How to add Security Headers to your Website

Security headers are important for your website

In this guide, we will cover how to add security headers to your website.  It’s important to learn how to do this for a couple of reasons:

  1. Security headers are served up from the server, just like the content.  When you visit a website, if that server’s content gets hacked, then you may see some bad material, or you may click on something and download a virus.  However, if that webpage has the correct security headers, it prevents the browser from displaying the malicious content completely!
  2. Google recognizes the security risks of not having security headers present on your website, and thus will rank you higher, leading to more traffic, if you have them correctly installed.

To learn more in depth about what security headers are, and what types there are, read our article What are HTTP Security Headers.


How do I add security headers to my website?

To add these important security headers to your website, it is first important to determine which kind of server environment you are on.  

The primary server types are Apache, IIS, and nginx.  There are also AWS and GWS, but we will only be focusing on Apache and IIS.  If you are on shared hosting, it is most likely cPanel or Plesk.

For GoDaddy Managed WordPress hosting, follow the instructions as if you were on cPanel. Regardless of your server type, the process is much the same.


*It is important to understand that you NEED an SSL certificate to add HTTP security headers to your website.  If you do not have one installed, this will break your website, so do not proceed.  You can check if you have one by replacing ‘http://’ with ‘https://’ in front of the website address.

Before proceeding, make a backup of the control file described in step 1, before you make any changes to it!

1)  First, find the control file.  For cPanel and Managed WordPress plans, this will be your .htaccess file.  For IIS, it’s the web.config file.

2)  Inside of the .htaccess file, add the following lines to the end:

# Header and RequestHeader are provided by mod_headers
<IfModule mod_headers.c>
# HSTS is only sent when the REDIRECT_HTTPS environment variable is set
Header always set Strict-Transport-Security "max-age=31536000" env=REDIRECT_HTTPS
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
RequestHeader set X-HTTPS 1
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

3)  Now save the file, and flush any cache plugins you have.  Visit to see if it is working.  You can learn about the various types of security headers here.


If you have HTTP to HTTPS redirects, or other rewrite rules, the headers may end up not being set when more than one of those rules is present.

You can try using ‘always’, or you can try using env=HTTPS, or getting rid of the env= altogether.  WordPress uses REDIRECT_HTTPS specifically.
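
To confirm which headers actually reached the browser after step 3, and to spot the case described above where one of them goes unset, the response headers can be checked against the values from step 2. This is an added example, not part of the original article; the function names and the sample response are constructed for illustration, and it expects a single response header block such as the output of `curl -sI`.

```python
# Added example: audit response headers against the values from step 2.
EXPECTED = {
    "strict-transport-security": lambda v: "max-age=31536000" in v,
    "x-frame-options": lambda v: v.upper() == "SAMEORIGIN",
    "x-xss-protection": lambda v: v.replace(" ", "") == "1;mode=block",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: v.lower() == "no-referrer-when-downgrade",
}

def parse_headers(raw):
    """Parse a raw header block (such as `curl -sI` output) into {name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return {header: "ok" | "missing" | "duplicate" | "unexpected"}."""
    headers = parse_headers(raw)
    result = {}
    for name, check in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            result[name] = "missing"
        elif len(values) > 1:
            result[name] = "duplicate"
        else:
            result[name] = "ok" if check(values[0]) else "unexpected"
    return result

# Constructed sample: HSTS is absent (the env= condition did not match) and
# X-Frame-Options was appended to a value that was already present.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
"""

if __name__ == "__main__":
    for header, verdict in audit(SAMPLE).items():
        print(f"{header}: {verdict}")
```

A "missing" Strict-Transport-Security on an HTTPS response is the sign to revisit the env= condition as described above.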