WarDek is a complete compliance suite that combines an OWASP vulnerability scanner with NIS2, AI Act and GDPR compliance modules, specially designed for European SMEs.

Is my company subject to NIS2?

The NIS2 directive applies to essential and important entities in sectors such as energy, healthcare, transport, digital, etc. Use our free simulator to check.

How should I use WarDek reports in an audit?

WarDek reports provide a practical working base for your team, auditor, or compliance preparation. They are not an official certification or legal opinion.

How long does a scan take?

A complete OWASP scan typically takes between 2 and 5 minutes depending on the complexity of your website.

Absolutely. We never store your credentials. Reports are encrypted and you can delete them at any time. We are hosted in France.

Can I try before I buy?

Yes! The Free plan lets you test WarDek with 3 scans per month, no credit card required.

Which security header should I deploy first?

Start with the safest baseline: X-Content-Type-Options, a deliberate Referrer-Policy, secure cookie flags, and a staged CSP rollout. HSTS is powerful but should only be enforced once HTTPS is stable everywhere you need it.

Can a strong CSP replace application security testing?

No. CSP reduces browser-side execution risk, but it does not replace code review, dependency hygiene, DAST, authentication checks, or remediation workflows.

Should SMEs care about Permissions-Policy?

Yes. Even simple websites benefit from explicitly disabling browser capabilities they do not use. It is a low-cost way to reduce unnecessary exposure.

How often should headers be rechecked?

Recheck them after deployments, when third-party scripts change, and on a recurring monitoring schedule. Header posture drifts quietly over time if nobody owns it.

Security Headers Checklist — Production Baseline for SMEs

Why security headers still matter

Security headers are one of the rare hardening controls that improve your baseline immediately without rewriting your product. They tell the browser how to treat your pages, your cookies, your framing policy, and your external resource loading rules.

For SMEs, headers are especially valuable because they reduce common classes of mistakes that appear during fast product iteration: permissive framing, mixed content, weak cookie settings, accidental script inclusion, and unbounded third-party integrations. They do not replace secure code, but they reduce blast radius when something slips through.

The operational goal is not to chase a perfect score on a public benchmark. The goal is to run a small, stable header baseline that fits your stack, survives deployments, and is verified continuously instead of being configured once and forgotten.

Recommended production baseline

A strong SME baseline starts with a short set of headers that each have a clear operational purpose. Keep the policy understandable for your team and version it like any other production configuration so changes are reviewed and reversible.

Content-Security-Policy: restrict script, style, connect, image, and frame sources to known origins, then tighten progressively.
Strict-Transport-Security: enforce HTTPS with a long max-age only after you are sure every subdomain can serve HTTPS safely.
X-Content-Type-Options: nosniff: prevent MIME confusion for scripts and styles.
Referrer-Policy: reduce unnecessary data leakage while preserving analytics use cases where justified.
Permissions-Policy: disable browser capabilities you do not explicitly need, such as camera, microphone, geolocation, or interest-cohort style features.
Set-Cookie flags: use Secure, HttpOnly, and SameSite with explicit intent on session cookies.
Frame protections: use frame-ancestors in CSP or X-Frame-Options where legacy compatibility is required.

How to deploy headers without breaking production

The most common mistake is shipping an ambitious CSP in enforcement mode without knowing what your frontend actually loads. A safer rollout pattern is to inventory your first-party and third-party origins, deploy a report-friendly version in staging, remove noise, and only then enforce on production.

Treat headers as an application contract. If marketing scripts, analytics, chat widgets, payment providers, or AI vendors are introduced, the header baseline must be reviewed in the same change. Otherwise you create a cycle where features silently weaken policy and nobody knows who owns the regression.

It is also important to differentiate public pages from authenticated surfaces. Your dashboard, marketing site, authentication flow, and file download endpoints may need slightly different policies. A single copy-pasted header blob across every route is often too coarse and causes either breakage or unjustified exceptions.

What to verify continuously

Validation should cover presence, syntax, and business relevance. Having a CSP header is not enough if it contains wildcard sources everywhere. Having HSTS is not enough if redirects still bounce through HTTP or if critical subdomains are left out unintentionally.

WarDek is useful here because it turns headers into an operational signal instead of a one-time screenshot. You can check whether key headers are missing, detect regressions after deployments, and connect header posture to the rest of the website baseline: TLS quality, cookies, exposed files, CORS, and compliance evidence.

The best teams define ownership, document exceptions, and keep a short remediation queue. A header issue should not stay in a generic backlog forever. It should have an owner, a reason, a target fix, and a validation step after deployment.

Common mistakes teams should avoid

Do not optimize for vanity grades alone. Some public scanners reward aggressive settings that do not reflect your business constraints. Your mission is a durable policy that your team understands and can maintain.

Avoid unsafe-inline and unsafe-eval in CSP unless you have a transition plan to remove them. If you must keep them temporarily, document why, where, and for how long. The same applies to broad connect-src or frame-src allowances for third-party tools that nobody has reviewed recently.

Finally, remember that headers are part of a broader trust posture. They support secure browsing, but they do not replace patching, access control, monitoring, secure development practices, or compliance evidence. Think of them as a baseline control that should be verified continuously and explained clearly to non-specialists.