Website Security Headers

Not many people regularly check and update the security headers on their websites.

There are services available, such as Security Headers by Snyk - https://securityheaders.com/ - that fetch a page you point them at, analyse the HTTP response headers it returns, and grade the result from A+ down to F based on which security headers are present and how they are configured.

The response headers it analyses give a site real defence in depth: each one instructs the browser to refuse a class of misbehaviour (MIME sniffing, framing by other origins, downgrades to plain HTTP, leaking the full referring URL, and so on). With an easy way to assess them and guidance on how to deploy the missing ones, more websites should be using them.

In early September 2025, I checked the security headers on my website - https://www.borrett.id.au/ - and got a C grade. Not bad, but time to make it better.

I added the following security headers at the beginning of my .htaccess file:

# Security headers. Wrapped in <IfModule> so the site still starts if
# mod_headers is not loaded; "always" applies them to error responses
# (404, 500) as well as successful ones, which plain "Header set" does not.
<IfModule mod_headers.c>
  # Stop browsers MIME-sniffing a response away from its declared Content-Type
  Header always set X-Content-Type-Options "nosniff"

  # Protect against "ClickJacking" attacks by refusing to be framed by other origins
  Header always set X-Frame-Options "SAMEORIGIN"

  # Add a Referrer-Policy. Note this value still sends the full URL to
  # cross-origin HTTPS sites; strict-origin-when-cross-origin is the stricter common choice
  Header always set Referrer-Policy "no-referrer-when-downgrade"

  # Strict-Transport-Security: one year, covering subdomains
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

  # Permissions-Policy: restrict powerful browser features to this origin
  Header always set Permissions-Policy "geolocation=(self), microphone=(self), camera=(self), fullscreen=*, accelerometer=(self), autoplay=(self)"
</IfModule>

I uploaded the changes and retested. Yippee, Grade A! Who's a clever boy?

Okay, so there is one issue - Content-Security-Policy.

Content Security Policy is an effective mitigation against cross-site scripting (XSS). By allowlisting the origins from which scripts, styles, images and other content may load, and by refusing inline script unless it carries a nonce or hash, you stop the browser from executing injected assets even when an injection gets through. The catch is that a policy that is too loose (for example one that allows 'unsafe-inline' in script-src, or has no default-src fallback) provides little protection, while one that is too tight breaks the site; the usual approach is to start with Content-Security-Policy-Report-Only, watch the violation reports, and tighten from there.

I looked into it, and it's not an easy one to get right. Not wanting to risk messing things up, I passed on it. I'm happy with the results I've got.

You should check your security headers regularly. New headers are introduced from time to time, and once browser support is broad it typically pays to implement them. Right now, three headers are listed as upcoming:

Cross-Origin-Embedder-Policy: Cross-Origin Embedder Policy (typically the value 'require-corp') lets a site refuse to load cross-origin assets that have not granted permission to be loaded via CORS or Cross-Origin-Resource-Policy. It will break any third-party image, script or frame that does not send such permission, so test before deploying it.

Cross-Origin-Opener-Policy: Cross-Origin Opener Policy (for example 'same-origin') lets a site opt in to cross-origin isolation in the browser by severing the window reference between its pages and cross-origin pages that open them or are opened by them.

Cross-Origin-Resource-Policy: Cross-Origin Resource Policy ('same-origin', 'same-site' or 'cross-origin') lets a resource owner specify which origins may load the resource, so other sites cannot embed it as an image, script or similar.

I'll look into implementing them on my website in due course.
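The CSP caveats and the advice to check headers regularly come down to the same job: reading a response's headers and judging each value, not just its presence. The script below is an added example, written for this page and not code from the original post or from securityheaders.com. It performs that audit offline against a constructed header set: it parses the HSTS max-age, splits a Content-Security-Policy into directives and flags the classic weaknesses ('unsafe-inline', wildcard script sources, no default-src), and reports the three newer Cross-Origin-* headers when they are absent. The thresholds, messages and the hardened reference set are assumptions chosen for illustration rather than the scanner's actual grading rules, and neither header set is captured from any real site.

```python
"""Offline audit of HTTP response security headers (added example, not code
from the original post or from securityheaders.com; thresholds and messages
are assumptions chosen for illustration, not the scanner's actual rules)."""
import re

# Constructed sample, not a real capture: roughly what the .htaccess in the
# post emits, plus a deliberately weak CSP so those checks have work to do.
SAMPLE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Permissions-Policy": "geolocation=(self), camera=(self)",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' *; object-src 'none'",
}

# Constructed hardened set that every check below should accept.
HARDENED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "frame-ancestors 'none'; base-uri 'self'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}

HSTS_MIN_AGE = 180 * 24 * 3600  # assumed threshold: six months, in seconds
UPCOMING = ("Cross-Origin-Embedder-Policy", "Cross-Origin-Opener-Policy",
            "Cross-Origin-Resource-Policy")


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy):
    """Flag the weaknesses that most often make a CSP ineffective against XSS."""
    findings = []
    d = parse_csp(policy)
    if "default-src" not in d:
        findings.append("CSP: no default-src, so unlisted fetch directives are unrestricted")
    script = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
    if "'unsafe-inline'" in script:
        findings.append("CSP: script-src allows 'unsafe-inline', which defeats XSS protection")
    if any(src == "*" or src.startswith("http:") for src in script):
        findings.append("CSP: script-src allows wildcard or plaintext http: sources")
    return findings


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    rp = h.get("referrer-policy", "").lower()
    if not rp:
        findings.append("Referrer-Policy missing")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy '%s' sends the full URL to cross-origin HTTPS sites" % rp)
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, flags=re.IGNORECASE)
    if not age:
        findings.append("Strict-Transport-Security missing or has no max-age")
    else:
        if int(age.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age is below %d seconds" % HSTS_MIN_AGE)
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    if "content-security-policy" in h:
        findings.extend(audit_csp(h["content-security-policy"]))
    else:
        findings.append("Content-Security-Policy missing")
    for name in UPCOMING:  # the three newer headers the scanner lists as upcoming
        if name.lower() not in h:
            findings.append("%s not set (newer header, currently optional)" % name)
    return findings


if __name__ == "__main__":
    for label, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = audit_headers(hdrs)
        print("%s: %d finding(s)" % (label, len(result)))
        for finding in result:
            print("  -", finding)
```

To audit a live site, replace the constructed dict with the headers from a real response (for instance the pairs returned by http.client.HTTPSConnection's getresponse().getheaders()) and pass them to audit_headers; the checks themselves need no network access, which is what makes them easy to run on every deploy rather than only when you remember to visit the scanner.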
