How to Fix Missing Security Headers
Use this page when the Security Headers Analyzer shows missing or weak browser protections and you need a practical rollout sequence.
What This Means
Missing security headers do not all carry the same operational weight. The safest fix path starts with headers that materially change browser behavior, then stages stricter policy after the application and edge stack have been validated.
| Header family | What to check | Why it matters |
|---|---|---|
| CSP | Inline execution and third-party allowlists | Usually the highest-value browser policy improvement: it limits what an injected script can load or run. |
| HSTS | HTTPS enforcement and preload readiness | Reduces downgrade risk when rollout is done safely. |
| Framing controls | Embedding policy for sensitive pages (X-Frame-Options, CSP frame-ancestors) | Important for clickjacking resistance. |
| Browser defaults | X-Content-Type-Options: nosniff, Referrer-Policy, and related basics | Low-friction hardening with little breakage risk; there is no good reason for it to stay absent. |
Common Causes
Patterns worth checking first
- Proxy drift: Headers were added at origin but stripped or replaced by the edge.
- Framework defaults: The app never enabled baseline security middleware or equivalent config.
- Fear of breakage: Teams delayed rollout because CSP or HSTS were not staged safely.
How To Confirm It Safely
Confirmation steps
- Inspect the final public response headers, not only local config files.
- Check whether CDN or reverse proxy layers modify the response.
- Separate missing headers from weak headers so rollout can be prioritized.
- Confirm which routes need stricter framing or CSP handling first.
Fix Workflow
- Set a baseline first. Add low-risk protections and verify the final public response carries them.
- Stage higher-impact policies. Roll CSP and stronger HSTS settings in controlled phases.
- Validate edge behavior. Confirm the proxy, CDN, or middleware stack is not overwriting the intended header set.
- Retest route behavior. Re-run the analyzer and confirm the public response now matches the plan.
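The confirmation steps and the workflow above both come down to one comparison: what the origin emits versus what the public edge actually delivers, split into missing and weak headers. The following is an added example, not code from the original page or from the Security Headers Analyzer, that performs that triage on captured header sets. The header list, the weakness rules (an HSTS max-age floor of six months, `'unsafe-inline'` in script-src without a nonce or hash, wildcard script hosts, leaky referrer policies) and the two sample responses are assumptions chosen for illustration; the sample responses are constructed, not real captures.

```javascript
// Added example: classify the public response headers as present / weak /
// missing, and show which headers a proxy or CDN layer stripped relative to
// the origin. Thresholds and sample responses below are constructed.

const HSTS_MIN_MAX_AGE = 15552000; // seconds (180 days), an assumed floor

// HTTP header names are case-insensitive, so compare on lower-case keys.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns the source list that governs script loading: script-src wins,
// default-src is the fallback, null means scripts are unrestricted.
function cspScriptSources(csp) {
  const directives = csp.split(';').map((d) => d.trim()).filter(Boolean);
  const find = (name) =>
    directives.find((d) => d.toLowerCase() === name || d.toLowerCase().startsWith(name + ' '));
  const src = find('script-src') || find('default-src');
  return src ? src.split(/\s+/).slice(1) : null;
}

function hstsMaxAge(value) {
  const m = /max-age=(\d+)/i.exec(value);
  return m ? Number(m[1]) : 0;
}

// Keyed by lower-case header name. Each check returns null when the value is
// acceptable, or a reason string when the header is present but weak.
const CHECKS = {
  'content-security-policy': (v) => {
    const sources = cspScriptSources(v);
    if (!sources) return 'no script-src or default-src directive';
    if (sources.includes('*')) return 'script-src allows any host';
    const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
      return "script-src allows 'unsafe-inline' without a nonce or hash";
    }
    return null;
  },
  'strict-transport-security': (v) =>
    hstsMaxAge(v) < HSTS_MIN_MAX_AGE ? `max-age ${hstsMaxAge(v)} is below ${HSTS_MIN_MAX_AGE}` : null,
  'x-frame-options': (v) => (/^(deny|sameorigin)$/i.test(v) ? null : `unexpected value "${v}"`),
  'x-content-type-options': (v) => (/^nosniff$/i.test(v) ? null : `unexpected value "${v}"`),
  'referrer-policy': (v) =>
    /^(unsafe-url|origin-when-cross-origin|no-referrer-when-downgrade)$/i.test(v)
      ? `leaky policy "${v}"`
      : null,
};

// Triage of one response: which headers are there and fine, there but weak,
// or absent. Missing and weak are kept separate so rollout can be prioritized.
function classify(publicHeaders) {
  const h = normalize(publicHeaders);
  const present = [];
  const weak = [];
  const missing = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in h)) {
      missing.push(name);
      continue;
    }
    const reason = check(h[name]);
    if (reason) weak.push({ name, reason });
    else present.push(name);
  }
  return { present, weak, missing };
}

// Proxy drift: security headers the origin sends that never reach the edge.
function strippedByEdge(originHeaders, edgeHeaders) {
  const o = normalize(originHeaders);
  const e = normalize(edgeHeaders);
  return Object.keys(CHECKS).filter((n) => n in o && !(n in e));
}

// Constructed sample responses (not real captures): the origin sets five
// headers, the CDN in front of it drops X-Frame-Options.
const ORIGIN_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
const EDGE_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log('public response:', JSON.stringify(classify(EDGE_HEADERS), null, 2));
console.log('stripped by edge:', strippedByEdge(ORIGIN_HEADERS, EDGE_HEADERS));
```

To run this against live hosts rather than the constructed samples, fetch the same path twice with `fetch(url, { redirect: 'manual' })`, once against the origin hostname and once against the public hostname, and pass `Object.fromEntries(res.headers)` to `classify` and `strippedByEdge`; `redirect: 'manual'` matters because a redirect hop can carry a different header set from the final page.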
Implementation Examples
Express baseline with Helmet
```javascript
import express from 'express';
import helmet from 'helmet';
const app = express();
// Baseline only: CSP is left off and staged separately (see Rollout Risks).
app.use(helmet({
  contentSecurityPolicy: false,
  frameguard: { action: 'deny' },   // X-Frame-Options: DENY
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
  noSniff: true,                    // X-Content-Type-Options: nosniff
  // Helmet enables HSTS by default with includeSubDomains; keep it explicit
  // and short-lived until the subdomain inventory review is done.
  hsts: { maxAge: 300, includeSubDomains: false }
}));
```
Rollout Risks
A broad CSP can break pages if you skip report-only learning
CSP is powerful, but it should not be deployed as guesswork on script-heavy apps.
- Stage report-only where complexity is high.
- Use real browser telemetry before moving to enforcement.
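The report-only phase only pays off if the violation reports are turned into a decision: which hosts genuinely need allowlisting, and how much inline script has to be moved to nonces before enforcement. The following is an added example, not code from the original page or from Helmet, that builds the staged policy with a per-request nonce and aggregates the reports browsers send back. The directive set, the `/csp-report` endpoint path, the report shapes handled (the legacy `report-uri` body and the Reporting API `csp-violation` body) and the sample reports are assumptions made for illustration; the sample reports are constructed, not real telemetry.

```javascript
// Added example: stage a CSP as report-only with a per-request nonce, tally the
// violation reports, and derive the enforced policy from the tally. Directive
// set, report path and sample reports are constructed for illustration.

// Builds the header for one response. In the learning phase the policy goes out
// as Content-Security-Policy-Report-Only, which never blocks anything. `nonce`
// must be fresh per response, e.g. crypto.randomBytes(16).toString('base64').
function buildCsp({ nonce, reportOnly = true, reportPath = '/csp-report', extraScriptSources = [] }) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`, ...extraScriptSources],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'frame-ancestors': ["'none'"],
    // report-uri is the widely supported delivery mechanism; add report-to
    // alongside it once the Reporting-Endpoints header is configured.
    'report-uri': [reportPath],
  };
  const value = Object.entries(directives)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value };
}

// Accepts both report shapes browsers send: { "csp-report": {...} } from
// report-uri and { type: "csp-violation", body: {...} } from the Reporting API.
function normalizeReport(raw) {
  const r = raw['csp-report'] || raw.body || raw;
  const directive =
    r['effective-directive'] || r.effectiveDirective || r['violated-directive'] || r.violatedDirective || '';
  return {
    directive: directive.split(' ')[0], // older browsers include the source list
    blocked: r['blocked-uri'] || r.blockedURL || r.blockedURI || '',
    page: r['document-uri'] || r.documentURL || r.documentURI || '',
  };
}

// Tallies violations by directive and by blocked origin. Inline script and
// eval are kept as their own keys: they are fixed with nonces or refactoring,
// never by allowlisting.
function summarizeReports(rawReports) {
  const tally = {};
  for (const raw of rawReports) {
    const { directive, blocked } = normalizeReport(raw);
    let key;
    if (blocked === 'inline' || blocked === 'eval' || blocked === '') {
      key = blocked || 'unknown';
    } else {
      try {
        key = new URL(blocked).origin;
      } catch {
        key = blocked;
      }
    }
    tally[directive] = tally[directive] || {};
    tally[directive][key] = (tally[directive][key] || 0) + 1;
  }
  return tally;
}

// After review, the https origins that showed up under script-src become the
// third-party allowlist of the enforced policy; inline hits are deliberately
// not carried over.
function proposeEnforcedPolicy(tally, nonce) {
  const hosts = Object.keys(tally['script-src'] || {}).filter((k) => k.startsWith('https://'));
  return buildCsp({ nonce, reportOnly: false, extraScriptSources: hosts });
}

// Constructed sample reports (not real telemetry).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example/checkout', 'effective-directive': 'script-src',
                    'blocked-uri': 'https://cdn.example/widget.js', disposition: 'report' } },
  { 'csp-report': { 'document-uri': 'https://app.example/checkout', 'effective-directive': 'script-src',
                    'blocked-uri': 'inline', disposition: 'report' } },
  { type: 'csp-violation', body: { documentURL: 'https://app.example/', effectiveDirective: 'script-src',
                                   blockedURL: 'https://cdn.example/analytics.js', disposition: 'report' } },
  { type: 'csp-violation', body: { documentURL: 'https://app.example/', effectiveDirective: 'img-src',
                                   blockedURL: 'https://images.example/hero.png', disposition: 'report' } },
];

console.log(buildCsp({ nonce: 'demo-nonce' }));
console.log(JSON.stringify(summarizeReports(SAMPLE_REPORTS), null, 2));
console.log(proposeEnforcedPolicy(summarizeReports(SAMPLE_REPORTS), 'demo-nonce'));
```

In an Express app the report endpoint is a POST handler that accepts `application/csp-report` and `application/reports+json` bodies and appends them to whatever store feeds `summarizeReports`; the two `inline` hits in the tally are the signal that those pages still need nonced script tags before `reportOnly` can be switched to `false`.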
HSTS can create recovery pain if certificate or subdomain hygiene is weak
Do not treat HSTS as a copy-paste header without checking HTTPS readiness.
- Validate certificate operations first: every host the policy will cover needs a valid certificate and automated renewal, because once browsers cache HSTS a certificate error cannot be clicked through.
- Start with a short max-age, then promote includeSubDomains, and especially preload, only after a subdomain inventory review; removal from the preload list is slow, so treat preload as effectively permanent.
Validation Checklist
Post-fix validation
- Final public responses include the intended headers after all proxies.
- Sensitive routes now carry the stricter browser policy you planned.
- No high-value header remains missing from the live response.
- The Security Headers Analyzer confirms the expected improvement.
FAQ
Should every missing header be fixed at once?
Not always. Some headers are trivial, while CSP and HSTS deserve phased rollout.
- Start with low-friction hardening.
- Treat high-impact browser policies as controlled changes.
Why do my origin headers not match public results?
A proxy or CDN is often rewriting the response.
- Trace the final edge response.
- Review middleware, reverse proxy, and CDN header policies together.