Netlify Security Guide

Does Netlify add security headers?

Netlify does not add security headers automatically. You must configure them manually through a _headers file or netlify.toml configuration. Without explicit configuration, your Netlify site will be missing Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy headers. These missing headers leave your site vulnerable to XSS attacks, clickjacking, and MIME-type sniffing. Many developers deploying to Netlify skip this step entirely. UNPWNED scans your Netlify deployment and reports exactly which security headers are missing with ready-to-use configuration snippets.
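As an added example (not code from the page or from Netlify itself), the netlify.toml `[[headers]]` block below sets the five headers named above for every path of a site. The header values, in particular the Content-Security-Policy directives, are assumptions for a static site that serves its own scripts and must be adjusted to what the site actually loads.

```toml
# Added example: one [[headers]] rule applied to every path ("/*").
# Values are assumed starting points for a self-contained static site.
[[headers]]
  for = "/*"
  [headers.values]
    # Restrict scripts, objects and framing; loosen per-source only where a site needs it.
    Content-Security-Policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    # Prevents the site from being framed (clickjacking) in browsers that predate CSP frame-ancestors.
    X-Frame-Options = "DENY"
    # Stops browsers from guessing a different MIME type than the one served.
    X-Content-Type-Options = "nosniff"
    # Sends only the origin to cross-origin destinations, and nothing on HTTPS-to-HTTP downgrades.
    Referrer-Policy = "strict-origin-when-cross-origin"
    # Denies browser features the site does not use.
    Permissions-Policy = "camera=(), microphone=(), geolocation=()"
```

After deploying, confirm the headers are actually served with `curl -sI https://<your-site>` and check each one appears in the response.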


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.