Breach Horizon
guides

Security headers explained for small business owners (2026)

Breach Horizon EditorialMay 19, 20264 min readReviewed by Laurens Vanhaecke

Last updated 2026-05-19.

Why security headers matter (and don't)

Almost every security scanner — including the free /security-headers tool on this site — grades your site on a handful of HTTP response headers. If you've ever run a scan and seen "F: Missing CSP" or "Warning: HSTS not present," you've met them.

The honest take: most of these headers don't stop attacks on their own. They're defense-in-depth — they raise the cost of a class of attack, or they limit blast radius if something else goes wrong. A missing header isn't usually a "you'll get breached tomorrow" finding. But a missing HSTS header on a site that handles logins or payments often is, because it allows a downgrade attack that strips HTTPS in transit.

This guide is the practitioner's translation of what each common header does, which ones are mandatory for an SMB website in 2026, and exactly what to paste into your nginx, Cloudflare, or Vercel config to set them.

The five headers that matter

1. Strict-Transport-Security (HSTS) — ship this first

HSTS tells the browser: "once you've connected to me over HTTPS, never accept HTTP for this host again, for the next N seconds." It defeats the single most common active-attack pattern on the public internet — the on-path TLS-stripping attack that downgrades a https://yoursite.com request to plain HTTP and harvests the session cookie or password.

If you ship one header on your site this year, ship this one. The cost is near-zero. The win is enormous. Minimum recommended config:

Strict-Transport-Security: max-age=31536000; includeSubDomains

If you're confident you can never accidentally serve subdomains over HTTP, add preload and submit to hstspreload.org — that bakes your domain into the browser HSTS list.

2. Content-Security-Policy (CSP) — nice to have, hard to get right

CSP is a whitelist of what the browser is allowed to load when it renders your page. Done well, it stops cross-site scripting (XSS) cold — the attacker's injected <script> won't execute because your CSP doesn't trust their domain.

Done badly, CSP breaks your site without anyone noticing until your analytics stops reporting or your forms stop submitting. Most SMB sites we look at have either no CSP or a CSP so permissive (script-src *) that it does nothing.

The honest position: a missing CSP isn't catastrophic for a static brochure site. It is genuinely important if you accept user input or run an authenticated app. Start with Content-Security-Policy-Report-Only for a few weeks — it logs violations without breaking the page, so you can see what your real third-party dependencies actually are before you enforce.

3. X-Frame-Options / frame-ancestors — clickjacking defense

X-Frame-Options: DENY (or its modern CSP equivalent, frame-ancestors 'none') prevents another site from embedding yours in an iframe. That blocks clickjacking — the attacker overlays your real login form on top of fake content and tricks the user into clicking. Low cost, high coverage. Always ship it unless you genuinely need to be embedded.

4. Referrer-Policy — privacy hygiene

When a visitor clicks a link from your site to another site, the browser tells the destination site where they came from. Referrer-Policy: strict-origin-when-cross-origin is the safest sensible default — it tells the browser to send the origin (no path, no query string) when crossing to another site, which prevents leaking sensitive URLs to third parties.

5. Permissions-Policy — disable what you don't use

Browsers default to allowing pages to request camera, microphone, geolocation, accelerometer, USB devices, and a long list of other capabilities. Permissions-Policy shuts off everything you're not using, which means a successful XSS still can't ask the browser to open the user's webcam.

For a brochure site that doesn't need any of these:

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()

Copy-paste configs

Cloudflare

The easiest option. Go to Rules → Transform Rules → Modify Response Header and add a Static Rule that runs on every request to your hostname. Add each header with its value. Cloudflare ships the change in seconds. The big win: you don't have to touch your origin server.

nginx

Inside the relevant server { } block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;
# Start in report-only mode while you learn what your site actually loads:
add_header Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'" always;

The always keyword is the gotcha — without it, nginx skips the header on error responses, which means a 4xx still leaks.

Vercel

In your vercel.json:

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
        { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), payment=(), usb=()" }
      ]
    }
  ]
}

What to do next

  1. Run the Security Headers Scanner on your apex domain and every active subdomain. Note the misses; if HSTS is missing, fix it this week.
  2. Pick the deployment surface you actually own — Cloudflare in front, your origin server, or your hosting platform's config — and paste the snippet above. Re-run the scan; you should see grades jump.
  3. Run the full Exposure Report to see how header coverage stacks up against your TLS, email auth, and credential exposure findings — and which of the three is hurting your overall score most.

If you'd rather have a security engineer walk through the findings and recommend the right hardening order for your specific stack, bring the report to your MSP or a qualified security consultant. Breach Horizon does not currently sell paid human reviews.

See what attackers see — before they do.

Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.