The most valuable hour you can spend on your website security

There is a category of website vulnerability that costs nothing to fix, takes under an hour to implement, and is missing from the majority of UK small business websites. It does not require a developer, does not require server access, and does not require any code changes.

HTTP security headers. You have probably never heard of them. Your website is almost certainly missing them.

"Security headers are the easiest wins in website security. They do not eliminate all risk, but they close off entire categories of attack — clickjacking, cross-site scripting, information leakage — with a few lines of configuration."

— NCSC, Website Security Guidance for Organisations, 2025

The five headers that matter most

Content-Security-Policy (Content Security Policy, CSP)
Tells the browser exactly which sources of scripts, styles, images, and other resources are allowed to load on your page. Prevents injected malicious scripts from executing — even if they get past every other defence.
Blocks: cross-site scripting (XSS) attacks

X-Frame-Options (clickjacking protection)
Prevents your website from being loaded invisibly inside another site's frame. Without it, attackers can trick users into clicking things on your site while thinking they're interacting with something else.
Blocks: clickjacking attacks on login and payment pages

X-Content-Type-Options (file-type protection)
Stops browsers from guessing what type of content a file is. Without it, a browser might execute a malicious JavaScript file uploaded as an image. The fix is three words. Zero downside. Zero complexity.
Blocks: MIME-type confusion attacks

Referrer-Policy (referrer information control)
Controls what URL information is sent when users click links to external sites. Without it, sensitive URL parameters (password reset tokens, session IDs) can leak to third-party websites.
Blocks: sensitive data leakage via referrer headers

Permissions-Policy (browser feature control)
Controls which browser features your site can use: camera, microphone, geolocation, payment APIs. If your site does not need geolocation access, tell the browser it should never grant it.
Reduces: attack surface for browser feature exploitation

How to add security headers: the Cloudflare method

If your website uses Cloudflare (and it should — the free tier is excellent), adding security headers requires no server access and no code changes:

  1. Log in to Cloudflare → select your domain
  2. Go to Rules → Transform Rules → Response Header Modification
  3. Create a new rule that applies to all requests
  4. Add each header as a Set Header action with the appropriate value
  5. Deploy the rule and verify using securityheaders.com

How to add security headers: server configuration

If you manage your own server, headers can be added directly:

Apache (.htaccess, with mod_headers enabled):

Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Nginx (nginx.conf):

add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";

Two Nginx details catch people out: add_header is only applied to normal success and redirect responses (not error pages) unless you append the always parameter, and a location block that declares any add_header of its own replaces every add_header line inherited from the server block, so repeat the full set wherever you add one.

Check your current headers for free

Go to securityheaders.com and enter your domain. You will get an instant grade (A+ to F) and see exactly which headers are missing. Most UK small business sites score a D or F.
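The script below is an added example, not code from the original article or from securityheaders.com, and it shows what such a check actually does against the five headers listed earlier: it looks for each header, flags values that are present but weak (a CSP that allows 'unsafe-inline' scripts, an obsolete ALLOW-FROM, a Referrer-Policy that still leaks full URLs, a Permissions-Policy that grants a feature to every origin), and can print the baseline as Apache or Nginx directives. The function names (audit, weaknesses, render_config, fetch_headers), the hostnames partner.example and cdn.example, and the SAMPLE_WEAK response are all constructed for the example; the Content-Security-Policy and Permissions-Policy values in RECOMMENDED are assumed starting points, not values the article gives.

```python
# Added example, not code from the original article. SAMPLE_WEAK below is a
# constructed response; the CSP and Permissions-Policy values in RECOMMENDED
# are assumed starting points, not values the article gives.
from __future__ import annotations

import urllib.request

# Baseline the checker expects. The X-Frame-Options, X-Content-Type-Options
# and Referrer-Policy values match the article's Apache/Nginx snippets.
RECOMMENDED = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
# Referrer-Policy values that still send the full URL to other origins.
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [sources]}; first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def weaknesses(name: str, value: str) -> list[str]:
    """Return the problems with one header's value; empty means it is fine."""
    problems: list[str] = []
    v = value.strip()
    if name == "Content-Security-Policy":
        policy = parse_csp(v)
        # script-src falls back to default-src when not set explicitly
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            problems.append("no script-src or default-src, so any script may load")
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in scripts:
                problems.append(f"script sources allow {bad}")
    elif name == "X-Frame-Options":
        if v.upper() not in ("DENY", "SAMEORIGIN"):
            problems.append(f"{v!r} is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)")
    elif name == "X-Content-Type-Options":
        if v.lower() != "nosniff":
            problems.append("only 'nosniff' disables MIME sniffing")
    elif name == "Referrer-Policy":
        if {t.strip().lower() for t in v.split(",")} & LEAKY_REFERRER:
            problems.append("policy still sends full URLs to other origins")
    elif name == "Permissions-Policy":
        for directive in v.split(","):
            if directive.strip().endswith("=*"):
                problems.append(f"{directive.strip()} grants the feature to every origin")
    return problems


def audit(headers: dict[str, str]) -> dict[str, object]:
    """Classify each recommended header as missing, weak or ok (names are case-insensitive)."""
    present = {k.lower(): v for k, v in headers.items()}
    missing, weak, ok = [], {}, []
    for name in RECOMMENDED:
        value = present.get(name.lower())
        if value is None:
            missing.append(name)
        elif problems := weaknesses(name, value):
            weak[name] = problems
        else:
            ok.append(name)
    return {"missing": missing, "weak": weak, "ok": ok}


def render_config(flavour: str, headers: dict[str, str] = RECOMMENDED) -> str:
    """Emit the baseline as Apache (.htaccess) or Nginx directives."""
    if flavour == "apache":
        return "\n".join(f'Header always set {n} "{v}"' for n, v in headers.items())
    if flavour == "nginx":
        return "\n".join(f'add_header {n} "{v}" always;' for n, v in headers.items())
    raise ValueError(f"unknown flavour: {flavour}")


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch a page on a site you operate and return its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample: roughly what an unconfigured site sends back.
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
```

Calling audit(SAMPLE_WEAK) reports X-Content-Type-Options and Permissions-Policy as missing and the other three as weak; audit(fetch_headers("https://your-own-site.example")) runs the same check against a live response from a site you manage, and render_config("nginx") prints the baseline with the always parameter already in place. The CSP check deliberately looks only at script sources, which is where injected code runs; a real policy also needs the image, style and connect sources your pages use, which is why the article recommends starting from a tool's report rather than guessing.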

78% of UK small business websites we audit are missing the Content-Security-Policy header (ProtectPatch audit data, 2025–2026)

Key takeaways

  • Security headers are instructions from your server to visitors' browsers that block entire categories of attack
  • 78% of UK small business sites are missing the Content-Security-Policy header
  • All headers can be added via Cloudflare in under an hour at zero cost
  • CSP prevents script injection attacks; X-Frame-Options prevents clickjacking
  • Check your current score for free at securityheaders.com