How to Add Security Headers on Squarespace

Not possible

Squarespace does not let you set custom security headers on any plan. Here is the honest picture: what Squarespace already sends, the one header you can genuinely add yourself, and what your remaining options are.

Code Injection adds markup to your <head>. It does not set HTTP headers. Those are two different things, and most guides blur the line.

The short answer

You cannot set custom HTTP security headers on a Squarespace site. Not on any plan. Squarespace controls the server response, and there is no setting that changes it.

The confusion usually starts with Code Injection. Code Injection puts markup inside your page <head>. A security header is sent by the server, before the page even arrives. Pasting header text into Code Injection does nothing at all.

The Developer Platform does not rescue you either. It cannot add server-side custom code, and it is version-restricted: it works on Squarespace 7.0 only, not on 7.1, which is what effectively every new site is built on. It is version-restricted rather than gone, but for most owners reading this it is simply not an option.

Now the better news. Squarespace already sends most of the headers you were worried about.

What Squarespace already gives you

At the time of writing, a Squarespace site responds with these by default, with no work from you. These are our own July 2026 measurements rather than something Squarespace documents, so they can drift over time and vary by edge location.

Strict-Transport-Security

HSTS with a max-age of 180 days. Browsers will stick to HTTPS on return visits. You could not add this yourself even if you wanted to, because HSTS is header-only by specification.

X-Content-Type-Options

Set to nosniff, which stops browsers guessing file types. This is the header most small sites are missing, and you get it free.

X-Frame-Options

Set to SAMEORIGIN, which stops other sites putting your pages in an iframe. That is solid anti-clickjacking protection.

Referrer-Policy

Not set. This is the one real gap, and happily it is the one you can close yourself. See the next section.

The one header you can actually add

Squarespace ships no Referrer-Policy. Referrer-Policy is the rare security header that browsers also honour as an HTML meta tag, so you can add it through Code Injection.

Put this in your site header Code Injection:

<meta name="referrer" content="strict-origin-when-cross-origin">

Note it is name="referrer", not http-equiv. That is the correct form and browsers honour it. Save, then reload your site and confirm it is present in the page source.

Why the same trick will not work for the rest

Worth understanding, so you do not lose an afternoon to it. Meta tags are not a general stand-in for HTTP headers:

  • X-Frame-Options as a meta tag does nothing at all. Browsers ignore it completely. Plenty of blog posts recommend it anyway. Squarespace already sends the real header set to SAMEORIGIN, so you are covered regardless.
  • HSTS is header-only by specification. There is no meta tag version, and there never will be. Squarespace already sends it.
  • CSP partly works as a meta tag, but the directives people most want are ignored in meta form, including frame-ancestors, report-uri and sandbox. A meta CSP is also easy to get wrong and can break your own site. If you want to understand what you would be giving up, read our short CSP explainer.
  • Referrer-Policy is the exception, which is exactly why the snippet above is worth doing.

What about putting Cloudflare in front?

This is the one place where accuracy matters, because it is easy to overstate in either direction.

Squarespace says Cloudflare "falls outside the scope of Squarespace support". In the same breath they concede: "If you have advanced needs, you can connect your domain to Cloudflare for additional protection." Read that carefully. That is Squarespace saying they will not help you troubleshoot it, not Squarespace saying do not do it. It is a meaningfully softer position than some other platforms take.

So it is a real option if you have the skills and accept that you own the outcome. If something breaks, you are fixing it yourself. For most Squarespace owners, adding a whole extra layer in front of the site to gain one or two headers is not a trade worth making. If you have a Cloudflare-competent person in the building already, it is a reasonable conversation to have.

What we would actually do

Add the Referrer-Policy meta tag. Then stop. Squarespace covers HSTS, nosniff and framing protection for you, which is decent coverage already, and the gaps left over are not worth restructuring your site to close.

Put the effort where you still have full control instead. Your SPF record and DMARC record live in DNS, not in Squarespace, so nothing is blocking you there. Those stop people sending fake email in your name, which is a far more common attack on a small business than clickjacking.

Check your work in seconds

Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.

Run a free check

Frequently asked questions

Can I add security headers through Squarespace Code Injection?

Only Referrer-Policy, and only as a meta tag. Code Injection adds markup to your page head. It cannot set HTTP headers, because those are sent by the server before the page is delivered. The good news is Squarespace already sends HSTS, X-Content-Type-Options and X-Frame-Options by default.

Does the Squarespace Developer Platform let me set headers?

No. It cannot add server-side custom code, so it cannot set response headers. It is also version-restricted to Squarespace 7.0 and is not available on 7.1, which is what new sites are built on. For most owners it is not an option at all.

Would a higher Squarespace plan give me header control?

No. This is not a plan limit you can pay your way past. Custom security headers are not available on any Squarespace plan.

Should I put Cloudflare in front of my Squarespace site to add headers?

It is possible, and Squarespace themselves acknowledge that you can connect your domain to Cloudflare for additional protection if you have advanced needs. But they also say Cloudflare falls outside the scope of Squarespace support, so you own any problems that follow. For most sites, adding a whole layer for one or two headers is not worth it.

Will a failed security headers check hurt my site?

Less than you would think on Squarespace, because the platform already sets the important ones. A scanner that just counts headers can make your site look worse than it is. Run a free check to see what your site actually sends today, then close the one gap you can control.

Security headers on other platforms

Other fixes for Squarespace

See the full fix-it matrix →

Prove your site is safe.

Once it is fixed, show it. Get a badge your shoppers can verify, backed by continuous checks. Free to start.

Get started free Run a free check