
Security Headers

Figure: How security headers act as a shield. CSP blocks malicious scripts, X-Frame-Options prevents embedding, and HSTS forces encryption.

What are Security Headers?

While often ignored by content-focused SEOs, security headers are vital for Technical SEO. Google prioritizes user safety. A site that is easily hacked, redirects to spam, or serves mixed content will see its rankings plummet. These headers harden your site against client-side attacks.

Why it Matters for SEO

1. Trust & Authority

Google Chrome and other browsers explicitly warn users about insecure sites. Security headers (especially HSTS) prevent the "Not Secure" warnings that drive up bounce rates.

2. Preventing "Negative SEO"

Attacks like "Clickjacking" (overlaying invisible buttons on your site) can trick users into unintended actions. Security headers prevent your site from being framed or misused by attackers.

Key Headers Explained

Strict-Transport-Security (HSTS)

What it does: Tells the browser "Never load this site via HTTP again. Only use HTTPS."

Why use it: Prevents "downgrade attacks" (an attacker forcing the connection back to plain HTTP) and, because the browser upgrades same-site http:// subresource URLs to https://, removes mixed content warnings. Note that the browser only learns the policy from an HTTPS response, so the very first visit is unprotected unless the domain is on the browser preload list.

X-Content-Type-Options

Value: nosniff

What it does: Stops the browser from "guessing" (MIME-sniffing) a response's file type; the browser trusts the declared Content-Type instead.

Why use it: Without it, a browser may decide that an uploaded file is a script and execute it even though your server labelled it as an image file.

X-Frame-Options

Value: SAMEORIGIN or DENY

What it does: Prevents your site from being embedded in an <iframe> on another domain.

Why use it: Stops Clickjacking attacks where hackers overlay your site to steal clicks. Modern browsers implement the same protection through the CSP frame-ancestors directive, which takes precedence when both are present, so set both.

Content-Security-Policy (CSP)

What it does: The "Nuclear Option" of security. It defines exactly which domains are allowed to load scripts, images, and styles on your page.

Why use it: It is the most effective defense against Cross-Site Scripting (XSS).

Code Implementation (Nginx)

```nginx
# "always" emits the header on every response, including error pages.
# Two-year HSTS covering subdomains; only keep "preload" once every subdomain serves HTTPS,
# because the preload list is hard to leave.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Allow framing only by pages from this origin (use "DENY" if the site is never framed).
add_header X-Frame-Options "SAMEORIGIN" always;
# Disable MIME sniffing; the declared Content-Type is authoritative.
add_header X-Content-Type-Options "nosniff" always;
# Send only the origin to cross-origin destinations, and nothing when dropping to HTTP.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Content-Security-Policy is site-specific (which scripts, styles and images you load),
# so it is not shown here; see the CSP section above.
```

How to Audit with Mygom

Our security check fetches your server's response headers and grades you based on the presence of these standard protection mechanisms. A low score here indicates your users are vulnerable to browser-based attacks.
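A minimal offline version of this kind of header audit, added here as an example and not Mygom's own code: it takes a dict of response headers and checks each header from this page for presence and a sane value. The one-year HSTS threshold and the two sample header sets are assumptions constructed for the example.

```python
import re

# Assumed threshold: one year, the minimum max-age the HSTS preload list accepts.
MIN_HSTS_AGE = 31536000

def check_hsts(value):
    """HSTS must be present with a long enough max-age; note a missing includeSubDomains."""
    if value is None:
        return False, "missing"
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        return False, "max-age missing or shorter than one year"
    if "includesubdomains" not in value.lower():
        return True, "ok, but subdomains are not covered"
    return True, "ok"

def check_nosniff(value):
    """X-Content-Type-Options has exactly one valid value."""
    ok = value is not None and value.strip().lower() == "nosniff"
    return ok, "ok" if ok else "missing or not 'nosniff'"

def check_xfo(value):
    """Only DENY and SAMEORIGIN are honoured; the old ALLOW-FROM form is ignored by browsers."""
    ok = value is not None and value.strip().upper() in ("DENY", "SAMEORIGIN")
    return ok, "ok" if ok else "missing or not DENY/SAMEORIGIN"

def check_csp(value):
    """CSP must restrict script sources and must not permit inline or wildcard scripts."""
    if value is None:
        return False, "missing"
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False, "no script-src or default-src"
    if "'unsafe-inline'" in sources or "*" in sources:
        return False, "script sources allow inline or wildcard"
    return True, "ok"

CHECKS = {"Strict-Transport-Security": check_hsts, "X-Content-Type-Options": check_nosniff,
          "X-Frame-Options": check_xfo, "Content-Security-Policy": check_csp}

def audit(headers):
    """Return (passed_count, {header: (passed, note)}) for a response header dict."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    results = {name: fn(lowered.get(name.lower())) for name, fn in CHECKS.items()}
    return sum(ok for ok, _ in results.values()), results

# Constructed samples: the Nginx block above plus a CSP, and a server that sets nothing useful.
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com"}
WEAK = {"Content-Type": "text/html", "Content-Security-Policy": "default-src *"}
```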