Security
Website security headers explained
HSTS, CSP and the headers that improve trust, SEO and protection against common attacks.
Need help with this? Talk to our Cyber Security team
Start with the basics
At minimum, serve your site over HTTPS with HSTS, X-Content-Type-Options, X-Frame-Options and Referrer-Policy. These reduce clickjacking, MIME sniffing and accidental HTTP downgrade issues.
Check what you already have
Use the site check and security scan tools to see which headers are present and which are missing. Hosting panels and CDNs often add some automatically, but not all.
Improve over time
Content-Security-Policy is the most powerful header but needs tuning for analytics, fonts and embeds. Add it carefully in report-only mode first if your site uses third-party scripts.
Related service
This is part of our Cyber Security service for Melbourne businesses.
Try it now
Run the related tools
Need a hand?
Run the tools. Then talk to us.
Use our free diagnostics to see what is wrong, then get Melbourne IT support for the fix.
Keep reading
More guides

Cyber insurance requirements for Australian SMBs
What Australian small businesses are typically asked before cyber insurance is approved — MFA, backups, email security — and how to prepare without panic.
- Why insurers ask technical questions
- Controls insurers commonly expect

MFA for business teams
Why every account needs a second factor — and how to roll it out without locking staff out on Monday morning.
- Passwords are not enough
- Choose the right methods