Are your security headers properly configured?
HSTS, CSP, X-Frame-Options — security headers protect your website and your users. Compliso automatically checks whether they are present and correctly configured.
Why Security Headers Matter
Security headers are HTTP response headers that tell the browser how to behave. They are one of the simplest and most effective measures against common attacks like XSS, clickjacking, and man-in-the-middle.
Under Art. 32 GDPR, you are required to implement appropriate technical measures to protect personal data. Security headers are the absolute minimum. Yet they are missing on the majority of European websites.
78% of websites without CSP
53% without Referrer-Policy
1 min to fix it
What Compliso Checks
6 security checks — automatically with every scan.
Strict-Transport-Security (HSTS)
Severity: Critical
What it does
Tells the browser to use HTTPS only for this host for the stated period, so it never falls back to plain HTTP.
Risk without it
Without HSTS, attackers can intercept traffic via man-in-the-middle attacks. Particularly dangerous on public WiFi networks.
GDPR relevance
Art. 32 GDPR requires appropriate technical measures to protect personal data. Transport encryption is a baseline requirement.
Content-Security-Policy (CSP)
Severity: High
What it does
Defines which resources (scripts, styles, fonts) may be loaded from which sources.
Risk without it
Without CSP, attackers can inject malicious code (Cross-Site Scripting / XSS). XSS is the most common web application vulnerability according to OWASP.
GDPR relevance
A successful XSS attack can lead to theft of session cookies and personal data — a reportable data breach under Art. 33 GDPR.
X-Frame-Options
Severity: Medium
What it does
Prevents your website from being embedded in iframes on other sites.
Risk without it
Without this header, attackers can perform clickjacking attacks: users click on invisible elements of your website overlaid on a fake page.
GDPR relevance
Clickjacking can be used to manipulate consent decisions or trigger form submissions.
X-Content-Type-Options
Severity: Medium
What it does
Prevents browsers from guessing the MIME type of a response instead of trusting the declared Content-Type (MIME sniffing).
Risk without it
Without this header, a browser may treat a file that was served as an image as JavaScript and execute it.
GDPR relevance
Another attack vector that, combined with other vulnerabilities, can lead to data exfiltration.
Referrer-Policy
Severity: Medium
What it does
Controls how much of the current URL is sent in the Referer header when the browser requests other sites.
Risk without it
Without a Referrer-Policy, URLs with sensitive parameters (e.g. tokens, session IDs) can be leaked to third parties.
GDPR relevance
URLs can contain personal data. Sharing them with third parties without a legal basis is a GDPR violation.
Mixed Content Detection
Severity: High
What it does
Checks whether HTTPS pages load unencrypted HTTP resources.
Risk without it
Mixed content undermines HTTPS encryption. Images, scripts, or stylesheets loaded over HTTP can be manipulated in transit, and a manipulated script runs with the full privileges of your page.
GDPR relevance
When tracking pixels or forms are loaded over HTTP, personal data is transmitted unencrypted.
Implementation Is Simple
Compliso scans your website
The scanner sends an HTTP request and automatically analyzes all response headers.
You receive concrete recommendations
For each missing header, you get an explanation and the recommended configuration.
Set headers (1 line per header)
In Apache, Nginx, or your hosting panel: each header is a single configuration line.
Next scan confirms the fix
During the next automated scan, Compliso verifies that the headers are correctly set.
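As an added example, not Compliso's own code, the following Python script shows what the six checks listed above and the scan-then-recommend steps amount to in practice: it reads a constructed set of response headers and a constructed HTML body, rates each of the five headers as ok, weak, or missing, lists resources that an HTTPS page still loads over plain HTTP, and emits the Nginx add_header lines that would fix the findings. The recommended values, the one-year HSTS threshold, and the sample data are assumptions chosen for this example; a real Content-Security-Policy in particular must be tailored to the sources your site actually uses.

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",  # present, but only one day
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "unsafe-url",               # present, but leaks full URLs
}

# Constructed sample page body with two resources still loaded over plain HTTP.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
</head><body>
<img src="https://cdn.example.test/logo.png">
<script src="http://cdn.example.test/app.js"></script>
</body></html>"""

# Assumed baseline values used for the "recommended configuration" output.
# Severity labels follow the page; the values are a conservative starting point.
RECOMMENDED = {
    "Strict-Transport-Security": ("Critical", "max-age=31536000; includeSubDomains"),
    "Content-Security-Policy":   ("High",     "default-src 'self'"),
    "X-Frame-Options":           ("Medium",   "DENY"),
    "X-Content-Type-Options":    ("Medium",   "nosniff"),
    "Referrer-Policy":           ("Medium",   "strict-origin-when-cross-origin"),
}

HSTS_MIN_AGE = 31536000  # assumed threshold: one year


def _weak(name, value):
    """True if the header is present but its value does not deliver the protection."""
    v = value.strip()
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", v, re.I)
        return m is None or int(m.group(1)) < HSTS_MIN_AGE
    if name == "X-Content-Type-Options":
        return v.lower() != "nosniff"
    if name == "X-Frame-Options":
        return v.upper() not in ("DENY", "SAMEORIGIN")
    if name == "Referrer-Policy":
        return v.lower() == "unsafe-url"  # sends the full URL to every destination
    return False


def check_headers(headers):
    """Return one finding per header: {'header', 'severity', 'status', 'recommended'}."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, (severity, recommended) in RECOMMENDED.items():
        value = lower.get(name.lower())
        if value is None:
            status = "missing"
        elif _weak(name, value):
            status = "weak"
        else:
            status = "ok"
        findings.append({"header": name, "severity": severity,
                         "status": status, "recommended": recommended})
    return findings


# src/href attributes that point at a plain http:// URL (the mixed-content check).
MIXED_RE = re.compile(r"""\b(?:src|href)\s*=\s*["'](http://[^"']+)["']""", re.I)


def find_mixed_content(html):
    """Return the http:// resource URLs referenced from the (assumed HTTPS) page."""
    return MIXED_RE.findall(html)


def nginx_fix(findings):
    """One Nginx add_header line per missing or weak header: the recommended configuration."""
    return [f'add_header {f["header"]} "{f["recommended"]}" always;'
            for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    findings = check_headers(SAMPLE_HEADERS)
    for f in findings:
        print(f'{f["severity"]:9} {f["header"]:26} {f["status"]}')
    for url in find_mixed_content(SAMPLE_HTML):
        print("mixed content:", url)
    print("\n".join(nginx_fix(findings)))
```

The `always` parameter on add_header matters in Nginx: without it the header is only added to 2xx and 3xx responses, so error pages would go out unprotected. In Apache the equivalent is one `Header always set` line per header.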
Security check in seconds
Find out which security headers your website is missing — and how to set them up in minutes.