What it is
Security headers are short instructions your server sends with every page, telling the browser what to trust once a page loads. HTTPS protects data while it travels to the customer; security headers govern what happens after it arrives: which scripts are allowed to run and whether another site can frame your pages.
How common it is
About two in three audited stores (67%) send these headers. The other third ship pages without them, so the browser trusts everything by default. The audit checks whether the headers are present, including Content-Security-Policy and Strict-Transport-Security, not just whether the site loads over HTTPS. That is why a store can show the padlock icon and still fail this signal.
Why it costs you
Without these rules, the browser can’t tell your code from an attacker’s. A single injected script at checkout can read what customers type and send their card details elsewhere, while your store keeps taking orders and nothing looks wrong. A properly configured Content-Security-Policy gives the browser a list of script sources you approve, so a skimmer loaded from anywhere else is blocked. When it does happen, the damage shows up as chargebacks, a forced PCI audit, and customers who learn their card was stolen on your site.
Check it in 30 seconds
Open securityheaders.com and paste your store URL. A low grade means important headers are missing; look in the report for Content-Security-Policy and Strict-Transport-Security. If they are absent, the browser is running on trust.
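The same two checks can be run offline against a raw header block, for example the output of `curl -sI https://your-store`. This is an added example, not code from the audit tool or from this page; the three sample responses are constructed, and the one-year HSTS max-age threshold is an assumed pass mark.

```python
import re

ONE_YEAR = 31536000  # assumed minimum HSTS max-age for a pass, in seconds


def parse_headers(raw: str) -> dict:
    """Parse a raw 'Name: value' header block (as printed by curl -sI) into a dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> list:
    """Return the list of findings for one response; empty means both headers pass."""
    h = parse_headers(raw)
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: scripts from any origin will run")
    else:
        # Each directive is "name source source ..."; directives are separated by ';'
        directives = {}
        for d in csp.split(";"):
            parts = d.split()
            if parts:
                directives[parts[0]] = parts[1:]
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            findings.append("CSP has no script-src or default-src: scripts unrestricted")
        elif "'unsafe-inline'" in sources or "*" in sources:
            findings.append("CSP permits inline or wildcard scripts: a skimmer is not blocked")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browser may still try plain HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below the assumed one-year minimum")
    return findings


# Constructed sample responses; not captured from any real store.
PADLOCK_ONLY = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
WEAK = (PADLOCK_ONLY + "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
        + "Strict-Transport-Security: max-age=300\r\n")
HARDENED = (PADLOCK_ONLY + "Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example\r\n"
            + "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n")
```

`audit(PADLOCK_ONLY)` reports both headers missing, which is the "padlock but failing" case described above; `audit(HARDENED)` returns no findings.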
Run the free audit to see which security headers your store is missing.
