Docker security bod Diogo Monica is offering a guide to help system administrators flip their security header report card marks from a Fs to As.

Good security headers do things like ward-off click-jacking and cross-site scripting attacks, malicious certificates, and secure sockets downgrading.

Many big e-commerce and banking sites have failed security header tests, along with the majority of the internet.

Monica's blog too failed tests against securityheader.io prompting him to upgrade it and offer advice on how others can do so for critical sites.

"With the exception of [public key pinning], which I wouldn’t really recommend enabling unless you have a very mature SecOps team, all of these headers should be enabled on any production website you deploy," Monica says.

"It will be a lot easier to iterate on configuration changes if you’re not currently serving any traffic, so do it sooner rather than later."

Monica covers areas like X-Content-Type-Options, Strict Transport Security, Content-Security Policy, and public key pinning.

Cross-site scripting protection, X-Content-Type-Options, and X-Frame-Options are easy enough to deploy while the latter has a tendency to exclude visitors if done incorrectly.

Readers have access to a wealth of guides and cheat sheets to implementing security headers, and wrangling public key pinning. "HPKP (pinning) is probably the most dangerous of all the security headers," Monica says.

"Like HSTS, if something goes wrong, users might be disallowed from accessing your website for the duration you specify in your max_age argument."

He recommends using the Report-Only version so that pins can be tested without downtime.

Those who would rather take a screenshot of an A rating of their site in tests like securityheaders.io and Qualys' SSL labs without actually doing anything can use junk parameters since the former test box only checks that headers exist.

SSL Labs on the other hand will hand out top marks to anyone using Cloudflare, he says. (El Reg is a Cloudflare customer.) ®