HTTP Response Headers Every Ecommerce Store Should Configure
A practical guide to HTTP response headers that improve security, caching performance, and SEO for ecommerce stores — with specific recommendations for Shopify, WooCommerce, and custom setups.
HTTP response headers are metadata that servers send back with every web response. They tell browsers how to handle the content: whether to cache it, how long to keep it, which security policies apply, and how to handle HTTPS. Most ecommerce stores have incomplete or misconfigured headers. This isn't just a security issue — caching headers directly affect performance and Google's crawl efficiency.
Security Headers That Matter
Strict-Transport-Security (HSTS)
Tells browsers to always use HTTPS for your domain, even if a user types http://. Without it, a user clicking a saved HTTP bookmark or following an HTTP link first makes a plaintext request and receives a redirect; that unencrypted hop is what could theoretically be intercepted.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Shopify sets this automatically. WooCommerce stores need to configure it at the server level (nginx/Apache/Cloudflare).
Content-Security-Policy (CSP)
Defines which origins can load scripts, styles, images, and other resources on your page. Helps prevent cross-site scripting (XSS) attacks by blocking injected scripts from unauthorized origins.
CSP is the most complex header to configure because it requires knowing every third-party origin your store loads. A strict starting point for stores using common marketing tools:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' *.google-analytics.com *.googletagmanager.com *.facebook.net cdn.klaviyo.com; img-src 'self' data: *; connect-src 'self' *.google-analytics.com *.facebook.com
Use report-only mode first (Content-Security-Policy-Report-Only) to identify what you'd break before enforcing it. Note that 'unsafe-inline' in script-src lets any injected inline script run; once your theme supports it, replace it with nonces or hashes so that only scripts you emitted are allowed.
X-Content-Type-Options
Prevents MIME-type sniffing attacks, where a browser ignores the declared Content-Type, guesses the type from the bytes, and can end up executing a file uploaded as something innocuous (an image, say) as script.
X-Content-Type-Options: nosniff
Simple, no downside, should be on every store.
X-Frame-Options
Prevents your store from being embedded in iframes on other sites — the vector for clickjacking attacks where users are tricked into clicking UI elements they can't see.
X-Frame-Options: SAMEORIGIN
If you frame your own pages yourself (embedded widgets, payment iframes), use SAMEORIGIN instead of DENY; DENY blocks framing even from your own origin.
Referrer-Policy
Controls how much referrer information is sent when users navigate from your site to another. Important for privacy and for preventing internal URL structures from leaking to third parties.
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Controls which browser features the page can access: camera, microphone, geolocation, payment APIs. Restricting this protects users from third-party scripts requesting unnecessary permissions.
Permissions-Policy: camera=(), microphone=(), geolocation=()
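As an added example (not part of the original article or of StoreVitals' tooling), a small Python audit of the six headers above: it reports coverage as a percentage and flags the weak values a checker should catch (short HSTS lifetime, 'unsafe-inline' in script-src, report-only CSP, unsupported X-Frame-Options values). The sample headers are constructed.

```python
import re

# The six security headers the article covers, in its order.
SECURITY_HEADERS = (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options",
    "X-Frame-Options", "Referrer-Policy", "Permissions-Policy",
)


def audit_security_headers(headers):
    """headers: response header name -> value (names matched case-insensitively).
    Returns (coverage_percent, findings): how many of the six are set, plus weak values."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    present, findings = 0, []
    for name in SECURITY_HEADERS:
        value = h.get(name.lower())
        if value is None:
            # A report-only CSP is a step toward enforcement, but it blocks nothing.
            if name == "Content-Security-Policy" and "content-security-policy-report-only" in h:
                findings.append("CSP is report-only: violations are reported, nothing is blocked")
            else:
                findings.append(f"missing {name}")
            continue
        present += 1
        if name == "Strict-Transport-Security":
            m = re.search(r"max-age=(\d+)", value)
            if not m or int(m.group(1)) < 31536000:
                findings.append("HSTS max-age below one year (31536000)")
            if "includesubdomains" not in value.lower():
                findings.append("HSTS lacks includeSubDomains")
        elif name == "Content-Security-Policy":
            # Only the script-src directive matters for the inline-script check.
            script_src = next((d for d in value.split(";") if d.strip().startswith("script-src")), "")
            if "'unsafe-inline'" in script_src:
                findings.append("CSP script-src allows 'unsafe-inline'; use nonces or hashes instead")
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            findings.append("X-Content-Type-Options should be nosniff")
        elif name == "X-Frame-Options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append("X-Frame-Options must be DENY or SAMEORIGIN")
    return round(100 * present / len(SECURITY_HEADERS)), findings


# Constructed sample response headers, not captured from any real store.
SAMPLE = {
    "Strict-Transport-Security": "max-age=2592000",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.test",
}
```

Running audit_security_headers(SAMPLE) returns 67% coverage with six findings; feed it the header dict from any HTTP client to audit a live response.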
Performance Headers
Cache-Control
The most impactful performance header. Tells browsers and CDNs how long to cache a resource.
- Static assets (images, CSS, JS with content-hashed filenames): max-age=31536000, immutable — cached for a year, never re-fetched unless the URL changes
- HTML pages: no-cache or max-age=0, must-revalidate — always validate freshness before serving from cache
- Product pages with inventory: max-age=300, s-maxage=3600 — 5 minutes in browser, 1 hour on CDN with backend revalidation
ETag and Last-Modified
Conditional caching headers. ETag is a version identifier; Last-Modified is a timestamp. When a browser has a cached version and needs to revalidate, it sends the ETag (in If-None-Match) or the Last-Modified value (in If-Modified-Since) and the server responds with either 304 Not Modified (serve from cache) or a fresh copy. This makes revalidation cheap for unchanged content: one round trip, but no response body.
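The exchange described above, as an added Python example written for this article (not code from any store platform): the origin computes both validators, and a revalidation request carrying If-None-Match or If-Modified-Since gets a bodiless 304 when nothing changed. The body and timestamp are constructed.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime


def make_etag(body):
    """Strong ETag derived from the bytes: identical content always yields the same tag."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def respond(request_headers, body, last_modified_ts):
    """Return (status, response_headers, body) for a GET of a resource whose current
    content is `body` and whose last change was at POSIX time `last_modified_ts`."""
    etag = make_etag(body)
    validators = {"ETag": etag, "Last-Modified": formatdate(last_modified_ts, usegmt=True)}
    req = {k.lower(): v for k, v in request_headers.items()}

    inm = req.get("if-none-match")
    if inm is not None:
        # RFC 9110: when If-None-Match is present, If-Modified-Since is ignored.
        tags = [t.strip() for t in inm.split(",")]
        if "*" in tags or etag in tags:
            return 304, validators, b""  # client's copy is current: no body sent
        return 200, validators, body      # client's tag is stale: send a fresh copy

    ims = req.get("if-modified-since")
    if ims is not None:
        try:
            # HTTP dates have one-second precision, so compare whole seconds.
            if int(last_modified_ts) <= int(parsedate_to_datetime(ims).timestamp()):
                return 304, validators, b""
        except (TypeError, ValueError):
            pass  # unparseable date: treat the request as unconditional
    return 200, validators, body
```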
Vary
Tells CDNs which request headers affect the response. Vary: Accept-Encoding means the CDN stores separate cached versions for gzip and Brotli (br) compressed responses, keyed by the client's Accept-Encoding. Essential for CDNs to serve correct compressed versions to different clients.
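An added example (not from the original article) that models both the Cache-Control values in the list above and Vary from a CDN's point of view: s-maxage overrides max-age for shared caches while browsers use max-age only, no-cache stores but always revalidates, private and no-store are never kept by a CDN, and Vary splits one URL into per-encoding cache entries. The URLs and header values are constructed, and the clock is passed in so the model is deterministic.

```python
def parse_cache_control(value):
    """'max-age=300, s-maxage=3600' -> {'max-age': '300', 's-maxage': '3600'}; bare flags map to None."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            out[name] = arg.strip('"') or None
    return out


def freshness_ttl(cache_control, shared):
    """Seconds a cache may serve the response without revalidating, or None for 'do not store'.
    shared=True models a CDN (s-maxage overrides max-age); shared=False a browser (max-age only)."""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc or (shared and "private" in cc):
        return None
    if "no-cache" in cc:
        return 0  # storable, but every use must be revalidated with the origin first
    if shared and "s-maxage" in cc:
        return int(cc["s-maxage"])
    return int(cc.get("max-age") or 0)


def cache_key(url, request_headers, vary):
    """Vary names the request headers that select among the stored variants of one URL."""
    req = {k.lower(): v for k, v in request_headers.items()}
    names = sorted(v.strip().lower() for v in vary.split(",") if v.strip())
    return (url,) + tuple((n, req.get(n, "")) for n in names)


class SharedCache:
    """Minimal CDN cache: one entry per (URL, varied request headers), expiring by the shared TTL.
    'now' is a caller-supplied clock in seconds so the model is deterministic."""

    def __init__(self):
        self._entries, self._vary = {}, {}

    def store(self, url, request_headers, response_headers, body, now):
        ttl = freshness_ttl(response_headers.get("Cache-Control", ""), shared=True)
        if ttl is None:
            return False  # no-store / private: a CDN must not keep this response
        self._vary[url] = response_headers.get("Vary", "")  # remembered for later lookups
        self._entries[cache_key(url, request_headers, self._vary[url])] = (now + ttl, body)
        return True

    def lookup(self, url, request_headers, now):
        """Body of a fresh matching variant, else None (miss or stale: go to the origin)."""
        entry = self._entries.get(cache_key(url, request_headers, self._vary.get(url, "")))
        if entry is None or now >= entry[0]:
            return None
        return entry[1]
```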
Content-Encoding
Confirm your server is serving compressed responses. Check for Content-Encoding: gzip or Content-Encoding: br (Brotli). Brotli is 15-25% more efficient than gzip. Most modern CDNs (Cloudflare, Vercel, Netlify) enable both automatically.
How to Check Your Headers
Use StoreVitals' free HTTP Headers Inspector to see all headers returned by your store. It groups them by category (security, caching, content, server) and shows your security header coverage as a percentage.
Also check with StoreVitals' Security Headers Checker for a graded assessment of your security posture, with specific recommendations for missing headers.
Platform Notes
Shopify: Sets HSTS, X-Content-Type-Options, and basic security headers automatically. CSP is limited by theme complexity. Third-party app scripts make strict CSP difficult. Use Shopify's Content Security Policy nonce system in themes for custom scripts.
WooCommerce: Requires manual server configuration. Use Cloudflare to add headers via Transform Rules (free tier available). Or configure via .htaccess (Apache) or nginx.conf.
Vercel/Next.js: Configure headers in next.config.js under the headers() function.
A weekly StoreVitals scan monitors your security headers across your entire store. Theme updates and app installations can remove or override headers — weekly monitoring catches these regressions before they become security incidents.