HTTP Security Headers — The Complete Guide
Why security headers matter
HTTP security headers tell browsers how to handle your site's content. Missing headers leave your users vulnerable to cross-site scripting (XSS), clickjacking, MIME sniffing, and other attacks.
The essential headers
Content-Security-Policy (CSP)
Controls which origins the browser may load scripts, styles, images and other resources from. Blocks most XSS by refusing inline scripts and scripts from sources you have not explicitly allowed.
Strict-Transport-Security (HSTS)
Tells the browser to use HTTPS for every future connection to your host (for the lifetime of max-age). Prevents SSL stripping attacks, where an attacker downgrades a user to plain HTTP.
X-Frame-Options
Prevents other sites from embedding your pages in iframes (DENY or SAMEORIGIN). Blocks clickjacking.
X-Content-Type-Options
Stops the browser from guessing a response's type from its bytes instead of trusting the Content-Type header. Set it to 'nosniff'.
Referrer-Policy
Controls how much of the current URL is sent in the Referer header when users follow links or load resources from other origins.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation) your site can use.
How to implement
Most headers are set in your web server config (Nginx, Apache) or in your application framework. In Next.js, use the headers option in next.config.js; in Express, use the helmet middleware.
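As an added example (not code from the original page or from any framework it names), the Node.js snippet below defines a baseline set of the six headers covered above, a helper that applies them to any response object with a setHeader method (Node's http.ServerResponse or an Express res), and a small audit function of the kind the header checker linked below would run. The policy values, the one-year HSTS threshold and all names (SECURITY_HEADERS, applySecurityHeaders, auditHeaders, parseCsp, SAMPLE_WEAK_RESPONSE) are this example's own choices, not values prescribed by the page.

```javascript
// Added example: baseline security headers, an apply helper, and an audit.
// Names and policy values below are this example's own (assumed), not from any framework.

const SECURITY_HEADERS = {
  // Same-origin only, no inline scripts, no plugins. frame-ancestors 'none' is the
  // CSP equivalent of X-Frame-Options: DENY and takes precedence where supported.
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  // One year, covering subdomains. Browsers only honour HSTS on HTTPS responses.
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Works with Node's http.ServerResponse or an Express `res` (both expose setHeader).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  return res;
}

// Parse "directive value value; directive value" into { directive: [values] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Audit a received header map (header names are case-insensitive).
// Returns an array of findings; an empty array means every check passed.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  const csp = h["content-security-policy"];
  const d = csp ? parseCsp(csp) : {};
  if (!csp) {
    findings.push("Content-Security-Policy: missing");
  } else {
    // script-src falls back to default-src when absent.
    const scripts = d["script-src"] || d["default-src"] || [];
    if (scripts.includes("'unsafe-inline'")) findings.push("Content-Security-Policy: script-src allows 'unsafe-inline'");
    if (scripts.includes("*")) findings.push("Content-Security-Policy: script-src allows any origin (*)");
  }

  const hsts = h["strict-transport-security"];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!hsts) findings.push("Strict-Transport-Security: missing");
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push("Strict-Transport-Security: max-age below one year");

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!xfo && !d["frame-ancestors"]) findings.push("X-Frame-Options: missing (and no CSP frame-ancestors)");
  else if (xfo && !["DENY", "SAMEORIGIN"].includes(xfo)) findings.push(`X-Frame-Options: unexpected value "${xfo}"`);

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options: missing or not 'nosniff'");
  }

  const rp = (h["referrer-policy"] || "").toLowerCase();
  if (!rp) findings.push("Referrer-Policy: missing");
  else if (rp === "unsafe-url" || rp === "no-referrer-when-downgrade") {
    findings.push(`Referrer-Policy: "${rp}" sends full URLs to other origins`);
  }

  if (!h["permissions-policy"]) findings.push("Permissions-Policy: missing");

  return findings;
}

// Constructed sample: a response that sets only a weak subset of the headers.
const SAMPLE_WEAK_RESPONSE = {
  "Content-Type": "text/html",
  "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOWALL",
  "Referrer-Policy": "unsafe-url",
};

if (typeof module !== "undefined") {
  module.exports = { SECURITY_HEADERS, applySecurityHeaders, auditHeaders, parseCsp, SAMPLE_WEAK_RESPONSE };
}
```

Running auditHeaders(SAMPLE_WEAK_RESPONSE) yields seven findings (wildcard and inline scripts in CSP, a short HSTS max-age, an invalid X-Frame-Options value, missing nosniff, a leaky Referrer-Policy, and no Permissions-Policy), while auditHeaders(SECURITY_HEADERS) yields none. In a real deployment, apply the headers as early as possible in the response pipeline and tune the CSP from your own site's resource list rather than loosening it to 'unsafe-inline'.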
[Check your security headers now](/tools/headers-checker)