What Are Security Headers and Why Does My Website Score Zero?

If you've just run a website audit and seen a score of 0 out of 100 for security headers, you're not alone. It's the most common failing score we see across every website we audit at AuditMy.co.uk — and the good news is it's almost always fixable without touching a single line of your website's content.

What are security headers?

Security headers are invisible instructions your web server sends to visitors' browsers every time someone loads your website. They tell the browser how to handle your content safely — which scripts are allowed to run, whether your site can be embedded in another page, and whether to always use an encrypted connection.

Your visitors never see them. But browsers, Google, and anyone running a security check on your site absolutely do.

Think of them like this: Security headers are the safety instructions a building gives to visitors before they enter — most people never read them, but they're there to protect everyone if something goes wrong.

Why does my site score zero?

A score of zero means none of the six standard security headers are present on your website. This is more common than you'd think — most website builders, WordPress themes, and hosting providers don't add these by default.

It doesn't mean your site has been hacked or compromised. It just means the protective instructions aren't there yet.

The six missing headers that cause a zero score are:

1 Content-Security-Policy

Tells browsers which sources of scripts, images, and fonts are allowed to load on your pages. Without it, there's no browser-level barrier against malicious code being injected into your site.

2 Strict-Transport-Security

Instructs browsers to always connect to your site using the secure HTTPS connection, even if someone types your address without it. Your site might already use HTTPS, but without this header that protection can be bypassed under certain conditions.

3 X-Frame-Options

Stops your site from being secretly embedded inside another website in a hidden frame — a technique used in clickjacking attacks, where visitors are tricked into clicking things they didn't intend to click.

4 X-Content-Type-Options

Prevents browsers from guessing what type of file they're loading. Without it, a browser might misinterpret a file and execute something it shouldn't.

5 Referrer-Policy

Controls how much information about your site is shared with other websites when a visitor clicks an external link. Without it, more data than necessary may be passed to third parties.

6 Permissions-Policy

Lets you restrict whether browser features like the camera, microphone, or location services can be activated on your pages — even if your site never uses them.

Does a zero score mean my site has been hacked?

No. A zero score for security headers means the protective instructions aren't in place, not that anything has gone wrong yet. Think of it like a car without a seatbelt — it doesn't mean you've been in a crash, it means you're less protected if one happens.

That said, it's worth fixing. Security-conscious customers, business clients, and Google all look at these signals when deciding whether to trust your site.

How do I fix it?

The fix depends on how your site is built.

WordPress

If you're on WordPress

Install a reputable security plugin such as Solid Security (formerly iThemes Security) or Wordfence. Both have free tiers and include a security headers feature that lets you enable all six headers with a single toggle. No coding required.

Alternatively, if your site runs through Cloudflare (many do), you can add security headers directly from your Cloudflare dashboard under the Transform Rules section.

Developer

If you have a developer

Ask them to add the headers at the server level — either in your Apache .htaccess file or your Nginx server configuration. This is the most robust approach and takes an experienced developer around 30 minutes.

How do I verify it's worked?

Once the headers have been added, visit securityheaders.com and enter your website address. You should see a green grade of A or B.

If you're still seeing red, share the results with your developer and they'll be able to see exactly which headers are still missing.

Or run a full audit: AuditMy checks your security headers alongside your SSL, DNS, SEO, and performance in one go — and gives you a plain-English PDF report explaining what's missing and exactly how to fix it.

Will fixing security headers improve my Google ranking?

Not directly — Google doesn't use security headers as a direct ranking factor. But there are indirect benefits:

A higher overall audit score signals a better maintained, more trustworthy site
Security-conscious business clients who check your site before hiring you will see a passing grade instead of a zero
Some security headers (particularly HSTS) reinforce your HTTPS setup, which Google does factor into rankings

The biggest reason to fix them is customer trust, not SEO — but the two are closely linked for local service businesses.

What are security headers and why does my website score zero?