What Are Security Headers and Why Does Google Care About Them?


When we audit small business websites, one finding comes up more than almost any other: zero security headers. Not one, not two -- zero out of six.

Most business owners have never heard of security headers. Their web developer probably hasn't mentioned them either. But Google considers your website's security as part of its page experience evaluation.

What Are Security Headers?

Security headers are instructions your website sends to visitors' browsers, telling them how to handle your content safely. Think of them as rules that protect your visitors (and your website) from common attacks.

There are six key security headers that matter:

1. Strict-Transport-Security (HSTS)

Tells browsers to always use HTTPS when connecting to your site. Without it, a visitor who types your address without https:// makes a first request over plain HTTP, and that request can be intercepted before your HTTPS redirect kicks in.

2. X-Frame-Options

Prevents other websites from embedding your site inside a frame (iframe). Without it, an attacker can load your site in an invisible frame beneath a decoy page so that visitors click your buttons without realising it -- an attack known as clickjacking.

3. X-Content-Type-Options

Stops browsers from guessing ("sniffing") a file's type instead of trusting the declared Content-Type. Without it, an attacker could trick the browser into running an uploaded file as a script.

4. Content-Security-Policy (CSP)

Controls which resources (scripts, images, fonts) your page is allowed to load, and from where. It is the most powerful of the six -- a well-written policy blocks most cross-site scripting (XSS) attacks.

5. Referrer-Policy

Controls how much information about where a visitor came from is sent to other sites. Protects your visitors' privacy.

6. Permissions-Policy

Controls which browser features (camera, microphone, location) your site can access. Prevents malicious scripts from activating your visitors' devices.

Why Does Google Care?

Google has stated that page experience is part of their ranking system. Security is part of page experience.

HTTPS has been a confirmed ranking signal since 2014. Security headers go beyond HTTPS -- they show Google (and your visitors) that you take security seriously.

More practically: Google Chrome actively flags security issues. If a visitor sees a security warning, they leave. That increases your bounce rate and tells Google your site provides a poor experience.

How to Check Yours

Run this in a terminal, against your https:// address (HSTS is only sent over HTTPS, so checking the http:// version will always look like it is missing):

```
curl -sI https://yourwebsite.com | grep -i "strict-transport\|x-frame\|x-content\|content-security\|permissions-policy\|referrer-policy"
```

If you see nothing, you have no security headers.
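The curl one-liner only tells you whether a header name appears. The following checker, added here as an example and not part of the original post, goes one step further: it parses the same raw header dump that `curl -sI` prints (or fetches it live with a HEAD request), reports each of the six headers as missing, present or weakly configured, and gives a score out of six. The sample response is constructed to look like a server running the five nginx directives from the post with no Content-Security-Policy yet; the value checks (a zero `max-age` disables HSTS, `X-Frame-Options` should be `DENY` or `SAMEORIGIN`, `nosniff` is the only valid value, `'unsafe-inline'` without a nonce or hash weakens CSP, `unsafe-url` leaks full referrers) are this example's own heuristics.

```python
# Added example, not the post's own tooling: check the six security headers
# from a raw `curl -sI` dump or a live HEAD request.
import re
from typing import Dict, Tuple
from urllib.request import Request, urlopen

SIX_HEADERS = (
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
    "Permissions-Policy",
)


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response head (status line plus header lines) into a dict
    keyed by lowercase header name; header names are case-insensitive."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")  # keep any ':' inside the value
        headers[name.strip().lower()] = value.strip()
    return headers


def fetch_headers(url: str) -> Dict[str, str]:
    """Live variant with the same output shape. Use an https:// URL: HSTS is
    only honoured (and normally only sent) over HTTPS."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}


def _assess(name: str, value: str) -> Tuple[bool, str]:
    """Heuristic value check; (True, note) means acceptably configured."""
    v = value.lower()
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age\s*=\s*(\d+)", v)
        if not m or int(m.group(1)) == 0:
            return False, "max-age missing or zero (HSTS disabled)"
        return True, f"max-age={m.group(1)}"
    if name == "X-Frame-Options":
        return v in ("deny", "sameorigin"), f"value {value!r}"
    if name == "X-Content-Type-Options":
        return v == "nosniff", f"value {value!r}"
    if name == "Content-Security-Policy":
        if "'unsafe-inline'" in v and "'nonce-" not in v and "'sha" not in v:
            return False, "allows inline scripts/styles ('unsafe-inline')"
        return True, "present"
    if name == "Referrer-Policy":
        return v != "unsafe-url", f"value {value!r}"
    return True, "present"  # Permissions-Policy: any explicit policy counts


def check_headers(headers: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Return {header name: (ok, note)} for each of the six headers."""
    report: Dict[str, Tuple[bool, str]] = {}
    for name in SIX_HEADERS:
        value = headers.get(name.lower())
        report[name] = (False, "missing") if value is None else _assess(name, value)
    return report


def score(report: Dict[str, Tuple[bool, str]]) -> int:
    """Number of headers out of six that passed."""
    return sum(1 for ok, _ in report.values() if ok)


# Constructed sample: a `curl -sI` dump from a server using the five copy-paste
# nginx directives, with Content-Security-Policy not yet configured.
SAMPLE_RAW = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

if __name__ == "__main__":
    result = check_headers(parse_raw_headers(SAMPLE_RAW))
    for header, (ok, note) in result.items():
        print(f"{'OK  ' if ok else 'FAIL'} {header}: {note}")
    print(f"{score(result)}/6 headers configured")
```

To check a live site, replace the sample with `check_headers(fetch_headers("https://yourwebsite.com"))`; note that `urlopen` follows redirects, so the headers you see are those of the final page, and that some servers answer HEAD differently from GET.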

How to Fix It

If you're on nginx, add these lines to your server block. One caveat: if a `location` block has any `add_header` directive of its own, it stops inheriting the ones from the server block, so either put the headers in every such block or keep them all at server level.

```
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
```

Content-Security-Policy is more complex because it depends on which scripts, styles and other resources your site actually loads. Start with the other five -- they're copy-paste.

On Apache, use the `Header set` directive. On WordPress, plugins like "Headers Security Advanced" can add them without touching server config.

The whole process takes about 30 minutes. Zero cost. Immediate improvement.

We Check This in Every Audit

Every SEO Rank Masters report includes a security header check. We test all six headers and tell you exactly which are missing and how to add them.

It's one of the most common quick wins we find -- and one of the easiest to fix.

*Check your security headers and everything else. [Get your SEO audit](https://seorankmasters.com) -- from GBP 29.*
