
How to Improve the Security of Your Netlify Site

by @spekulatius


Building side-projects and learning new stuff every day.

Recently I've rebuilt my blog using Eleventy and Netlify. Being an engineer, I like to enhance and improve my websites. Sometimes I submit my websites to services that check them to identify new areas of improvement. Examples are broken-link crawlers, which find links that no longer work, and a service that checks the HTTP headers for potential security enhancements or issues.

The initial security assessment of my Netlify site

As many times before, I submitted one of my websites for a check of its security-relevant HTTP headers. The result came back quickly and showed there is potential to improve the headers: only a Grade D according to Scott Helme's site.

Easy to improve with Netlify's _headers file

Netlify's outstanding developer experience makes it very easy to tweak the headers. Netlify allows you to set additional headers in a file called "_headers". This file should live in your "Publish directory", which is often called "public/", "dist/" or "_site". If you are unsure, you can check it in the Netlify admin panel of your site under "Build & Deploy".

The headers file allows you to define headers for different URLs (for example "/contact") or URL segments (for example "/*" for all URLs) of your site. In my case it's very simple, as I want to apply the headers to all pages (URLs):

/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: no-referrer
  X-Content-Type-Options: nosniff

`_headers` file example

With these headers I get a significantly improved result and a "Grade A":

Securityheaders result of my website after tweaking _headers

Adding the headers file to your git repository, pushing it up and deploying shouldn't take more than five minutes, and it improves the security of your website. I would think these are well-invested minutes.
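A check that could run before each deploy, as an added example that is not part of the original post: it parses a `_headers` file, reports which of the four headers above are missing or different for "/*", and flags header lines that have no path line above them. The function names and both sample files are assumptions constructed for illustration.

```python
# Added example (not from the original post): lint a Netlify _headers file.
EXPECTED = {  # the four headers the article applies to every URL
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "no-referrer",
    "x-content-type-options": "nosniff",
}
# Constructed sample files, embedded so the script runs offline.
GOOD = """/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: no-referrer
  X-Content-Type-Options: nosniff
"""
BAD = """  X-Frame-Options: DENY
/*
  Referrer-Policy: origin
  X-Content-Type-Options: nosniff
"""

def parse_headers_file(text):
    """Return ({path: {lowercased header name: value}}, [orphan lines])."""
    rules, orphans, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t":  # indented line: a header for the current path
            name, sep, value = line.partition(":")
            if current is None or not sep:
                orphans.append(line)  # no path above it, or not "Name: value"
            else:
                rules[current][name.strip().lower()] = value.strip()
        else:  # unindented line: starts a new path rule
            current = line
            rules.setdefault(current, {})
    return rules, orphans

def check(text, path="/*"):
    rules, orphans = parse_headers_file(text)
    applied = rules.get(path, {})
    problems = [f"orphan line (no path above it): {o}" for o in orphans]
    for name, want in EXPECTED.items():
        got = applied.get(name)
        if got is None:
            problems.append(f"{path}: missing {name}")
        elif got != want:
            problems.append(f"{path}: {name} is {got!r}, expected {want!r}")
    return problems
```

`check()` returns an empty list when the file is fine, so a build step can fail on any non-empty result. It only reads the file in the publish directory; the headers the deployed site actually sends still need a scan of the live site.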

About the Author

Hey, I'm Peter Thaleikis - a nomad developer turned indie hacker. I'm running a small dev-shop called bring your own ideas. If I'm not deep diving into client code I'm building side-projects such as the SEO Tool Extension and Startup Name Check. I'm always happy to hear from you: Twitter or via my contact form.

Previously published at

