Secure your business website

Beyond email, your website also needs a few basic security settings. Here are the main ones and what they do.

HTTPS and redirect

Your site must be served over HTTPS (the padlock in the address bar), and any http:// visit must be automatically redirected to the same page on https:// with a permanent (301) redirect, so that search engines and bookmarks pick up the secure address. Most hosts offer a free certificate (Let's Encrypt) in one click; make sure it renews automatically, because an expired certificate shows visitors a full-page warning.

HSTS — force HTTPS

The Strict-Transport-Security header tells the browser to use only HTTPS for your domain for the period it specifies (max-age, usually one year), even if someone types or clicks an http:// address. This stops an attacker on the same network from downgrading the connection to plain HTTP in order to read or alter it. Two caveats: browsers only honour the header when it arrives over HTTPS, and it protects a visitor only from their second visit onwards unless your domain is on the browsers' HSTS preload list.

CSP — restrict scripts

The Content-Security-Policy header tells the browser which origins it may load scripts and other resources from, so an attacker who manages to inject a <script> tag into one of your pages cannot get it to run (XSS). A policy that allows 'unsafe-inline' scripts gives most of that protection back. Deploy it first as Content-Security-Policy-Report-Only to see what it would block, then switch to the enforcing header.

Anti-clickjacking and anti-sniffing

X-Frame-Options: DENY prevents your site from being embedded in an invisible frame on another site, where visitors can be tricked into clicking your buttons (clickjacking); the CSP frame-ancestors directive does the same job in current browsers. X-Content-Type-Options: nosniff stops the browser from guessing a file's type from its content, which could otherwise let a non-script file (an upload, for example) be treated as a script.

These headers are added in your server or host configuration (Apache, Nginx, Cloudflare, etc.).
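As an added example (not the page's own free check), the Python script below parses a site's http:// and https:// responses and reports which of the four settings above are missing or weak. It runs over two constructed pairs of responses: a site that only installed a certificate, and one sending what the server configuration described here should send. The thresholds it applies (a one-year max-age with includeSubDomains, no 'unsafe-inline' or '*' script sources) are the checker's own assumptions, not values the page prescribes.

```python
# Added example: audit the headers this guide asks for (HTTPS redirect,
# HSTS, CSP, X-Frame-Options, X-Content-Type-Options). The sample
# responses at the bottom are constructed, not captured from a real site.
import re

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age (assumption)


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # repeated headers are joined the way browsers combine them
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def audit_http_redirect(status, headers):
    """The http:// response must be a permanent redirect to an https:// URL."""
    location = headers.get("location", "")
    if status in (301, 308) and location.startswith("https://"):
        return []
    return [f"http:// not permanently redirected to https:// (status {status}, Location={location!r})"]


def audit_https_headers(headers):
    """Check the https:// response; HSTS is only looked at here because browsers ignore it on http."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the browser will still accept http:// next time")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age too short: {hsts!r} (want at least {ONE_YEAR})")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains can still be downgraded")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: any injected <script> will run")
    else:
        # directive name -> allowed sources, e.g. {"script-src": ["'self'"]}
        directives = {p[0]: p[1:] for p in (d.split() for d in csp.split(";")) if p}
        # script-src falls back to default-src when absent, as browsers do
        scripts = directives.get("script-src", directives.get("default-src", []))
        if not scripts:
            findings.append("CSP has no script-src or default-src: scripts are unrestricted")
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append(f"CSP script sources too loose: {' '.join(scripts)}")

    # X-Frame-Options or CSP frame-ancestors: either one stops the site being framed
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        findings.append("no anti-clickjacking header: add X-Frame-Options: DENY or CSP frame-ancestors")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: files may be sniffed into scripts")
    return findings


def audit_site(http_raw, https_raw):
    """Combined findings for a site's http:// and https:// responses (empty list = all good)."""
    status, headers = parse_response(http_raw)
    findings = audit_http_redirect(status, headers)
    return findings + audit_https_headers(parse_response(https_raw)[1])


# Constructed sample: a site that installed a certificate and stopped there.
WEAK_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html
"""
WEAK_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'
"""

# Constructed sample: what the server configuration described above should send.
HARDENED_HTTP = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
"""
HARDENED_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""
```

Calling audit_site(WEAK_HTTP, WEAK_HTTPS) returns six findings (no redirect, short HSTS without includeSubDomains, inline scripts allowed, no framing protection, no nosniff); audit_site(HARDENED_HTTP, HARDENED_HTTPS) returns an empty list. To check a live site, paste the output of a HEAD request for http:// and https:// into the two arguments; the checker deliberately reads raw response text so it works offline on saved headers.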

Check your setup for free

Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.

Run the free check
See also: the SPF, DKIM, DMARC guide, Microsoft 365, Google Workspace, securing your website.