Magento security headers checklist
Which security headers matter on Magento stores and how to roll them out without breaking checkout or third-party scripts.
Headers your store should usually have
Security headers reduce browser-side risk and improve the public security posture of your store. They are not a substitute for patching, but missing headers often appear on scan reports.
- Strict-Transport-Security
- X-Content-Type-Options
- Content-Security-Policy
- Referrer-Policy
- Permissions-Policy
- Frame protection through CSP frame-ancestors or X-Frame-Options
Be careful with CSP
Content-Security-Policy is powerful, but a strict policy can break payment scripts, analytics, reviews, chat widgets and checkout. Roll it out in report-only mode first, review violations, then enforce.
Where to set headers
Headers can be set in nginx, Apache, Cloudflare or hosting control panels. For Magento, CDN-level headers are often easiest to maintain, but checkout exceptions need care.