HTTP Security Headers Explained
A handful of response headers tell the browser how to behave defensively. They are cheap to add and block whole classes of attack.
The essentials
| Header | Recommended value | Stops |
|---|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains | SSL stripping / downgrade |
| Content-Security-Policy | a tailored allowlist | XSS, injection |
| X-Content-Type-Options | nosniff | MIME sniffing |
| X-Frame-Options | SAMEORIGIN | Clickjacking |
| Referrer-Policy | strict-origin-when-cross-origin | Referrer leakage |
| Permissions-Policy | disable unused features | API abuse |
Notes that trip people up
- HSTS only works over HTTPS. Setting it on an HTTP response does nothing — the browser ignores it until the site is served over TLS. Pair it with the right TLS versions.
- CSP is the powerful one and the easy one to break. Roll it out in `Content-Security-Policy-Report-Only` first, watch the reports, then enforce. Modern CSP increasingly replaces `X-Frame-Options` via `frame-ancestors`.
- Order of trust: headers are hardening, not a fix for insecure code.
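As an added example (not the checker this page links to), here is a small Python audit that parses a raw response header block and applies the table and notes above: a CSP `frame-ancestors` directive counts as covering `X-Frame-Options`, a Report-Only CSP is reported as not yet enforced, and an HSTS max-age below the recommended value is flagged. The sample responses are constructed, and accepting stricter Referrer-Policy values than the recommended one is my assumption.

```python
import re

HSTS_MIN_AGE = 63072000  # the max-age recommended in the table above
# Accepting stricter Referrer-Policy values than the recommended one is an editor's assumption.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def parse_headers(raw: str) -> dict:
    """Raw response header block -> {lowercase name: value}."""
    pairs = (line.partition(":") for line in raw.splitlines() if ":" in line)
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def audit(headers: dict) -> dict:
    """Map each header from the table to 'ok' or a short fix, following the notes above."""
    out = {}
    hsts = headers.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if age and int(age.group(1)) >= HSTS_MIN_AGE and "includesubdomains" in hsts:
        out["Strict-Transport-Security"] = "ok"
    else:
        out["Strict-Transport-Security"] = "missing/weak: max-age=63072000; includeSubDomains (over HTTPS)"
    csp = headers.get("content-security-policy", "")
    if csp:
        out["Content-Security-Policy"] = "ok"
    elif "content-security-policy-report-only" in headers:
        out["Content-Security-Policy"] = "report-only: review the reports, then enforce"
    else:
        out["Content-Security-Policy"] = "missing: start with a tailored allowlist in Report-Only"
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    out["X-Content-Type-Options"] = "ok" if nosniff else "missing: set nosniff"
    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("SAMEORIGIN", "DENY") or "frame-ancestors" in csp.lower():
        out["X-Frame-Options"] = "ok"  # a CSP frame-ancestors directive covers the same risk
    else:
        out["X-Frame-Options"] = "missing: set SAMEORIGIN or add frame-ancestors to the CSP"
    rp = headers.get("referrer-policy", "").lower()
    out["Referrer-Policy"] = "ok" if rp in SAFE_REFERRER else "missing/weak: set strict-origin-when-cross-origin"
    out["Permissions-Policy"] = "ok" if "permissions-policy" in headers else "missing: disable unused features"
    return out

# Constructed sample responses (not real captures): one hardened, one with typical gaps.
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()"""
WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy-Report-Only: default-src 'self'"""
```

Running `audit(parse_headers(WEAK))` returns a short fix per header, which is the same shape of result the checker above produces for a live URL.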
Check your site
Run a URL through our HTTP security header checker to see which headers are present, which are missing, and a short fix for each. Then confirm the certificate itself with the SSL/TLS checker.
Note: Set these at the edge (reverse proxy/CDN) so every app behind it inherits them consistently.