2026-07-14

HTTP Security Headers: Complete Reference

Security Headers: Protecting Your Website with HTTP Responses

HTTP security headers are a powerful way to protect your website from common attacks. They're instructions that your server sends to the browser, telling it how to behave. A few well-chosen headers can prevent entire categories of attacks without any changes to your application code.

The Most Important Headers

Content-Security-Policy (CSP) is the most powerful security header. It tells the browser which sources are allowed to load scripts, styles, images, and other resources. If an attacker manages to inject a script tag pointing to their server, CSP blocks it. CSP can also prevent inline scripts, eval, and other dangerous patterns. It's the single most effective defense against cross-site scripting attacks.

Strict-Transport-Security (HSTS) tells the browser to always use HTTPS when connecting to your site, even if the user types http:// or clicks a plain HTTP link. This prevents man-in-the-middle attacks where an attacker intercepts the initial HTTP request and redirects the user to a fake site.

X-Frame-Options prevents your site from being embedded in an iframe on another domain. This protects against clickjacking attacks, where an attacker tricks users into clicking something they didn't intend to by overlaying a transparent iframe on top of a deceptive page.

Additional Protective Headers

X-Content-Type-Options prevents the browser from guessing the MIME type of a file. If you serve a file as text/plain, the browser won't try to interpret it as JavaScript, even if it looks like a script. This prevents a type of attack called MIME sniffing.

Referrer-Policy controls how much referrer information is sent when a user clicks a link to another site. A strict policy like 'strict-origin-when-cross-origin' sends the full URL for same-origin requests but only the origin for cross-origin requests, protecting user privacy.

Permissions-Policy (formerly Feature-Policy) lets you control which browser features your site can use. You can disable the camera, microphone, geolocation, and other features that you don't need, reducing the attack surface.

Implementing Security Headers

You can set security headers in your web server configuration (NGINX, Apache, Caddy), in your application framework, or through a CDN like Cloudflare. There are tools like Mozilla's Observatory that scan your site and tell you which headers are missing or misconfigured.

Start with a simple set of headers and gradually add more as you understand their impact. The most important ones to implement first are HSTS, CSP, X-Frame-Options, and X-Content-Type-Options. Test your site after each change to make sure you haven't broken anything — especially CSP, which can be tricky to configure correctly.

Let's work together

Do you need more info, help with your project, or to develop an idea?

Whether it's an easy question, a quick doubt, or just a 5-minute chat, send me a message—it costs nothing and I'm always ready to help. I love discussing a problem to understand it, getting creative with solutions, and focusing on simple, reliable, and straightforward ideas that we can actuate quickly.

Contact me

Switch Topic

Choose a specialized topic to explore: