Guide

5 security headers every Nigerian business website needs

April 2026 | 7 min read

Your website talks to browsers every time someone visits. Along with the page content, it sends invisible instructions called HTTP headers. These headers tell the browser how to handle your site securely.

Most Nigerian business websites send none of these security headers. That means the browser has to guess, and it usually guesses wrong. Here are the 5 headers you need and why each one matters.

1. Content-Security-Policy (CSP)
Stops hackers from injecting malicious scripts
Without CSP, any script can run on your page. An attacker who finds a way to inject JavaScript can steal form data, redirect customers to fake pages, or install malware. CSP tells the browser: "Only run scripts from sources I explicitly trust."
Content-Security-Policy: default-src 'self'; script-src 'self'

CSP is the most important security header. It is also the one that is missing from 96% of Nigerian business websites we scanned.

2. Strict-Transport-Security (HSTS)
Forces encrypted connections
HSTS tells browsers: "Always use HTTPS, never HTTP." Without it, someone on the same Wi-Fi network (a coffee shop, a co-working space, a hotel) could intercept your customers' traffic. Once a browser has seen the header it refuses plain HTTP for your site outright, so downgrade attacks no longer work; the preload directive in the example below extends that protection to a customer's very first visit.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Having an SSL certificate is not enough. HSTS makes sure the browser always uses it, even if someone types "http://" instead of "https://".

3. X-Frame-Options
Prevents clickjacking attacks
Without this header, an attacker can embed your website inside a transparent frame on their own page. The victim thinks they are clicking buttons on the attacker's site, but they are actually clicking on yours. This is how people get tricked into making payments or changing account settings.
X-Frame-Options: DENY

4. X-Content-Type-Options
Prevents file type confusion
Browsers sometimes try to "guess" what type of file they are receiving. An attacker can upload a file that looks like an image but is actually a script. This header tells the browser: "Don't guess. Use the file type I told you."
X-Content-Type-Options: nosniff

5. Permissions-Policy
Blocks access to camera, microphone, and location
By default, any script on your page can request access to your visitors' camera, microphone, and GPS location. A malicious script injected into your page could silently activate these. Permissions-Policy shuts them off unless you explicitly need them.
Permissions-Policy: camera=(), microphone=(), geolocation=()

How to add these headers

The exact method depends on your hosting setup:

It takes about 30 minutes for a developer to add all 5. The difference between an F-grade site and an A-grade site is usually just these headers.
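Before and after your developer makes the change, it helps to audit the five headers the way a scanner would. The checker below is an added example, not Securva's scanner or code from this article; it assumes you already have the response headers as a dictionary (for instance copied from `curl -I https://your-site` output), and the two sample responses in it are constructed, not taken from any real site.

```python
"""Offline audit of the five response headers covered above (sample data is constructed)."""
from typing import Dict, List


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means all five checks pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    # 1. CSP: script-src (falling back to default-src) must exist and stay restrictive
    csp: Dict[str, List[str]] = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("CSP missing or sets neither script-src nor default-src")
    elif "'unsafe-inline'" in script_src or "*" in script_src:
        findings.append("CSP still lets inline or any-origin scripts run")
    # 2. HSTS: max-age of at least one year (the article's value) plus subdomain coverage
    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(p[8:]) for p in hsts if p.startswith("max-age=") and p[8:].isdigit()), 0)
    if max_age < 31536000:
        findings.append("HSTS missing or max-age below one year")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS does not cover subdomains")
    # 3. X-Frame-Options: DENY (the article's value) or SAMEORIGIN both stop third-party framing
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    # 4. nosniff is the only meaningful value for this header
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # 5. each sensitive feature needs an empty allowlist, written feature=()
    policy = h.get("permissions-policy", "").replace(" ", "").lower()
    for feature in ("camera", "microphone", "geolocation"):
        if f"{feature}=()" not in policy:
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings


# Constructed sample responses (not captured from any real site)
HARDENED = {  # the five values exactly as the article recommends them
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {"Content-Type": "text/html", "strict-transport-security": "max-age=300"}

print(audit_headers(WEAK))  # lists every check the weak sample fails
```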

Check your website now

Find out which headers you are missing. Free, instant scan.

Scan on Securva

If you need help adding these headers, reach out to Pejji. Every site we build includes all 5 headers from day one.