Security Guide

Website Security Headers: The Complete Guide for 2026

Most websites are missing critical security headers that protect against XSS, clickjacking, and data leakage. Here's what you need and how to add them.

What are HTTP security headers?

HTTP security headers are directives sent by your web server that tell browsers how to behave when handling your site's content. They're your first line of defense against common web attacks — and most websites are missing at least half of them.

The good news? Adding security headers is usually a quick server configuration change that takes minutes, not hours.

The 6 essential security headers

1. Strict-Transport-Security (HSTS)

HSTS tells browsers to always use HTTPS when connecting to your site. Without it, attackers can intercept the initial HTTP request before the redirect to HTTPS happens (a "man-in-the-middle" attack).

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Impact: Critical. This header prevents SSL stripping attacks and ensures all communication is encrypted. Set max-age to at least one year (31536000 seconds).

2. Content-Security-Policy (CSP)

CSP is the most powerful security header. It controls which resources (scripts, styles, images) the browser is allowed to load, preventing XSS attacks by blocking injected malicious scripts.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'

Impact: Critical. CSP is your primary defense against cross-site scripting (XSS). Start with a restrictive policy and loosen as needed.

3. X-Content-Type-Options

This header prevents browsers from "sniffing" the MIME type of a response, which can be exploited to execute malicious files disguised as harmless content types.

X-Content-Type-Options: nosniff

Impact: High. It's a one-line addition with no downsides. There's no reason not to include it.

4. X-Frame-Options

Prevents your site from being embedded in an iframe on another domain, protecting against clickjacking attacks where users think they're clicking on your site but are actually interacting with a malicious overlay.

X-Frame-Options: DENY

5. Referrer-Policy

Controls how much referrer information is sent when users click links on your site. Without it, sensitive URL parameters (like session tokens or internal paths) can leak to external sites.

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Controls which browser features and APIs your site can use (camera, microphone, geolocation, etc.). This prevents malicious scripts from accessing sensitive device capabilities.

Permissions-Policy: camera=(), microphone=(), geolocation=()

How to add security headers

The implementation depends on your hosting platform:

  • Nginx: Add headers in your server block using add_header
  • Apache: Use .htaccess with Header set
  • Vercel/Netlify: Configure in vercel.json or _headers file
  • Cloudflare: Use Transform Rules or Workers
  • WordPress: Plugins like "Headers Security Advanced"

Get your security score

Foglift checks all 6 security headers and gives you a score out of 100, plus specific instructions for what's missing. Also check your SSL/TLS certificate to verify your encryption is up to date. Read our SSL certificate checker guide for more details.

Common mistakes to avoid

  • Setting HSTS max-age too low: Use at least 1 year (31536000). Shorter periods offer less protection.
  • Overly permissive CSP: Avoid unsafe-eval unless absolutely necessary. It defeats the purpose of CSP.
  • Forgetting subdomains: HSTS should include includeSubDomains to protect all subdomains.
  • Not testing after adding: Always verify headers are being sent correctly using browser DevTools or a tool like Foglift.
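The checks from the header list and the mistakes above, as an added example written for this guide (not Foglift's code or scoring): it audits a set of response headers for the six headers, an HSTS max-age of at least one year with includeSubDomains, a script-src without 'unsafe-eval' or 'unsafe-inline' (the CSP example earlier in the guide includes 'unsafe-inline', which the audit flags because it lets injected inline scripts run), and X-Content-Type-Options set to nosniff. The header dictionary is constructed; in practice you would pass the headers captured from an HTTPS response to your own site.

```python
REQUIRED = ["strict-transport-security", "content-security-policy", "x-content-type-options",
            "x-frame-options", "referrer-policy", "permissions-policy"]
ONE_YEAR = 31536000  # minimum HSTS max-age recommended in the guide

def parse_directives(value: str) -> dict:
    """Turn 'max-age=31536000; includeSubDomains' into a lowercase directive dict."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out

def csp_source_list(csp: str, directive: str) -> str:
    """Source list for a CSP directive; script-src falls back to default-src when absent."""
    for name in (directive, "default-src"):
        for part in csp.split(";"):
            tokens = part.split()
            if tokens and tokens[0] == name:
                return " ".join(tokens[1:])
    return ""

def audit_headers(headers: dict) -> list:
    """Return findings for the six headers; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    if "strict-transport-security" in h:
        d = parse_directives(h["strict-transport-security"])
        age = d.get("max-age", "0")
        if not age.isdigit() or int(age) < ONE_YEAR:
            findings.append("hsts: max-age below one year")
        if "includesubdomains" not in d:
            findings.append("hsts: missing includeSubDomains")
    if "content-security-policy" in h:
        scripts = csp_source_list(h["content-security-policy"].lower(), "script-src")
        for weak in ("'unsafe-eval'", "'unsafe-inline'"):
            if weak in scripts:  # either keyword lets injected script execute
                findings.append(f"csp: script-src allows {weak}")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: value must be nosniff")
    return findings

# Constructed sample (not a real site): the guide's values, but with a short HSTS
# max-age, the 'unsafe-inline' CSP example, and Permissions-Policy left out.
SAMPLE = {"Strict-Transport-Security": "max-age=3600; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
          "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
          "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)) or "all checks passed")
```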

Bottom line

Security headers are one of the easiest wins in web security. Most can be added in under 10 minutes and they significantly reduce your attack surface. Start with HSTS and CSP (the two most impactful), then add the rest.

Not sure where you stand? Run a free Foglift scan to see which headers you're missing and get specific recommendations for your setup.
