
HTTP Security Headers: The Invisible Shield for Your Website


HTTP security headers are instructions your web server sends to browsers telling them how to handle your website securely. They are invisible to visitors but provide critical protection against common attacks like clickjacking, cross-site scripting (XSS), and data injection. Most websites are missing at least some of these headers.

Essential security headers

Strict-Transport-Security (HSTS)

Tells browsers to only connect to your site over HTTPS, even if a user types http://. Prevents SSL stripping attacks where an attacker downgrades the connection to unencrypted HTTP. Note that a browser only enforces this after it has received the header once over a valid HTTPS connection, so the very first visit is not covered unless the domain is on the browsers' preload list.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy (CSP)

Controls which resources (scripts, styles, images) the browser is allowed to load. The most powerful header for preventing XSS attacks. A strict CSP can block injected malicious scripts entirely. Be aware that a policy like the one below also blocks inline <script> blocks and inline event handlers, so a site that relies on them must move that code into separate files first.

Content-Security-Policy: default-src 'self'; script-src 'self'

X-Frame-Options

Prevents your website from being embedded in an iframe on another site. This stops clickjacking attacks where an attacker overlays invisible elements on your page to trick users into clicking hidden buttons.

X-Frame-Options: DENY

X-Content-Type-Options

Prevents browsers from guessing (sniffing) the content type of files and makes them honor the declared Content-Type instead. Without this, a browser may decide that a file served as plain text or an image is really JavaScript, letting an attacker-supplied upload run as script.

X-Content-Type-Options: nosniff

Referrer-Policy

Controls how much information about the referring page is sent when a user clicks a link. Setting this to "strict-origin-when-cross-origin" sends the full URL only for same-origin requests and just the origin (scheme and host) to other sites, which prevents sensitive URL paths and query strings from leaking to third parties.

How to add security headers

Security headers are configured in your web server (Nginx, Apache, Cloudflare) or application framework. Most hosting platforms like Vercel, Netlify, and Cloudflare Pages support custom headers through configuration files. Adding all five essential headers typically takes less than 10 minutes.

Grading

CQwerty Shield grades your HTTP headers from A+ to F based on which headers are present, how they are configured, and whether they follow current best practices. An A+ grade requires HSTS with a long max-age, a strict CSP, X-Frame-Options set to DENY, X-Content-Type-Options set to nosniff, and a restrictive Referrer-Policy.
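The five A+ conditions above, turned into a small checker you can run against a saved response; this is an added example, not CQwerty Shield's own scanner code. The sample response is constructed, "long max-age" is taken to mean at least one year, "strict CSP" is taken to mean a default-src with no 'unsafe-inline', 'unsafe-eval' or bare wildcard in default-src or script-src, and the grade steps below A+ are the example's own assumption.

```python
import re

# Constructed sample response (not from any real site), as a server would send it.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

RESTRICTIVE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def parse_headers(raw: str) -> dict:
    # Lower-cased header name -> value; the status line is skipped.
    pairs = (line.partition(":") for line in raw.splitlines()[1:])
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def hsts_ok(value: str) -> bool:
    # "Long max-age" is taken to mean at least one year (31536000 seconds).
    m = re.search(r"max-age=(\d+)", value, flags=re.I)
    return bool(m) and int(m.group(1)) >= 31536000

def csp_strict(value: str) -> bool:
    # default-src must be set; default-src and script-src may not allow unsafe-inline/eval or '*'.
    dirs = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            dirs[tokens[0]] = set(tokens[1:])
    if "default-src" not in dirs:
        return False
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*"}
    return not any(weak & dirs.get(d, set()) for d in ("default-src", "script-src"))

def check_headers(raw: str) -> tuple:
    # Returns (grade, failing header names). A+ needs all five; lower steps are assumed here.
    h = parse_headers(raw)
    checks = {
        "Strict-Transport-Security": hsts_ok(h.get("strict-transport-security", "")),
        "Content-Security-Policy": csp_strict(h.get("content-security-policy", "")),
        "X-Frame-Options": h.get("x-frame-options", "").upper() == "DENY",
        "X-Content-Type-Options": h.get("x-content-type-options", "").lower() == "nosniff",
        "Referrer-Policy": h.get("referrer-policy", "").lower() in RESTRICTIVE_REFERRER,
    }
    failing = [name for name, ok in checks.items() if not ok]
    return {0: "A+", 1: "B", 2: "C", 3: "D"}.get(len(failing), "F"), failing
```

Paste the output of `curl -sI https://your-site` in place of the constructed sample to check a live response offline.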
