Check your site's security headers

Your web server can send a handful of HTTP response headers that make life harder for attackers. Spoofing, XSS, clickjacking: these headers won’t stop everything, but they raise the bar. mySites.guru checks eight of them on every snapshot, twice a day.

Which eight headers does mySites.guru check?

  • Content-Security-Policy - controls which resources the browser is allowed to load
  • Expect-CT - enforces Certificate Transparency requirements
  • Feature-Policy - flagged if present (this header is deprecated)
  • Permissions-Policy - the replacement for Feature-Policy
  • Referrer-Policy - controls how much referrer info is sent with requests
  • Strict-Transport-Security - forces HTTPS connections
  • X-Content-Type-Options - prevents MIME-type sniffing
  • X-Frame-Options - protects against clickjacking
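The presence check described above, written out as an added example in Python (this is not mySites.guru's own code). It treats the eight headers the way the list does: seven must be present, and Feature-Policy is flagged when it is present. Header names are compared case-insensitively, and a header that is sent with an empty value is counted as missing. The sample response headers are constructed for the example.

```python
from typing import Dict, List, Mapping, Tuple

# The eight headers mySites.guru checks. The flag says whether the header is
# expected to be present: Feature-Policy is the exception, flagged when found
# because Permissions-Policy replaced it.
CHECKED_HEADERS: Dict[str, Tuple[bool, str]] = {
    "Content-Security-Policy": (True, "controls which resources the browser may load"),
    "Expect-CT": (True, "deprecated; browsers enforce Certificate Transparency by default"),
    "Feature-Policy": (False, "deprecated; switch to Permissions-Policy"),
    "Permissions-Policy": (True, "replacement for Feature-Policy"),
    "Referrer-Policy": (True, "limits referrer information sent with requests"),
    "Strict-Transport-Security": (True, "forces HTTPS connections"),
    "X-Content-Type-Options": (True, "prevents MIME-type sniffing"),
    "X-Frame-Options": (True, "protects against clickjacking"),
}


def check_security_headers(response_headers: Mapping[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Return {header: (passed, note)} for each of the eight checked headers.

    HTTP header names are case-insensitive, so the lookup is done on
    lower-cased names. A header that is present but empty counts as missing.
    """
    present = {name.lower(): value.strip() for name, value in response_headers.items()}
    results: Dict[str, Tuple[bool, str]] = {}
    for name, (should_be_present, note) in CHECKED_HEADERS.items():
        is_present = bool(present.get(name.lower()))
        passed = is_present if should_be_present else not is_present
        results[name] = (passed, note)
    return results


def summarize(results: Mapping[str, Tuple[bool, str]]) -> Tuple[List[str], List[str]]:
    """Split results into sorted lists of passing and failing header names."""
    passed = sorted(name for name, (ok, _) in results.items() if ok)
    failed = sorted(name for name, (ok, _) in results.items() if not ok)
    return passed, failed


# Constructed sample response headers (not taken from a real site): HSTS,
# nosniff, framing and referrer headers are set, but CSP and Permissions-Policy
# are missing and the deprecated Feature-Policy header is still being sent.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Feature-Policy": "camera 'none'",
}

if __name__ == "__main__":
    for name, (ok, note) in check_security_headers(SAMPLE_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name:<26} {note}")
```

Run against the sample, the check passes four headers and fails four: the missing CSP and Permissions-Policy, the missing (and redundant) Expect-CT, and the deprecated Feature-Policy that is still being sent. A real run would feed it the headers from an HTTPS response to the site's front page.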

⚠️ Headers alone won't save you

Security headers are best practice, not a silver bullet. Learn about them and apply them where possible, but don't assume they make your site bulletproof.

[Screenshot: mySites.guru security header check results showing pass/fail status for each header]

What does each header actually do?

Content-Security-Policy (CSP)

CSP tells the browser which domains are allowed to serve scripts, styles, images, and other resources on your page. Without it, an attacker who finds an XSS hole can inject a script from anywhere and the browser will run it without question.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com

That says: only load resources from my own domain, only run scripts from my domain or my CDN, block everything else. Getting CSP right is fiddly. Too strict and you break your own site. Too loose and it’s decoration. But even a basic policy beats having none.

Strict-Transport-Security (HSTS)

HSTS tells browsers to only connect over HTTPS, even if someone types http:// or clicks an old HTTP link. Without it, the very first request can be intercepted before the redirect to HTTPS kicks in.

Strict-Transport-Security: max-age=31536000; includeSubDomains

max-age is in seconds. 31536000 is one year. Once a browser sees this, it won’t even try HTTP for that long. includeSubDomains covers your subdomains too. Note that the header only takes effect after the browser has seen it once over HTTPS; the very first visit from a fresh browser is only protected if your domain is on the browser HSTS preload list.

X-Frame-Options

X-Frame-Options prevents your site from being loaded inside an iframe on someone else’s domain. Why care? Clickjacking. An attacker loads your site in a hidden iframe, overlays it with something innocent-looking, and tricks users into clicking buttons on your site without realising it - changing passwords, making purchases, whatever.

X-Frame-Options: SAMEORIGIN

SAMEORIGIN means your own site can still iframe itself (useful for admin panels and previews) but nobody else can. DENY blocks all framing, including from your own domain.

Content-Security-Policy vs X-Frame-Options

CSP has a frame-ancestors directive that does the same job as X-Frame-Options, and it’s more flexible. But older browsers don’t support frame-ancestors, so the recommendation is to set both. They don’t conflict - browsers that understand CSP use frame-ancestors, older ones fall back to X-Frame-Options.
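As an added example (not mySites.guru's own code) covering the CSP section and the frame-ancestors point above, here is a small CSP parser and review in Python. It splits the policy into directives, applies the default-src fallback that fetch directives such as script-src get (and frame-ancestors does not), flags the two script-src settings that make a policy decorative, and cross-checks frame-ancestors against X-Frame-Options so the two framing controls agree. The policies it runs on are constructed for the example.

```python
from typing import Dict, List, Optional

# Directives that do NOT fall back to default-src when absent.
NO_DEFAULT_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri", "report-to"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directives are separated by ';'; within one, the first token is the
    directive name (case-insensitive) and the rest are sources. If a directive
    is repeated, browsers keep the first occurrence and ignore the rest.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(csp: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives such as script-src fall back to default-src when absent;
    frame-ancestors and the other document/navigation directives do not."""
    if directive in csp:
        return csp[directive]
    if directive in NO_DEFAULT_FALLBACK:
        return None
    return csp.get("default-src")


def review_csp(policy: str, x_frame_options: Optional[str] = None) -> List[str]:
    """Return findings for a CSP, cross-checked against the X-Frame-Options value."""
    csp = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in csp:
        findings.append("no default-src: resource types not listed are unrestricted")
    scripts = effective_sources(csp, "script-src") or []
    # In CSP level 3 a nonce or hash in script-src makes 'unsafe-inline' ignored,
    # so only flag it when nothing overrides it.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts still run")
    if "*" in scripts:
        findings.append("script-src allows *: scripts may load from any origin")
    ancestors = csp.get("frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors: framing is governed only by X-Frame-Options")
    if x_frame_options is None:
        findings.append("no X-Frame-Options: older browsers have no framing protection")
    elif ancestors is not None:
        # Browsers that understand frame-ancestors ignore X-Frame-Options, so
        # the two should say the same thing.
        xfo = x_frame_options.strip().upper()
        expected = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}.get(xfo)
        if expected is not None and [a.lower() for a in ancestors] != expected:
            findings.append(f"X-Frame-Options {xfo} but frame-ancestors is {' '.join(ancestors)}: "
                            "modern browsers follow frame-ancestors, older ones X-Frame-Options")
    return findings


if __name__ == "__main__":
    # Constructed policies: the one quoted in the post, then a decorative one.
    print(review_csp("default-src 'self'; script-src 'self' https://cdn.example.com", "SAMEORIGIN"))
    print(review_csp("script-src * 'unsafe-inline'"))
```

The policy quoted in the post comes back with a single finding (no frame-ancestors, so framing rests on X-Frame-Options alone); a policy of `script-src * 'unsafe-inline'` with no X-Frame-Options produces five.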

X-Content-Type-Options

Browsers sometimes try to be clever and “sniff” the content type of a response instead of trusting the Content-Type header. An attacker can exploit this by uploading a file that looks like an image but contains JavaScript - the browser sniffs it, decides it’s a script, and executes it.

X-Content-Type-Options: nosniff

One value. Tells the browser to trust the declared content type and stop guessing. Just set it.

Referrer-Policy

When someone clicks a link from your site to another site, the browser sends a Referer header (yes, the HTTP spec misspelled “referrer” in 1996 and we’re stuck with it) telling the destination where the click came from. That can leak URL paths, query parameters, or session tokens you’d rather keep private.

Referrer-Policy: strict-origin-when-cross-origin

strict-origin-when-cross-origin sends just the origin (https://yoursite.com) on cross-origin requests and strips the path, and sends nothing at all when going from HTTPS to plain HTTP. Same-origin navigations still get the full URL, so your own analytics aren’t affected.

Permissions-Policy

Permissions-Policy controls which browser APIs your site can use: camera, microphone, geolocation, payment, autoplay, and plenty more. If you don’t use the camera, disable it. If someone manages to inject code into your page, they still can’t turn on the webcam.

Permissions-Policy: camera=(), microphone=(), geolocation=()

Empty parentheses () means “nobody, not even this page.” You can also allow specific origins if you need them.

This header replaced the older Feature-Policy header. If your site still sends Feature-Policy, mySites.guru will flag it - you should switch to Permissions-Policy instead.
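Presence is only half the story: a header can be there and still be weak. As an added example (not mySites.guru's own code) that covers the Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy and Permissions-Policy sections above, the Python below parses each header's value and reports what a reviewer would flag: an HSTS max-age under a year or a missing includeSubDomains, a Referrer-Policy that sends the full URL to other origins, and sensitive browser features left unrestricted. The list of "sensitive" features and all sample values are this example's own choices, not a mySites.guru rule.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # seconds, the max-age value the post uses above


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse 'max-age=N; includeSubDomains; preload'. Directive names are case-insensitive."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            raw = raw.strip().strip('"')
            parsed["max_age"] = int(raw) if raw.isdigit() else None
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(value: str) -> List[str]:
    """Findings for an HSTS value: max-age of at least a year, subdomains covered."""
    p = parse_hsts(value)
    findings: List[str] = []
    if p["max_age"] is None:
        findings.append("max-age missing or not a number")
    elif p["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age {p['max_age']} is shorter than one year")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains can still be reached over HTTP")
    return findings


def check_nosniff(value: str) -> bool:
    """X-Content-Type-Options has exactly one meaningful value, matched case-insensitively."""
    return value.strip().lower() == "nosniff"


# Referrer-Policy tokens; True marks the ones that send the full URL (path and
# query string) to other origins.
REFERRER_POLICIES = {
    "no-referrer": False, "same-origin": False, "strict-origin": False,
    "strict-origin-when-cross-origin": False, "origin": False,
    "origin-when-cross-origin": False,
    "no-referrer-when-downgrade": True, "unsafe-url": True,
}


def check_referrer_policy(value: str) -> List[str]:
    """The header may list several tokens as fallbacks; the last recognised one wins."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    known = [t for t in tokens if t in REFERRER_POLICIES]
    if not known:
        return ["no recognised policy token: the browser default applies"]
    effective = known[-1]
    if REFERRER_POLICIES[effective]:
        return [f"{effective} sends the full URL to other origins"]
    return []


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse 'camera=(), geolocation=(self "https://maps.example.com")' into {feature: allowlist}."""
    policy: Dict[str, List[str]] = {}
    for item in value.split(","):
        feature, _, allow = item.strip().partition("=")
        if not feature.strip():
            continue
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = allow[1:-1].split()  # an empty list means nobody, not even this page
        else:
            tokens = [allow] if allow else []
        policy[feature.strip().lower()] = [t.strip('"') for t in tokens]
    return policy


# Features worth locking down when the site does not use them. This selection
# is the example's own, not a mySites.guru rule.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment")


def check_permissions_policy(value: str) -> List[str]:
    """Flag sensitive features that are unrestricted or open to any origin."""
    policy = parse_permissions_policy(value)
    findings: List[str] = []
    for feature in SENSITIVE_FEATURES:
        if feature not in policy:
            findings.append(f"{feature} not restricted")
        elif "*" in policy[feature]:
            findings.append(f"{feature} allowed for any origin")
    return findings


if __name__ == "__main__":
    # Constructed sample values, including the ones quoted in the post.
    print(check_hsts("max-age=31536000; includeSubDomains"))
    print(check_hsts("max-age=300"))
    print(check_referrer_policy("unsafe-url"))
    print(check_permissions_policy("camera=(), microphone=(), geolocation=()"))
```

On the values quoted in the post, the HSTS and Referrer-Policy checks come back clean and the Permissions-Policy check only notes that payment is not mentioned; a short `max-age=300` with no includeSubDomains, or a `Referrer-Policy: unsafe-url`, is reported as the weak configuration it is.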

Expect-CT

Expect-CT was supposed to ensure that certificates for your domain show up in Certificate Transparency logs, catching misissued or rogue certs.

Browsers have made this header redundant. Chrome dropped Expect-CT support entirely, and other browsers enforce Certificate Transparency by default now. mySites.guru still checks for it, but this one’s a footnote. Focus on the other seven.

How do you check your headers without an account?

If you want a quick standalone check, securityheaders.com is a good tool. We link to it throughout the mySites.guru snapshot checks too.

[Screenshot: securityheaders.com scan results showing header grades and recommendations]

Headers are one layer of defence. For file-level detection of existing compromises, the suspect content tool scans your entire webspace for malware, backdoors, and suspicious code patterns. Headers are one of over 140 things mySites.guru checks on each site, from file-level security audits to PHP config to SSL certificates. All visible from your dashboard.


Security headers are covered in our full agency security guide.

Frequently Asked Questions

Which HTTP security headers does mySites.guru check?

mySites.guru checks eight headers on every snapshot: Content-Security-Policy, Expect-CT (deprecated - browsers now enforce Certificate Transparency by default), Feature-Policy (flagged if present, since it's been replaced by Permissions-Policy), Permissions-Policy, Referrer-Policy, Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options.

How often does mySites.guru check my site's security headers?

Security header checks run as part of the site snapshot, which is taken twice a day automatically and can also be triggered on demand.

Will having correct security headers fully protect my site?

No - security headers are best practice and help defend against XSS and clickjacking, but no single header alone will prevent a compromise.
