Guide
Missing Security Headers
A missing header does not mean your site is broken, but it does mean the browser is getting fewer safety instructions than it could.
What Missing Means
Missing simply means the final browser-facing response did not include that header. It might be absent in your app, removed by a proxy, or only configured for a different route.
Check the production URL people actually visit, including redirects. Header behavior can change between HTTP and HTTPS, www and non-www, or one path and another.
A header can be present on HTML pages but missing on APIs, static assets, or alternate hostnames. Decide which routes matter before treating every missing header as the same kind of problem.
Prioritize By Risk
For public sites, fix nosniff (X-Content-Type-Options), clickjacking protection (X-Frame-Options or a CSP frame-ancestors directive), referrer policy (Referrer-Policy), and HTTPS enforcement (Strict-Transport-Security) early. They are useful and usually not painful to roll out.
For logged-in apps, admin pages, checkout flows, and dashboards, spend extra time on Content-Security-Policy and Permissions-Policy. Those pages usually carry more risk.
Check The Whole Delivery Path
If a header appears locally but not in production, look at the whole delivery path: framework, origin server, reverse proxy, CDN, and hosting platform.
Raw headers and JSON output are handy when you need to compare environments or show another developer exactly what changed.
Common Causes
Common causes include CDN rules overriding origin headers, middleware not running on every route, redirects landing on a different host, and hosting platforms applying defaults only to certain file types.
Another easy mistake is checking the wrong URL. HTTP, HTTPS, www, non-www, trailing slashes, and locale redirects can all lead to a different final response.
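As an added example (not the guide's own checker), the script below does what the sections above describe: it follows the redirect chain to the final response a browser actually receives and reports which baseline headers are absent there, so a header that is present on the origin but stripped by a CDN on the www host shows up. The responses and hostnames are constructed inline, so it runs offline.

```python
# Added example (not the guide's own checker): follow a redirect chain to the
# final response a browser receives, then list the baseline security headers
# absent there. Responses are constructed inline (hypothetical hosts), so it runs offline.
# Real response header names behind the guide's shorthand; SENSITIVE adds the
# ones it reserves for logged-in and other sensitive pages.
BASELINE = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "clickjacking protection",
    "referrer-policy": "referrer policy",
    "strict-transport-security": "HTTPS enforcement (HSTS)",
}
SENSITIVE = {"content-security-policy": "CSP", "permissions-policy": "Permissions-Policy"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def missing_headers(headers: dict, sensitive: bool = False) -> list:
    """Expected header names absent from `headers`; case-insensitive, since proxies re-case names."""
    present = {name.lower() for name in headers}
    wanted = {**BASELINE, **SENSITIVE} if sensitive else BASELINE
    return [name for name in wanted if name not in present]

def final_response(responses: dict, start_url: str, max_hops: int = 10) -> tuple:
    """Follow Location redirects through `responses` and return (final_url, response)."""
    url = start_url
    for _ in range(max_hops):
        resp = responses[url]
        location = {k.lower(): v for k, v in resp["headers"].items()}.get("location")
        if resp["status"] not in REDIRECT_STATUSES or not location:
            return url, resp  # what the browser actually renders
        url = location
    raise RuntimeError("too many redirects (loop?) starting from " + start_url)

def audit(responses: dict, start_url: str, sensitive: bool = False) -> dict:
    """Final URL plus the headers missing on the final response."""
    url, resp = final_response(responses, start_url)
    return {"final_url": url, "missing": missing_headers(resp["headers"], sensitive)}

# Constructed scenario: the apex origin sends every baseline header, but the URL
# people actually type redirects to www, where a CDN stripped most of them.
SAMPLE = {
    "http://example.test/": {"status": 301, "headers": {"Location": "https://www.example.test/"}},
    "https://example.test/": {"status": 200, "headers": {
        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin", "Strict-Transport-Security": "max-age=31536000"}},
    "https://www.example.test/": {"status": 200, "headers": {"content-type": "text/html", "x-content-type-options": "nosniff"}},
}

if __name__ == "__main__":
    print(audit(SAMPLE, "https://example.test/"))  # origin checked directly: nothing missing
    print(audit(SAMPLE, "http://example.test/"))   # real entry URL: the gap shows up
```

Checking the apex URL directly reports nothing missing; starting from the http:// URL visitors actually type lands on the www host, where three of the four baseline headers are gone.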
What To Fix First
If several headers are missing, start with the simple browser safety headers before enforcing CSP. A rushed CSP can break pages; nosniff and referrer policy are usually easier wins.
For authenticated apps, prioritize framing protection, HTTPS enforcement, and a careful CSP because those pages usually include more sensitive actions.
Example Fix Order
A simple marketing site might start with nosniff, a referrer policy, clickjacking protection, then HSTS after SSL and redirects are clean.
A logged-in app should also plan a CSP rollout. Use /content-security-policy-example or /fix-content-security-policy when you need a safer CSP starting point.
Useful Checks
Run /security-headers-checker to confirm which headers are missing on the final response.
If the result is confusing, check /redirect-checker to make sure you are landing on the expected URL and /ssl-checker before tightening HTTPS rules.
Common Questions
Does every page need the same headers?
Not always. A consistent baseline is easier to maintain, but sensitive pages usually need stricter policies than simple static pages.
Why did a header disappear after deployment?
A CDN, proxy, framework route, or hosting setting may be overriding headers. Check the final production response, not just the application code.
Is a missing CSP critical?
It depends on the site. CSP is important, but it needs careful testing because a bad policy can block real scripts, styles, images, or API calls.
Can a CDN remove my headers?
Yes. Some CDN and proxy setups replace, merge, or strip headers. Always check the final response users receive.
Should APIs send security headers?
APIs used by browsers should usually send useful headers such as nosniff and a referrer policy. APIs that never reach browsers may need a different baseline.
What if only one header is missing?
Fix it based on risk. Missing CSP may need careful testing, while missing nosniff or a referrer policy is often quicker to correct.