defense.
Essential Security Headers
Content-Security-Policy (CSP)
CSP prevents cross-site scripting (XSS) attacks that inject spam links and malicious redirects into your pages. A hacked page with injected pharmacy links will be deindexed.
# Strict CSP for a typical marketing site
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self';
Key directives for SEO:
- frame-ancestors 'none': Prevents clickjacking (replaces X-Frame-Options)
- base-uri 'self': Prevents base tag injection that redirects all relative links
- form-action 'self': Prevents form hijacking
Strict-Transport-Security (HSTS)
Forces HTTPS connections, preventing SSL stripping attacks and mixed content warnings:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age=31536000: Enforce for 1 year
- includeSubDomains: Apply to all subdomains
- preload: Signals eligibility for the HSTS preload list; submit the domain at hstspreload.org for browser-level enforcement
Without HSTS, a man-in-the-middle attacker can inject content into HTTP versions of your pages, causing duplicate content and security warnings that destroy trust signals.
X-Content-Type-Options
Prevents MIME type sniffing, which can turn uploaded files into executable scripts:
X-Content-Type-Options: nosniff
Referrer-Policy
Controls how much referrer information is shared when users click outbound links:
Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL as referrer for same-origin requests (useful for analytics) but only the origin for cross-origin requests (protects URL-embedded data).
Permissions-Policy
Restricts browser features that can be abused for fingerprinting or surveillance:
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
The interest-cohort=() directive opts out of FLoC/Topics API if you prefer not to participate in Google's privacy sandbox. Note that Chrome has since retired FLoC, and the Topics API is controlled by the separate browsing-topics=() directive, so add that one if the opt-out matters to you.
Complete Server Configurations
Nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'" always;

    # Remove server version disclosure
    server_tokens off;
}
Caddy
example.com {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        Permissions-Policy "camera=(), microphone=(), geolocation=()"
        Content-Security-Policy "default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:"
        -Server
    }
}
Apache
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:"
</IfModule>
Testing Security Headers
Online Scanners
- securityheaders.com: Grades your headers A+ through F. Target A or A+.
- observatory.mozilla.org: Mozilla's comprehensive security scanner with specific recommendations.
Command Line
# Check all response headers
curl -sI https://example.com | grep -iE "strict-transport|content-security|x-frame|x-content|referrer-policy|permissions-policy"
# Check for HSTS preload eligibility
curl -sI https://example.com | grep -i strict-transport
# Must show: max-age >= 31536000, includeSubDomains, preload
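The curl commands above only show you the raw header lines; the following added example (not from the original page) applies the same checks programmatically: HSTS preload eligibility per the hstspreload.org rules, nosniff, Referrer-Policy, and the CSP directives this page calls key for SEO. The SAMPLE_HEADERS dict is constructed for the example; in practice you would populate it from a real response.

```python
import re

# Constructed sample response headers (not captured from a real site). A real
# audit would fill this dict from `curl -sI` output or requests' response.headers.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "https://www.googletagmanager.com; frame-ancestors 'none'",
}

ONE_YEAR = 31536000  # minimum max-age accepted by the hstspreload.org list

def parse_csp(value):
    """Split a CSP into {directive: [source tokens]}; directive names lowercased."""
    parts = [p.split() for p in value.split(";") if p.strip()]
    return {tokens[0].lower(): tokens[1:] for tokens in parts}

def hsts_preload_eligible(value):
    """hstspreload.org rules: max-age >= 1 year, includeSubDomains and preload present."""
    tokens = [t.strip().lower() for t in value.split(";")]
    age = re.search(r"(?:^|;)\s*max-age=(\d+)\s*(?:;|$)", value.lower())
    return (age is not None and int(age.group(1)) >= ONE_YEAR
            and "includesubdomains" in tokens and "preload" in tokens)

def csp_findings(value):
    """Flag the gaps the 'Key directives for SEO' section above warns about."""
    policy = parse_csp(value)
    findings = [f"{d} missing: {risk} not blocked" for d, risk in (
        ("frame-ancestors", "clickjacking"),
        ("base-uri", "<base> tag injection"),
        ("form-action", "form hijacking")) if d not in policy]
    # script-src falls back to default-src when absent, so check whichever applies
    scripts = policy.get("script-src", policy.get("default-src", []))
    if any(t in ("'unsafe-inline'", "'unsafe-eval'", "*") for t in scripts):
        findings.append("script-src permits inline/eval/wildcard scripts: XSS not blocked")
    return findings

def audit(headers):
    """Return a verdict per header; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts, csp = h.get("strict-transport-security"), h.get("content-security-policy")
    return {
        "hsts": ("preload-eligible" if hsts and hsts_preload_eligible(hsts)
                 else "present, not preload-eligible" if hsts else "missing"),
        "nosniff": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "referrer_policy": h.get("referrer-policy", "missing"),
        "csp_findings": csp_findings(csp) if csp else ["Content-Security-Policy missing"],
    }
```

Run `audit(SAMPLE_HEADERS)` and you will see the sample CSP is preload-clean on HSTS but still missing base-uri and form-action, exactly the gap between the strict CSP at the top of this page and the shorter one in the server configs.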
SEO-Specific Security Concerns
Google Safe Browsing
Sites flagged by Google Safe Browsing display browser warnings that eliminate virtually all organic traffic. Security headers prevent the attack vectors that lead to flagging:
- XSS injection of malicious scripts (prevented by CSP)
- Clickjacking to overlay phishing forms (prevented by X-Frame-Options or CSP frame-ancestors)
- Mixed content that enables interception (prevented by HSTS)
HTTPS as a Ranking Signal
HTTPS is a confirmed Google ranking factor. HSTS with preloading ensures every request uses HTTPS, eliminating any HTTP->HTTPS redirect latency and preventing mixed content that degrades page experience scores.
Monitoring
- Run securityheaders.com monthly and track your grade
- Set up uptime monitoring that checks for the presence of critical headers
- Monitor Google Search Console for security issues under the "Security & Manual Actions" section
- Review CSP violation reports if you enable the report-uri or report-to directives
A single successful hack can undo years of SEO work. Security headers take 15 minutes to implement and prevent the most common attack vectors that lead to deindexation.