Most sites are missing 4 security headers that take under an hour to add. CSP, X-Frame-Options, HSTS, Referrer-Policy — here's the exact implementation for each, with copy-paste configs.
Run your site through observatory.mozilla.org right now. If you haven't set security headers deliberately, there's a good chance you'll see a D or F. I've audited dozens of production sites and the missing header list is nearly always the same four.
The good news: these are all HTTP response headers. For HSTS, X-Frame-Options and Referrer-Policy there is no application code change and no architectural refactor: add them to your web server or CDN config, deploy, and you're covered. CSP is the one exception, because a strict policy blocks inline scripts and styles until you move them into files or tag them with per-response nonces. Budget under an hour for the first three and a report-only trial period for CSP.
Run curl -sI https://your-site.com and read the response headers. Note that -I sends a HEAD request; if your server answers HEAD differently from GET (some frameworks and CDNs do), use curl -s -D - -o /dev/null https://your-site.com to see the headers of a real GET. Or use securityheaders.com for a visual report. Either way it takes 30 seconds and shows exactly what you're missing.
Without a CSP, any HTML injection that reaches the page (a stored or reflected XSS) runs arbitrary JavaScript in your users' browsers. Content-Security-Policy tells the browser which origins may load scripts, styles, frames and other resources, and with a nonce- or hash-based script-src it refuses inline scripts that don't carry the per-response nonce, which is exactly what an injected payload lacks. The directives that buy the most are script-src, object-src 'none', base-uri 'self' and frame-ancestors.
Pro tip: Start with Content-Security-Policy-Report-Only so violations are reported but nothing is blocked, and include a report-uri (or report-to) directive pointing at an endpoint that logs the JSON reports, otherwise there is nothing to check. Run it for a week, fix or allowlist what the reports show, then switch the header name to Content-Security-Policy to enforce.
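The following is an added example, not code from the original post: it builds a nonce-based CSP for each response (in report-only or enforcing mode) and models the browser's script-src decision, so you can see that an injected inline script without the nonce is refused while the page's own nonced scripts still load. The report endpoint /csp-report is an assumed path, and the matching model is simplified (hash sources are recognised but not verified, ports are ignored).

```python
import secrets
from urllib.parse import urlsplit

# Added example, not code from the original post. The "/csp-report" path and
# the simplified host matching below are assumptions for the demo.

SCHEME_SOURCES = {"https:", "http:", "data:", "blob:", "wss:", "ws:"}


def make_nonce() -> str:
    """Fresh, unguessable nonce; generate one per response, never reuse it."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_only: bool = False, report_path: str = "/csp-report"):
    """Return (header name, header value) for a nonce + strict-dynamic policy.

    report_only=True emits Content-Security-Policy-Report-Only, which sends
    violation reports to report_path without blocking anything.
    """
    directives = [
        "default-src 'self'",
        # Scripts need the per-response nonce. 'strict-dynamic' lets nonced
        # scripts load their own dependencies and tells CSP3 browsers to ignore
        # the 'https:' fallback, which is only there for older browsers.
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        f"report-uri {report_path}",
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def parse_csp(value: str) -> dict:
    """Split a policy string into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_match(source: str, parts, page_scheme: str) -> bool:
    """Simplified CSP host-source match: scheme, host and a leading '*.' wildcard."""
    if "://" in source:
        scheme, _, host = source.partition("://")
        if scheme.lower() != parts.scheme:
            return False
    else:
        host = source
        # A scheme-less host source matches the page's scheme, or https.
        if parts.scheme not in (page_scheme, "https"):
            return False
    host = host.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return parts.hostname.endswith(host[1:])
    return parts.hostname == host


def script_allowed(policy: dict, *, page_origin: str, src: str = None, nonce: str = None) -> bool:
    """Would a parser-inserted <script> be allowed? src=None means an inline script."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    strict = "'strict-dynamic'" in sources
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if src is None:
        # Inline without a valid nonce: only 'unsafe-inline' permits it, and browsers
        # ignore 'unsafe-inline' once a nonce/hash source or 'strict-dynamic' is present.
        return "'unsafe-inline'" in sources and not strict and not has_nonce_or_hash
    if strict:
        # Host, scheme and 'self' sources are ignored; an un-nonced external script is blocked.
        return False
    parts = urlsplit(src)
    page = urlsplit(page_origin)
    if "'self'" in sources and (parts.scheme, parts.netloc) == (page.scheme, page.netloc):
        return True
    for source in sources:
        if source in SCHEME_SOURCES:
            if parts.scheme + ":" == source:
                return True
        elif source == "*":
            return True
        elif not source.startswith("'") and _host_match(source, parts, page.scheme):
            return True
    return False


if __name__ == "__main__":
    nonce = make_nonce()
    name, value = build_csp(nonce, report_only=True)
    print(f"{name}: {value}")
    print("injected inline script allowed?", script_allowed(parse_csp(value), page_origin="https://example.com"))
```

Emit the nonce into your own script tags as script nonce="..." and generate a new one per response; a nonce that is static, or that appears in cached HTML, gives an attacker the same value. The evaluator also shows why a legacy allowlist policy is weaker than it looks: script-src 'self' still lets an injected script tag pull any file already hosted on your origin.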
Without HSTS, even an all-HTTPS site is exposed to SSL stripping: an attacker on the same network intercepts the user's first plain-HTTP request (the one a typed "your-site.com" produces) and serves the site over HTTP instead of letting it redirect to HTTPS. Strict-Transport-Security tells the browser to rewrite every later request for the domain to HTTPS before it leaves the machine, and to refuse to click through certificate errors. Set max-age to at least a year (31536000 seconds) and add includeSubDomains. The browser only learns the policy from a response it received over HTTPS, so the very first visit is still unprotected unless you add the preload directive and submit the domain at hstspreload.org.
Clickjacking: an attacker loads your site in a transparent iframe overlaid on something enticing. The user thinks they're clicking on the attacker's page but they're actually clicking on yours: a "confirm payment" button, an "allow permissions" button. X-Frame-Options: DENY stops this (use SAMEORIGIN only if your own pages need to frame each other; ALLOW-FROM is obsolete and ignored by current browsers). The modern equivalent is the CSP frame-ancestors directive, which browsers prefer when both are present; send both so older browsers are covered too.
By default, older browsers sent the full Referer URL when users navigated away from your site, and some still do; current Chrome and Firefox default to strict-origin-when-cross-origin, which sends only the origin on cross-site navigations. That default is a browser setting, not yours. If your URLs contain user IDs, tokens or search queries, set Referrer-Policy explicitly to strict-origin-when-cross-origin (or no-referrer if you don't need referrer analytics at all), and never to unsafe-url or no-referrer-when-downgrade, which still leak the full URL to every HTTPS site your users visit from yours.
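To turn the four sections above into something you can run, here is an added example (not code from the original post): a small WSGI middleware that adds the four headers to every response that does not already set them, and an audit function that parses a raw HTTP response and flags headers that are missing or set to weak values (a short HSTS max-age, a missing includeSubDomains, an unsupported X-Frame-Options value, a leaky Referrer-Policy, a CSP that still allows inline scripts). The recommended values and the two sample responses are constructed for the demo; tune the CSP to your site after a report-only run.

```python
import re

# Added example, not code from the original post. RECOMMENDED holds the
# conservative starting values discussed above; the sample responses below
# are constructed, not real captures.

ONE_YEAR = 31536000

RECOMMENDED = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def security_headers(app, overrides=None):
    """Wrap a WSGI app so every response carries RECOMMENDED (plus overrides),
    without clobbering a header the app already set itself."""
    values = {**RECOMMENDED, **(overrides or {})}

    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in values.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped


def parse_response(raw: str) -> dict:
    """Turn 'HTTP/1.1 200 OK\\r\\nName: value...' into {lowercase name: value}."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key:
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _csp_script_sources(csp: str) -> list:
    """script-src sources, falling back to default-src as the browser does."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def audit(headers: dict) -> list:
    """Return a list of findings; an empty list means all four headers look sane."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        scripts = _csp_script_sources(csp)
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            findings.append("CSP allows inline scripts ('unsafe-inline' without nonce/hash)")
    xfo = headers.get("x-frame-options")
    if xfo is None and not (csp and "frame-ancestors" in csp.lower()):
        findings.append("X-Frame-Options missing (and no CSP frame-ancestors)")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value not supported by current browsers: {xfo}")
    rp = headers.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif rp.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy leaks full URLs: {rp}")
    return findings


# Constructed sample responses (not real captures).
RAW_BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RAW_WEAK = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n\r\n"
)


def demo_headers() -> dict:
    """Push a trivial WSGI app through the middleware and return its response headers."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html>hello</html>"]
    captured = []
    list(security_headers(app)({}, lambda status, headers, exc_info=None: captured.extend(headers)))
    return {name.lower(): value for name, value in captured}


if __name__ == "__main__":
    for label, raw in (("bare", RAW_BARE), ("weak", RAW_WEAK)):
        print(label, audit(parse_response(raw)))
    print("middleware", audit(demo_headers()))
```

Feed parse_response the output of curl -s -D - -o /dev/null https://your-site.com to audit a live site. If your server stack already adds X-Frame-Options or HSTS at the CDN, the middleware leaves those alone, so you won't end up with duplicate or conflicting values.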
Re-run observatory.mozilla.org and securityheaders.com. You should be looking at an A or A+. If not, the reports tell you exactly what's still missing.
These headers aren't a complete security posture. They don't replace dependency auditing, authentication design, or input validation. But they're the fastest, highest-ROI security improvement available to any web application — and there's no excuse for not having them on a production site.
A Venom-Audit covers security headers, dependency CVEs, HTTPS configuration, and more — with severity-tagged findings and exact fix instructions.
Book an Audit →