TransitPacket

Reading HTTP Security Headers: What to Check Before You Bill a Client

A fast reference for freelance IT consultants and small MSPs: the five HTTP security headers worth checking on any client site, what each protects against, and how to explain a finding without causing a panic.

Security headers are one of those things that are invisible until someone asks about them — and then you're expected to have an answer. A client's cyber-insurance renewal asks about them, a prospective customer's procurement checklist asks about them, or you're just doing your job properly and want to know what a site is and isn't protected against. This is the reference for that: five headers worth checking, what each one actually does, and how to talk about what you find without starting a panic.

Run the domain through Headers Checker first, then work through this list.

Strict-Transport-Security (HSTS)

What it protects against: tells the browser to only ever connect to this site over HTTPS — never plain HTTP — even if an old bookmark or link points to the http:// version. Without it, there's a brief window on a user's first visit (or any stale link) where the connection could start unencrypted before a redirect kicks in.

What missing or misconfigured looks like: no header at all is the most common gap. Present-but-weak usually means a very short max-age (offering almost no real protection) or a missing includeSubDomains when the client actually has subdomains that need the same coverage.

Content-Security-Policy (CSP)

What it protects against: the single most effective defense against cross-site scripting (XSS) — an attacker sneaking malicious script onto the page through a compromised ad, a vulnerable plugin, or an unsanitized input field. CSP tells the browser exactly which sources of scripts, styles, and other content are allowed to load.

What missing or misconfigured looks like: no CSP at all is extremely common — most small business sites don't have one, and that's a real gap worth noting, not automatically a five-alarm fire. Worse than missing is a policy so permissive it does nothing (default-src *), since it gives false confidence without any actual protection.

X-Frame-Options

What it protects against: clickjacking — tricking a user into clicking something on this site while it's invisibly loaded inside an attacker's page via an <iframe>. This matters most on sites with a login form or anything a user could be tricked into interacting with.

What missing or misconfigured looks like: missing entirely means the site can be framed by anyone, anywhere. A non-standard value like ALLOWALL defeats the purpose just as completely as having no header at all.

X-Content-Type-Options

What it protects against: the browser trying to guess ("sniff") a file's type from its content instead of trusting the declared type — a narrow but real path for tricking a browser into treating malicious content as something harmless.

What missing or misconfigured looks like: there's no real middle ground here — it's either present with the value nosniff, or it's missing. Of everything on this list, this is the simplest one to just turn on and never think about again.

Referrer-Policy

What it protects against: controls how much of the current page's URL gets sent to the next site when someone clicks a link away from it — relevant for privacy, since a full referrer can leak internal URLs, search terms, or session-identifying paths to third parties.

What missing or misconfigured looks like: missing means browsers default to sending the full referring URL to every link clicked, including external sites — usually a low-priority finding rather than urgent. Misconfigured mostly means an overly permissive value like unsafe-url, which leaks more than intended.

How to explain this to a client without causing a panic

Most small business owners don't know what a CSP is, and they don't need to. If you found something missing, how you frame it matters as much as what you found:

  • Lead with the plain-language risk, not the header name. "Your site doesn't currently have a setting that helps protect against a specific type of attack where someone tricks a browser into loading malicious code" lands very differently than "you're missing Content-Security-Policy."
  • Be honest about severity, and don't flatten every finding into the same urgency. A missing CSP on a static brochure site with no login form and no user input is a real gap, but a low priority one. A missing X-Frame-Options on a site with a client login page is worth fixing soon. Say which is which.
  • Frame it as a checklist item, not a crisis. "This is one of the things I check on every site I work on — this one's worth tightening up when we have time" reads very differently than opening with "I found a security problem."
  • Have a next step ready. A finding without a clear, scoped fix just creates anxiety. Know roughly what the fix looks like (usually a config change at the hosting or CDN level) before you bring it up.

Bookmark this page — it's built to be the reference you pull up any time you need to check a client's security headers, not something you read once.

FAQ

Do I need to explain every one of these headers to the client?

No — most clients don't need or want a header-by-header explanation. Summarize findings in plain language, and only go deeper if they specifically ask. Save the technical detail for whoever actually implements the fix, usually their host or developer.

A client's site is missing most of these — is that normal?

More often than not, yes, especially on smaller or older sites that were never audited for this. These headers require someone to have deliberately configured them, and a lot of hosting setups don't turn any of them on by default. Missing headers are a finding worth noting, not automatically a sign something is badly wrong.

How does this fit with the other guides?

This is the header-specific companion to the DNS Records checklist — both are deeper references for pieces of the fast 10-Minute Network Health Check you'd run when first onboarding a client. Pull this one out any time you're specifically reviewing a site's security configuration, not just at kickoff.