All guides
Security5 min read

Magento security headers checklist

Which security headers matter on Magento stores and how to roll them out without breaking checkout or third-party scripts.

Headers your store should usually have

Security headers reduce browser-side risk and improve the public security posture of your store. They are not a substitute for patching, but missing headers often appear on scan reports.

  • Strict-Transport-Security
  • X-Content-Type-Options
  • Content-Security-Policy
  • Referrer-Policy
  • Permissions-Policy
  • Frame protection through CSP frame-ancestors or X-Frame-Options

Be careful with CSP

Content-Security-Policy is powerful, but a strict policy can break payment scripts, analytics, reviews, chat widgets and checkout. Roll it out in report-only mode first, review violations, then enforce.

Where to set headers

Headers can be set in nginx, Apache, Cloudflare or hosting control panels. For Magento, CDN-level headers are often easiest to maintain, but checkout exceptions need care.

Next step

Got this problem on a live store?

Send the URL or book a call. You will get a practical answer on whether it needs a patch, an upgrade, emergency work or just a cleaner maintenance plan.