Security Headers Every Ecommerce Store Needs (And How to Add Them)
Missing security headers leave your store exposed to clickjacking, XSS and MIME-sniffing attacks. Here's which headers matter, what each one actually prevents, and how to configure them.
Your ecommerce store handles sensitive data — customer names, email addresses, payment information. Yet most store owners focus on SSL certificates and forget about the security headers that protect against an entire class of attacks.
Security headers are instructions your web server sends to browsers along with each page. They tell browsers what they're allowed to do — and more importantly, what they're not allowed to do. Without them, your site is more vulnerable to attacks that can steal customer data.
The 6 Security Headers That Matter
1. Strict-Transport-Security (HSTS)
This header tells a browser that has seen it to use HTTPS for every later request to your site, for as long as max-age says. Without it, a user who types your domain without https:// or follows an old http:// link makes a plaintext request first, and an attacker on the same network can intercept that request and keep the user on HTTP for the whole session (SSL stripping). HSTS closes that window for returning visitors; preloading (below) extends the protection to first visits.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The max-age tells browsers to remember this rule for one year. includeSubDomains applies the rule to every subdomain, so check that each of them serves HTTPS before adding it, or you will lock customers out of any host that is still HTTP-only. The preload directive signals that you intend to submit the domain to the browser preload list at hstspreload.org, which protects visitors on their very first visit; the list requires a max-age of at least one year, includeSubDomains, and an HTTP-to-HTTPS redirect on the bare domain, and removal from it takes months, so add preload only once the whole domain is HTTPS-only.
2. Content-Security-Policy (CSP)
CSP is the most powerful security header. It controls exactly which origins your page may load resources from (scripts, styles, images, fonts, frames) and whether inline scripts may run at all. This is your primary browser-side defense against XSS: if an attacker manages to inject markup into a page, a policy without 'unsafe-inline' stops the injected inline script from executing and stops scripts from unlisted origins from loading. It mitigates XSS rather than fixing it, so the injection bug still needs patching.
Start with a report-only policy so you can see what would be blocked before anything actually is: send the same policy in a Content-Security-Policy-Report-Only header with a report-to or report-uri directive pointing at an endpoint you control, fix the violations that real traffic reports, and only then move the policy into the enforcing header:
Content-Security-Policy: default-src 'self'; script-src 'self' https://js.stripe.com; img-src 'self' data: https:;
Two caveats on this example. The https: source in img-src allows images from any HTTPS origin, which is usually acceptable for images but should never appear in script-src. And the policy has no frame-ancestors (clickjacking), base-uri (base tag injection) or object-src directive yet; add them as you tighten it, and check your payment provider's CSP documentation, since hosted payment scripts usually need frame-src and connect-src entries as well.
3. X-Content-Type-Options
This simple header stops browsers from MIME-sniffing, that is, guessing a response's content type from its bytes instead of trusting the Content-Type header. Without it, a file that a customer uploaded as an "image" but that actually contains script or HTML can be interpreted as such when it is served back, and a script tag pointing at it will run. With nosniff, the browser refuses to execute a script or apply a stylesheet whose declared type is wrong. It only helps if your server sends correct Content-Type headers in the first place.
X-Content-Type-Options: nosniff
4. X-Frame-Options
Prevents other sites from embedding your pages in an iframe. This protects against clickjacking, where an attacker loads your checkout or account page invisibly over their own page and tricks the user into clicking buttons they cannot see. DENY refuses framing by anyone, including your own domain; if your admin tools or theme preview frame the storefront, use SAMEORIGIN instead. The header only controls who may frame your site; it does not affect iframes your pages embed from a payment provider. Modern browsers prefer the CSP frame-ancestors directive, which does the same job with finer control, so send both until you are sure no old clients matter.
X-Frame-Options: DENY
5. Referrer-Policy
Controls how much of the current URL is sent in the Referer header when a visitor follows a link or a page loads a resource from another origin. Without it, full URLs, including query parameters such as order IDs or tracking tokens, can leak to third-party sites and to every analytics script those sites run. (Session tokens should never be in URLs at all; this header limits the damage, it does not make that practice safe.) strict-origin-when-cross-origin is the default in current browsers, but set it explicitly so older clients behave the same way.
Referrer-Policy: strict-origin-when-cross-origin
6. Permissions-Policy
Disables browser features your store does not use (camera, microphone, geolocation and so on). The value is a list of feature=(allowlist) pairs: an empty list () disables the feature everywhere, including on your own origin and in every iframe, while (self) keeps it for your origin only. This limits what third-party scripts and embedded widgets can do on your pages, which matters if you load analytics tools or chat widgets. Check your payment provider's documentation before disabling a feature it relies on, such as payment for the Payment Request API.
Permissions-Policy: camera=(), microphone=(), geolocation=()
How to Add Security Headers
On Cloudflare
Use a Response Header Transform Rule (or a Worker) to add the headers to every response that passes through Cloudflare. Cloudflare also has an HSTS toggle under SSL/TLS > Edge Certificates; enable it only once every host under the domain serves HTTPS, because browsers cache a wrong HSTS header for the full max-age.
On Vercel
Add a headers array to vercel.json, or a headers() function to next.config.js for Next.js projects. Either way the headers are attached at the edge, in front of your application code, so they apply to every path the source pattern matches, static assets included.
On Shopify
Shopify handles most security headers automatically. HSTS is enabled by default. You can add additional headers using a Cloudflare proxy in front of your custom domain.
On Apache (.htaccess)
Add Header directives to your .htaccess file (mod_headers must be enabled). The always keyword makes Apache send the header on error responses too, not only on 200s:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Add preload to the value only once the domain meets the preload list requirements described above.
On Nginx
Add add_header directives to your server block, with the always flag so they are also sent on 4xx and 5xx responses (by default nginx adds headers only to success and redirect responses). Beware of inheritance: a location block that contains any add_header of its own drops every add_header inherited from the server block, so such locations must repeat the full set, for example through an include file. Send HSTS only from the HTTPS server block; the HTTP block should do nothing but redirect.
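As an added example (not configuration from the original page), here is an nginx layout that sends all six headers and avoids the inheritance trap. The snippet path, the shop.example hostname and the /static/ location are assumptions for illustration.

```nginx
# --- /etc/nginx/snippets/security-headers.conf (hypothetical path) ---
# One file, included wherever headers are needed, so the set stays identical.
# 'always' makes nginx add the header on 4xx/5xx responses as well.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://js.stripe.com; img-src 'self' data: https:; base-uri 'self'; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# --- /etc/nginx/conf.d/shop.conf ---
server {
    # Plain HTTP: redirect only. No HSTS here; it is meaningless on HTTP
    # and the preload list requires this redirect anyway.
    listen 80;
    server_name shop.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name shop.example;
    ssl_certificate     /etc/ssl/shop.example/fullchain.pem;   # assumed paths
    ssl_certificate_key /etc/ssl/shop.example/privkey.pem;

    include snippets/security-headers.conf;

    location / {
        # No add_header of its own, so this location inherits the six above.
        try_files $uri $uri/ /index.html;
    }

    location /static/ {
        # This add_header discards everything inherited from the server block,
        # so the snippet must be included again or /static/ ships no headers.
        add_header Cache-Control "public, max-age=604800";
        include snippets/security-headers.conf;
    }
}
```

After reloading, request a static asset and an error page (for example a 404) and confirm both carry the full header set; those are the two responses a plain server-block configuration most often misses.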
Testing Your Headers
StoreVitals checks for all 6 security headers automatically during every scan. You'll see exactly which headers are missing and what to add.
For a quick manual check, visit securityheaders.com — it grades your site from A+ to F based on which headers are present.
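As an added example (not code from this article or from StoreVitals), the following Python script runs the check a practitioner would want for each of the six headers: not just presence, but an HSTS max-age of at least a year, preload paired with includeSubDomains, a nosniff value, a usable framing directive, a Referrer-Policy that does not leak full URLs, and a CSP that is enforced rather than report-only and whose script-src is not trivially bypassable. Because it parses the policy for 'unsafe-inline', wildcard sources and a missing base-uri, it serves the CSP section above as well as this one. The two header sets at the bottom are constructed for the example; the URL argument and the fetch helper are assumptions, not part of any scanner.

```python
"""Audit a set of HTTP response headers for the six headers discussed above.

Added example; runs offline on the constructed header sets below, or
fetches a live response when given a URL on the command line.
"""
import sys
import urllib.request

ONE_YEAR = 31536000


def parse_hsts(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def parse_csp(value):
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. HSTS: present, at least one year, preload only with includeSubDomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = parse_hsts(hsts)
        raw = d.get("max-age", "0")
        max_age = int(raw) if raw.isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is under one year")
        if "preload" in d and "includesubdomains" not in d:
            findings.append("HSTS: preload requires includeSubDomains")

    # 2. CSP: enforced (not only Report-Only) and script-src not bypassable
    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP: only Report-Only is set, nothing is enforced yet")
        else:
            findings.append("CSP: header missing")
    else:
        p = parse_csp(csp)
        script = p.get("script-src", p.get("default-src", []))
        if not script:
            findings.append("CSP: neither script-src nor default-src, scripts unrestricted")
        # Browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
        strict = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
        if "'unsafe-inline'" in script and not strict:
            findings.append("CSP: script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in script or "https:" in script or "http:" in script:
            findings.append("CSP: script-src allows scripts from any origin")
        if "object-src" not in p and "default-src" not in p:
            findings.append("CSP: no object-src and no default-src fallback")
        if "base-uri" not in p:  # base-uri does NOT fall back to default-src
            findings.append("CSP: no base-uri, an injected <base> tag can redirect relative script URLs")

    # 3. nosniff must be exactly that value
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    # 4. Framing: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors
    xfo = h.get("x-frame-options", "").strip().upper()
    has_frame_ancestors = csp is not None and "frame-ancestors" in parse_csp(csp)
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append("X-Frame-Options: missing or unsupported value (ALLOW-FROM is obsolete)")

    # 5. Referrer-Policy present and not a value that sends the full URL cross-origin
    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("Referrer-Policy: header missing")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy: '{rp}' sends the full URL to other sites")

    # 6. Permissions-Policy present
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: header missing")

    return findings


# Constructed header sets for offline use; not captured from any real site.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com; "
                               "img-src 'self' data: https:; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https:",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}


def fetch_headers(url):
    """GET the URL (GET, not HEAD: some CDNs answer HEAD differently) and return its headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    sample = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEADERS
    for finding in audit_headers(sample) or ["all six checks passed"]:
        print(finding)
```

Run it against the checkout page, a static asset and a deliberately wrong URL that returns 404: a header set that is present on the home page but missing on error or asset responses is the most common gap this finds.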
Don't Ignore Security
Security headers cost nothing beyond the time to configure and test them (CSP is the only one that needs a staged rollout), and they protect your customers from real attacks. If you're running an ecommerce store without them, you're leaving the door open for attackers. Scan your store to find out which headers you're missing.