
Security headers

HTTP headers that limit XSS, clickjacking and data leaks.

What is this

We check a set of HTTP security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options (or frame-ancestors via CSP), Referrer-Policy, and Permissions-Policy. TLS protects the page in transit; these headers tell the browser how to treat the page once it has arrived, so together they add a second layer of defense on top of TLS.

Why it matters

These headers shut down concrete attacks: CSP restricts where scripts may load from and so blunts most XSS, X-Content-Type-Options stops the browser from MIME-sniffing a response into a script or stylesheet, frame-ancestors (or X-Frame-Options) stops other sites from framing your pages for clickjacking, Referrer-Policy keeps full URLs out of the Referer header sent to other origins, and Permissions-Policy switches off browser APIs such as camera, microphone and geolocation that the site does not need.

How to fix it

TransIP: On a VPS, add add_header X-Content-Type-Options nosniff always; to the nginx server block and repeat for the other headers. The always keyword matters: without it nginx only attaches the header to 2xx and 3xx responses, so error pages go out unprotected. Also note that an add_header inside a location block replaces, rather than extends, the set inherited from the server block, so keep them all at one level or repeat them. On Managed WordPress you cannot edit the server config, so use a plugin such as Headers Security Advanced & HSTS WP.

Cloudflare: Rules > Transform Rules > Modify Response Header. Add a rule that matches all URLs and sets each header, or set them from a Worker. For CSP, start with Content-Security-Policy-Report-Only and switch to Content-Security-Policy only once the reports show no legitimate resources being blocked.

Strato or Antagonist: Add lines to .htaccess such as Header always set X-Content-Type-Options "nosniff" and Header always set Referrer-Policy "strict-origin-when-cross-origin". These need Apache's mod_headers; if it is not loaded, the Header directive is unknown and the site answers with a 500, so test after each change. Build CSP up directive by directive, checking the site after each addition.

Other: Follow the OWASP Secure Headers Project recommendations and set the headers in your web server or at the edge (CDN or reverse proxy). Test CSP in Content-Security-Policy-Report-Only mode before enforcing it.

Verify

Securityheaders.com; aim for an A or A+. Or from the shell: curl -sI https://yourdomain.com | grep -iE 'content-security|x-frame|x-content|referrer|permissions'. Note that -I sends a HEAD request; if your server or CDN only adds headers on GET, use curl -s -o /dev/null -D - https://yourdomain.com instead. Check an error page (a 404) as well, because headers set without nginx's always or Apache's always are dropped on error responses.
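The curl and grep check above only tells you whether a header name appears; it does not tell you whether the value actually does anything. The following is an added example, not code from this page or from any of the hosters named above: an offline checker that takes a captured response head (the text curl -sI or curl -D - prints) and grades it against the header set described on this page, including the cases that a presence check misses: a CSP that is still Report-Only, a CSP that allows 'unsafe-inline' scripts, an obsolete X-Frame-Options ALLOW-FROM, and a Referrer-Policy that still sends full URLs. The two sample responses are constructed for this example, not captured from a real site.

```python
# Added example (not the page's own code): offline grader for the security
# header set discussed above. Works on a saved response head, so no network.


def parse_headers(raw):
    """Parse an HTTP response head (status line + headers) into a dict of
    lower-cased name -> list of values. Repeated headers are kept in order."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:            # skip the status line
        if not line.strip():
            break                     # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(policy):
    """Split a CSP string into {directive: [source tokens]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(raw):
    """Return {'missing': [...], 'warnings': [...], 'pass': bool} for a head."""
    h = parse_headers(raw)
    missing, warnings = [], []

    def first(name):
        return h.get(name, [None])[0]

    # 1. MIME sniffing: the only meaningful value is "nosniff".
    xcto = first("x-content-type-options")
    if xcto is None:
        missing.append("X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        warnings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")

    # 2. CSP: Report-Only is a testing mode and enforces nothing.
    enforced = first("content-security-policy")
    report_only = first("content-security-policy-report-only")
    directives = {}
    if enforced:
        directives = csp_directives(enforced)
        scripts = directives.get("script-src", directives.get("default-src", []))
        if not scripts:
            warnings.append("CSP has no script-src or default-src, so scripts are unrestricted")
        elif "'unsafe-inline'" in scripts and not any(
            s.startswith("'nonce-") or s.startswith("'sha") for s in scripts
        ):
            warnings.append("CSP allows 'unsafe-inline' scripts, which leaves reflected XSS exploitable")
    elif report_only:
        warnings.append("CSP is in Report-Only mode: nothing is enforced yet")
    else:
        missing.append("Content-Security-Policy")

    # 3. Clickjacking: CSP frame-ancestors, or X-Frame-Options DENY/SAMEORIGIN.
    xfo = first("x-frame-options")
    if "frame-ancestors" in directives:
        pass                          # CSP covers it; X-Frame-Options is optional
    elif xfo is None:
        missing.append("X-Frame-Options (or CSP frame-ancestors)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        warnings.append(f"X-Frame-Options {xfo!r} is not DENY/SAMEORIGIN (ALLOW-FROM is ignored by current browsers)")

    # 4. Referrer-Policy: the two leakiest values defeat the purpose.
    rp = first("referrer-policy")
    if rp is None:
        missing.append("Referrer-Policy")
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        warnings.append(f"Referrer-Policy {rp!r} still sends the full URL cross-origin")

    # 5. Permissions-Policy: presence only; the right allowlist is site-specific.
    if first("permissions-policy") is None:
        missing.append("Permissions-Policy")

    return {"missing": missing, "warnings": warnings, "pass": not missing and not warnings}


# Constructed sample response heads (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(raw))
```

To run it against your own site, save the output of curl -s -o /dev/null -D - https://yourdomain.com to a file and pass its contents to check_security_headers. The weak sample fails on every count the page warns about (Report-Only CSP, obsolete ALLOW-FROM, leaky Referrer-Policy, two missing headers); the hardened sample passes because frame-ancestors in an enforced CSP makes X-Frame-Options unnecessary.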
