
Security Headers Deep Dive

HTTP headers aren't just metadata — they're security controls that tell browsers how to protect your users. Properly configured headers prevent entire categories of attacks, yet they're frequently missing or misconfigured.

Essential Security Headers

Content-Security-Policy (CSP) is the most powerful header. It controls which resources browsers can load, effectively preventing cross-site scripting attacks:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'

This policy allows scripts and stylesheets only from your own origin, and because 'unsafe-inline' is not listed, inline scripts are blocked as well. Even if an attacker injects a script tag or an inline handler into the page, the browser refuses to execute it.

Strict-Transport-Security (HSTS) forces browsers to use HTTPS for all future requests:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Once a browser has received this header over HTTPS (it is ignored on plain HTTP responses), it won't make insecure HTTP requests to your domain for a year, even if users type http:// explicitly. includeSubDomains extends the rule to every subdomain, and preload signals that the domain may be added to the browsers' built-in HSTS list so that even the very first visit is protected.

X-Content-Type-Options prevents browsers from guessing content types:

X-Content-Type-Options: nosniff

Without this, a browser may inspect the response body and treat it as JavaScript or HTML even though you served it as plain text, which can turn a harmless-looking file such as a user upload into executable code.

X-Frame-Options prevents your pages from being embedded in iframes, blocking clickjacking attacks:

X-Frame-Options: DENY

Attackers can't trick users into clicking hidden buttons on your site if your pages can't be framed.

Referrer-Policy controls how much URL information browsers send when users navigate away:

Referrer-Policy: strict-origin-when-cross-origin

With this value, same-origin navigations still send the full URL, cross-origin navigations send only the origin, and downgrades from HTTPS to HTTP send nothing, so sensitive URL parameters don't leak to third-party sites.

Permissions-Policy disables browser features you don't need:

Permissions-Policy: geolocation=(), camera=(), microphone=()

If your site doesn't need location access, disable it. This limits damage if your site is compromised.

Testing Your Headers

Several free tools analyze your security headers:

SecurityHeaders.com grades your configuration and explains what's missing. Aim for an A rating.

Mozilla Observatory provides comprehensive security analysis beyond just headers.

Browser developer tools show exactly which headers your server sends. Open the Network tab, select a request, and examine the response headers.

Implementation Tips

Add headers at your web server or reverse proxy level rather than in application code. This ensures every response includes them, even error pages.

Start with a report-only CSP to see what would break before enforcing it. The Content-Security-Policy-Report-Only header logs violations without blocking resources.
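As an added example that is not part of this page, the checks in the two sections above expressed as a small Python audit: it takes the response headers of one page (the dict you would copy out of the browser's Network tab) and reports what is missing or weak, using the header names and values this page lists. It also accepts a CSP frame-ancestors directive in place of X-Frame-Options, which the page does not cover, and the two sample responses at the bottom are constructed.

```python
# Added example: audit a response's headers against the policies on this page.
# The sample responses at the bottom are constructed, not captured from any site.
import re
from typing import Dict, List

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS value, or 0 if it is absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    if not csp:  # a report-only policy logs violations but blocks nothing
        findings.append("CSP is report-only, not enforced"
                        if "content-security-policy-report-only" in h
                        else "missing Content-Security-Policy")
    else:
        d = parse_csp(csp)
        scripts = d.get("script-src") or d.get("default-src", [])
        if not scripts or "*" in scripts or "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline or any-origin scripts")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(h["strict-transport-security"]) < 31536000:  # one year, as on this page
        findings.append("HSTS max-age is below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("page can be framed: no X-Frame-Options or frame-ancestors")
    findings += [f"missing {n.title()}" for n in ("referrer-policy", "permissions-policy") if n not in h]
    return findings

GOOD = {"Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "geolocation=(), camera=(), microphone=()"}
WEAK = {"Content-Security-Policy-Report-Only": "default-src 'self'",
        "Strict-Transport-Security": "max-age=3600", "x-frame-options": "ALLOWALL"}
```

Running audit_headers(GOOD) returns no findings, while audit_headers(WEAK) flags the report-only CSP, the short HSTS lifetime, the missing nosniff, the frameable page and the two absent headers.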

Last updated December 26, 2025