HTTP Headers
Weight: 13% of your AX score. This check verifies three things: security headers are present, Link headers point to AI discovery files, and CORS is enabled on .well-known resources.
Missing critical security header
One or more critical security headers are missing from your HTTP response. ax-audit checks for 7 security headers; three of them are critical:
- Strict-Transport-Security: enforces HTTPS. Browsers only honour it on a response received over HTTPS, and the preload token should be set only if you intend to submit the domain to the HSTS preload list, because preloading is hard to reverse.
- X-Content-Type-Options: prevents MIME sniffing. The only valid value is nosniff.
- X-Frame-Options: prevents clickjacking. DENY also blocks framing by your own origin; use SAMEORIGIN if you frame your own pages. A Content-Security-Policy frame-ancestors directive is the modern replacement and takes precedence in browsers that support both.
In Next.js, add headers in next.config.js. The headers() function must be a property of the exported config object, and source: '/(.*)' applies the set to every route:
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
      ],
    }];
  },
};

For Vercel, use vercel.json. For Nginx/Apache, add the headers in your server configuration.
Low security header count
Fewer than 4 of the 7 checked security headers are present. Security headers are important not just for security but also for trust signals — AI agents can factor them into reliability assessments.
Add the missing headers from the list above. Use securityheaders.com to scan your site, or inspect a response directly with curl -sI https://example.com and look for the header names in the output.
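The two findings above can be reproduced locally. The following is an added example, not ax-audit's own code: it audits a response's headers for the three critical names the page lists, counts how many of the checked set are present, and also flags weak values, which a presence check alone would miss. The page names five of the seven checked headers; Content-Security-Policy and Cross-Origin-Opener-Policy are assumed for the remaining two. The two sample responses are constructed.

```javascript
// Added example, not ax-audit's own code: audit the security headers of one
// HTTP response. The three critical names come from this page; the full list
// of seven is an assumption (Content-Security-Policy and
// Cross-Origin-Opener-Policy are guesses for the two the page does not name).
const CRITICAL_HEADERS = [
  'strict-transport-security',
  'x-content-type-options',
  'x-frame-options',
];
const CHECKED_HEADERS = [
  ...CRITICAL_HEADERS,
  'referrer-policy',
  'permissions-policy',
  'content-security-policy',      // assumed member of the seven
  'cross-origin-opener-policy',   // assumed member of the seven
];

// Header field names are case-insensitive, so lower-case them before lookup.
function normalizeHeaders(rawHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Presence alone is not enough; a header with a weak value defeats the intent.
function valueWarnings(h) {
  const warnings = [];
  const hsts = h['strict-transport-security'];
  if (hsts !== undefined) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) warnings.push('HSTS max-age below one year');
    if (!/includeSubDomains/i.test(hsts)) warnings.push('HSTS lacks includeSubDomains');
  }
  const xcto = h['x-content-type-options'];
  if (xcto !== undefined && xcto.toLowerCase() !== 'nosniff') {
    warnings.push('X-Content-Type-Options must be exactly "nosniff"');
  }
  const xfo = h['x-frame-options'];
  if (xfo !== undefined && !['deny', 'sameorigin'].includes(xfo.toLowerCase())) {
    warnings.push('X-Frame-Options must be DENY or SAMEORIGIN');
  }
  return warnings;
}

// Returns the two findings from this page plus value-level warnings.
function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const present = CHECKED_HEADERS.filter((name) => name in h);
  const missingCritical = CRITICAL_HEADERS.filter((name) => !(name in h));
  const findings = [];
  if (missingCritical.length > 0) findings.push('Missing critical security header');
  if (present.length < 4) findings.push('Low security header count');
  return { count: present.length, present, missingCritical, findings, warnings: valueWarnings(h) };
}

// Live check (Node 18+ ships a global fetch). HEAD avoids downloading the body;
// redirect: 'manual' so you audit the response of the URL you asked for, not
// whatever an HTTP-to-HTTPS redirect lands on.
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return auditSecurityHeaders(Object.fromEntries(res.headers));
}

// Constructed sample: a weak response (short HSTS, non-standard X-Frame-Options).
const WEAK_RESPONSE = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
};
// Constructed sample: the headers set by the next.config.js above.
const HARDENED_RESPONSE = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

console.log(auditSecurityHeaders(WEAK_RESPONSE));
console.log(auditSecurityHeaders(HARDENED_RESPONSE));
```

The weak sample is counted as having two of the seven headers present yet still produces three warnings, which is why a scanner that only counts names can pass a site that is effectively unprotected. Run auditUrl('https://your-site.example') from Node to audit a live deployment.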
Missing agent.json in Link header
Your Link header references llms.txt but not agent.json. Add it:
Link: </llms.txt>; rel="alternate"; type="text/plain", </.well-known/agent.json>; rel="alternate"; type="application/json"

Send the whole value on a single line: folding a header value across continuation lines is obsolete in HTTP/1.1 and is rejected by many servers and proxies.

Missing llms.txt in Link header
Your Link header references agent.json but not llms.txt. Add it alongside your existing Link header entries.
Link header without AI discovery
Your site sends a Link header but it doesn't include references to AI discovery files. Add entries for both llms.txt and agent.json to your existing Link header.
No Link header
Your site doesn't send any Link response header. The Link header allows AI agents to discover your AX files without parsing HTML:
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        {
          key: 'Link',
          value: '</llms.txt>; rel="alternate"; type="text/plain", </.well-known/agent.json>; rel="alternate"; type="application/json"',
        },
      ],
    }];
  },
};

No CORS on .well-known
Your /.well-known/agent.json endpoint doesn't include CORS headers. Browser-based AI agents need Access-Control-Allow-Origin: * to fetch your discovery files cross-origin. The wildcard is appropriate here because the discovery files are public and do not depend on cookies or other credentials; do not copy this rule onto endpoints that return user-specific data. Access-Control-Allow-Methods only matters for preflighted requests, and a plain GET is not preflighted, so the second header is harmless but optional.
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/.well-known/:path*',
      headers: [
        { key: 'Access-Control-Allow-Origin', value: '*' },
        { key: 'Access-Control-Allow-Methods', value: 'GET, OPTIONS' },
      ],
    }];
  },
};

Note that this source pattern covers only paths under /.well-known/; /llms.txt lives at the site root, so add a second entry with source: '/llms.txt' if browser-based agents need to fetch it cross-origin as well.
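The Link header findings above (missing agent.json, missing llms.txt, Link header without AI discovery, no Link header) and this CORS finding can all be derived from the raw response headers. The following is an added example, not ax-audit's own code: it parses a Link field value the way RFC 8288 defines it (comma-separated link-values, each a bracketed target followed by semicolon-separated parameters), maps the result to the finding names used on this page, and checks a /.well-known response for a usable CORS policy. The discovery paths /llms.txt and /.well-known/agent.json are the page's; the sample header values are constructed.

```javascript
// Added example, not ax-audit's own code: parse a Link response header as
// RFC 8288 defines it and classify the Link and CORS findings on this page.
// The discovery targets (/llms.txt and /.well-known/agent.json) are the page's.

// Split a Link field value on the commas that separate link-values, ignoring
// commas inside <target> brackets and inside quoted parameter values.
function splitLinkValues(value) {
  const parts = [];
  let depth = 0;
  let inQuote = false;
  let cur = '';
  for (const ch of value) {
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === '<') depth += 1;
    else if (!inQuote && ch === '>') depth -= 1;
    if (ch === ',' && !inQuote && depth === 0) {
      parts.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Parse one link-value: <target>; name=token; name="quoted string".
// Parameter names are case-insensitive; a ';' inside a quoted value is not handled.
function parseLinkValue(part) {
  const m = /^<([^>]*)>\s*(.*)$/.exec(part);
  if (!m) return null;
  const params = {};
  for (const raw of m[2].split(';')) {
    const kv = raw.trim();
    if (!kv) continue;
    const eq = kv.indexOf('=');
    if (eq === -1) {
      params[kv.toLowerCase()] = '';
      continue;
    }
    let val = kv.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    params[kv.slice(0, eq).trim().toLowerCase()] = val;
  }
  return { target: m[1], params };
}

function parseLinkHeader(value) {
  return splitLinkValues(value).map(parseLinkValue).filter((l) => l !== null);
}

// Resolve relative and absolute targets to a path so both forms are recognised.
// The base host is a placeholder used only for resolution.
function targetPath(target) {
  try {
    return new URL(target, 'https://placeholder.invalid/').pathname;
  } catch {
    return '';
  }
}

// Map a Link header value (or its absence) to the finding names on this page.
function checkAiDiscovery(linkHeaderValue) {
  if (!linkHeaderValue) {
    return { llmsTxt: false, agentJson: false, finding: 'No Link header' };
  }
  const paths = parseLinkHeader(linkHeaderValue).map((l) => targetPath(l.target));
  const llmsTxt = paths.includes('/llms.txt');
  const agentJson = paths.includes('/.well-known/agent.json');
  let finding = null;
  if (!llmsTxt && !agentJson) finding = 'Link header without AI discovery';
  else if (!agentJson) finding = 'Missing agent.json in Link header';
  else if (!llmsTxt) finding = 'Missing llms.txt in Link header';
  return { llmsTxt, agentJson, finding };
}

// CORS check for a /.well-known response. A public discovery file may carry
// the wildcard origin; combining '*' with credentials is rejected by browsers.
function checkWellKnownCors(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return { ok: false, finding: 'No CORS on .well-known' };
  if (acao === '*' && h['access-control-allow-credentials'] === 'true') {
    return { ok: false, finding: 'Wildcard origin combined with credentials' };
  }
  return { ok: acao === '*', finding: acao === '*' ? null : 'Origin-restricted CORS' };
}

// Constructed sample values.
const FULL_LINK = '</llms.txt>; rel="alternate"; type="text/plain", '
  + '</.well-known/agent.json>; rel="alternate"; type="application/json"';
const LLMS_ONLY_LINK = '<https://example.com/llms.txt>; rel="alternate"; type="text/plain"';
const PRELOAD_ONLY_LINK = '</app.js>; rel=preload; as=script';

console.log(checkAiDiscovery(FULL_LINK));
console.log(checkAiDiscovery(LLMS_ONLY_LINK));
console.log(checkAiDiscovery(PRELOAD_ONLY_LINK));
console.log(checkAiDiscovery(undefined));
console.log(checkWellKnownCors({ 'Content-Type': 'application/json' }));
console.log(checkWellKnownCors({ 'Access-Control-Allow-Origin': '*' }));
```

Matching on the resolved path rather than the raw target means an absolute URL such as <https://example.com/llms.txt> is accepted as well as the relative form shown on this page. When a server sends several Link headers, the Fetch Headers object joins them with ", " before you see them, which the splitter handles the same way as a single combined value.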