Guide

Why Security Headers Are Not Working

If your code says a header is set but the live scan says it is missing, something in the delivery path is probably changing the final response.

01

You May Be Checking A Different URL

Headers can differ between HTTP and HTTPS, www and non-www, root paths and app paths, or one locale route and another.

Use /redirect-checker to see the final URL, then scan that final response with /security-headers-checker.

02

A CDN Or Proxy May Be Overriding Headers

CDNs, reverse proxies, and hosting platforms can add, replace, or remove headers after your app sends a response.

If a header exists locally but not in production, check the CDN rules and any edge middleware before assuming the app code is wrong.

03

Middleware May Not Run Everywhere

Framework middleware can be route-specific. It may run for pages but not static assets, API routes, image routes, or error pages.

Check the route pattern and make sure the middleware covers the paths you care about.

04

Redirects Can Hide The Real Response

A header on the first response does not always appear on the final response. Browsers care about the final page they load after redirects finish.

Long redirect chains also make debugging harder. Clean up the chain before judging whether headers are working.

05

Examples

Example one: your app sets HSTS, but users land on a CDN-hosted www URL that does not include it. The fix is to add the header at the CDN or canonical host.

Example two: CSP works on /dashboard but not /. The middleware may only match app routes, or a static hosting rule may be serving the homepage directly.
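The checks described in sections 01, 03 and 04 and in the two examples above can be scripted. The block below is an added example written for this guide; it is not HeaderCheckr's code. It follows a redirect chain one hop at a time, reports which security headers an intermediate response carried but the final response lost, and then scans several paths under one host so that route-specific middleware gaps (homepage, static assets, API routes) show up side by side. The `example.test` hosts, the responses in `FAKE_RESPONSES` and the header list in `SECURITY_HEADERS` are constructed assumptions so that it runs offline; swap `fake_fetch` for the real `fetch_once` to scan a live site.

```python
"""Trace redirects and per-path header coverage (added example, not HeaderCheckr's code)."""
from __future__ import annotations

import http.client
from typing import Callable
from urllib.parse import urljoin, urlparse

# Headers a typical scanner looks for; an assumption, extend as needed. Compared case-insensitively.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch_once(url: str, timeout: float = 10.0) -> tuple[int, dict[str, str], str | None]:
    """One GET without following redirects: (status, lower-cased headers, Location or None).

    Repeated header names collapse to the last value; enough for presence checks,
    not for auditing duplicate CSP headers.
    """
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "header-trace/0.1"})
    resp = conn.getresponse()
    headers = {name.lower(): value for name, value in resp.getheaders()}
    resp.read()
    conn.close()
    return resp.status, headers, headers.get("location")


def trace(url: str, fetch: Callable = fetch_once, max_hops: int = 10) -> list[dict]:
    """Follow the redirect chain hop by hop, recording every response's headers."""
    hops: list[dict] = []
    seen = {url}
    while len(hops) < max_hops:
        status, headers, location = fetch(url)
        hops.append({"url": url, "status": status, "headers": headers})
        if status not in REDIRECT_STATUSES or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        if url in seen:
            break  # redirect loop: stop instead of spinning
        seen.add(url)
    return hops


def chain_report(hops: list[dict]) -> dict:
    """Judge only the final response (the one the browser uses) and note what the chain lost."""
    final = hops[-1]
    missing = [h for h in SECURITY_HEADERS if h not in final["headers"]]
    lost = [h for h in missing if any(h in hop["headers"] for hop in hops[:-1])]
    return {"final_url": final["url"], "hops": len(hops),
            "missing_on_final": missing, "lost_along_chain": lost}


def path_coverage(base: str, paths: list[str], fetch: Callable = fetch_once) -> dict[str, list[str]]:
    """Per path under base, list the security headers missing from its final response.

    Exposes middleware that covers app routes but not '/', static assets or API routes.
    """
    return {p: chain_report(trace(urljoin(base, p), fetch=fetch))["missing_on_final"] for p in paths}


# Constructed sample responses; not captured from any real host.
HSTS = "max-age=63072000"
FAKE_RESPONSES = {
    # App origin: HTTP -> HTTPS redirect, HSTS set by the app itself.
    "http://example.test/": (301, {"location": "https://example.test/", "strict-transport-security": HSTS}, "https://example.test/"),
    # Canonical redirect onto the CDN-fronted www host.
    "https://example.test/": (301, {"location": "https://www.example.test/", "strict-transport-security": HSTS}, "https://www.example.test/"),
    # CDN serves the homepage directly: HSTS dropped, CSP never added (hosting rule bypasses middleware).
    "https://www.example.test/": (200, {"content-type": "text/html", "x-content-type-options": "nosniff"}, None),
    # App route passes through middleware and gets the full set.
    "https://www.example.test/dashboard": (200, {"content-type": "text/html", "strict-transport-security": HSTS,
                                                 "content-security-policy": "default-src 'self'", "x-content-type-options": "nosniff",
                                                 "x-frame-options": "DENY", "referrer-policy": "no-referrer"}, None),
    # Static asset served by a separate rule: nothing but content-type.
    "https://www.example.test/static/app.js": (200, {"content-type": "text/javascript"}, None),
}


def fake_fetch(url: str):
    """Offline stand-in for fetch_once, backed by FAKE_RESPONSES."""
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    hops = trace("http://example.test/", fetch=fake_fetch)
    for hop in hops:
        print(hop["status"], hop["url"], [h for h in SECURITY_HEADERS if h in hop["headers"]])
    print(chain_report(hops))
    print(path_coverage("https://www.example.test/", ["/", "/dashboard", "/static/app.js"], fetch=fake_fetch))
```

Against the constructed data the chain report shows HSTS present on the first two hops but absent from the final `www` response, which is the "example one" failure, and the path scan shows `/dashboard` fully covered while `/` and `/static/app.js` are not, which is "example two". Run against a real host, `lost_along_chain` points at the layer (CDN or canonical host) that needs the header added, and `path_coverage` points at the route pattern the middleware does not match.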

FAQ

Common questions

Why does my header show locally but not in production?

Production often includes a CDN, proxy, or hosting layer that can change headers after your app sends them.

Do redirects keep security headers?

Not automatically. Each response has its own headers. Check the final response after redirects.

Can browser cache affect header checks?

HeaderCheckr fetches the live response server-side, so it is not using your browser cache. CDN cache can still affect what the server returns.

What should I check first?

Check the final URL, then the CDN/proxy layer, then route-specific middleware or hosting rules.