What Are HTTP Response Headers?
Every time a browser requests a page, the server responds with the content and a set of HTTP headers — key-value pairs that tell browsers and search engine crawlers how to handle the response. Headers affect SEO, security, and performance in ways invisible to end users but critical to how Google treats your site.
Security Headers You Should Have
- Strict-Transport-Security (HSTS) — Forces HTTPS even if a user types http://. Google treats HTTPS as a ranking signal.
- Content-Security-Policy (CSP) — Restricts which scripts, styles, and resources can load. Prevents XSS attacks.
- X-Frame-Options — Prevents your page from being embedded in iframes on other domains, blocking clickjacking.
- X-Content-Type-Options — Prevents MIME confusion attacks.
- Referrer-Policy — Controls how much referrer information is passed when linking to external sites.
- Permissions-Policy — Restricts browser API access (camera, microphone, geolocation) for your page.
Headers That Affect SEO & Performance
- Cache-Control — max-age=31536000 for static assets dramatically reduces load time for repeat visitors.
- Content-Type — Must be set to text/html; charset=UTF-8 for Google to parse your page correctly.
- ETag / Last-Modified — Conditional caching headers let browsers revalidate cached content efficiently.
- Server — Consider masking this (e.g. removing nginx/Apache version info) for security.
- CF-Cache-Status — Shows whether Cloudflare CDN served the response from cache.
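The two lists above can be turned into an automated check. The following is an added example, not code from the original page: it audits a raw header block for the six security headers, flags weak values, and notes a Server header that reveals a version. The sample headers are constructed, and the 180-day HSTS threshold and the audit function name are assumptions of this example.

```python
import re
from email.parser import Parser

# Constructed sample response headers (not captured from a real site).
SAMPLE = """\
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOW-FROM https://example.com
Referrer-Policy: strict-origin-when-cross-origin
Server: nginx/1.24.0
"""

# The security headers listed on this page.
REQUIRED = ["Strict-Transport-Security", "Content-Security-Policy",
            "X-Frame-Options", "X-Content-Type-Options",
            "Referrer-Policy", "Permissions-Policy"]

MIN_HSTS_AGE = 15552000  # assumed threshold for this example: 180 days


def audit(raw_headers):
    """Return a sorted list of findings for a raw header block."""
    # The email parser gives case-insensitive header lookup.
    h = Parser().parsestr(raw_headers, headersonly=True)
    findings = [f"missing: {name}" for name in REQUIRED if h[name] is None]

    hsts = h["Strict-Transport-Security"]
    if hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("weak: Strict-Transport-Security max-age too short")

    xcto = h["X-Content-Type-Options"]
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options is not nosniff")

    # ALLOW-FROM is obsolete and ignored by current browsers.
    xfo = h["X-Frame-Options"]
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: X-Frame-Options is not DENY or SAMEORIGIN")

    server = h["Server"]
    if server is not None and re.search(r"/\d", server):
        findings.append("info: Server header discloses a version")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a live site, save the header block of one response to a file and pass its contents to audit().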