What are HTTP security headers?

HTTP security headers are response headers sent by your web server that instruct browsers how to handle your site's content securely. They protect against attacks like XSS, clickjacking, SSL stripping, and data leakage.

Which security header is most important?

Content-Security-Policy (CSP) is the most impactful single header because it can prevent entire classes of XSS attacks. However, all six major headers work together and each addresses a different threat.

How do I add security headers to my website?

Security headers are configured in your web server (Nginx, Apache), CDN (Cloudflare, AWS CloudFront), or hosting platform (Vercel, Netlify). Most platforms support custom headers through configuration files.

What is the difference between X-Frame-Options and CSP frame-ancestors?

Both prevent clickjacking by controlling iframe embedding. CSP frame-ancestors is the modern replacement with more flexibility. Setting both provides backward compatibility with older browsers that do not support CSP.

What does Permissions-Policy do?

Permissions-Policy controls which browser APIs (camera, microphone, geolocation, payment) your page and its embedded iframes can access. It prevents third-party content from using sensitive APIs without your consent.

Security Headers Deep Dive: HSTS, CSP, X-Frame-Options, Referrer-Policy & More

Security headers are HTTP response headers that instruct browsers how to behave when handling your site's content. Correctly configured headers can prevent entire classes of attacks, from cross-site scripting to clickjacking to protocol downgrade exploits. This guide walks through the six most important headers, with practical configuration examples for each.

1. Strict-Transport-Security (HSTS)

What it does

HSTS tells the browser to only communicate with your site over HTTPS for a specified period. Once a browser receives this header, it will automatically upgrade every HTTP request to HTTPS, even if a user manually types http://.

Why it matters

Without HSTS, an attacker on the same network can intercept the initial HTTP request before it redirects to HTTPS and perform an SSL stripping attack, serving the entire session over plain HTTP. HSTS eliminates this window of vulnerability entirely.

How to set it

Add the header in your web server or CDN configuration. Start with a short max-age (e.g. 300 seconds) to test, then increase to at least one year once confirmed.

Recommended value

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age=31536000 — enforce HTTPS for one year
includeSubDomains — apply the policy to all subdomains
preload — opt in to the browser preload list so HSTS applies on the very first visit

2. Content-Security-Policy (CSP)

What it does

CSP defines an allowlist of sources from which the browser may load scripts, styles, images, fonts, frames, and other resources. Anything not on the allowlist is blocked.

Why it matters

CSP is the single most effective defense against cross-site scripting (XSS). Even if an attacker injects a <script> tag into your page, the browser refuses to execute it unless the source is explicitly allowed in your policy.

How to set it

Start with Content-Security-Policy-Report-Only to monitor violations without breaking your site, then move to enforcement once the policy is tuned.

Example values

Strict baseline

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'

With third-party analytics

Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com; img-src 'self' https://www.google-analytics.com

3. X-Frame-Options

What it does

X-Frame-Options controls whether your page can be embedded inside an <iframe>, <frame>, or <object> on another site.

Why it matters

Without it, attackers can embed your page invisibly inside their own site and trick users into clicking buttons they cannot see. This technique, called clickjacking, can lead to unauthorized account actions, payment confirmations, or data disclosure.

How to set it

Add a single header to your server response. Most sites should use DENY. If you need to embed your own pages (e.g. an admin panel inside a dashboard), use SAMEORIGIN.

Recommended value

X-Frame-Options: DENY

Note: The modern replacement is frame-ancestors 'none' in your CSP. Setting both provides backward compatibility with older browsers.

4. X-Content-Type-Options

What it does

This header prevents browsers from MIME-type sniffing. When set to nosniff, the browser strictly follows the Content-Type header instead of trying to detect the file type by inspecting the content.

Why it matters

Without it, an attacker could upload a file disguised as an image that actually contains JavaScript. If the browser sniffs the content and decides to treat it as a script, the malicious code runs in the context of your domain with full access to cookies and session data.

How to set it

There is only one valid value. Add it to every response.

Recommended value

X-Content-Type-Options: nosniff

5. Referrer-Policy

What it does

Controls how much information about the current page URL is included in the Referer header when a user navigates to another site or loads a third-party resource.

Why it matters

URLs often contain sensitive data: session tokens, search queries, internal page paths, or user IDs. Without a restrictive Referrer-Policy, this information leaks to every external resource and link destination on your pages.

How to set it

Add the header at the server or CDN level. The recommended value balances privacy with functionality, sending the full URL for same-origin requests but only the origin for cross-origin navigation.

Recommended value

Referrer-Policy: strict-origin-when-cross-origin

For maximum privacy, use no-referrer. However, this breaks analytics attribution and some authentication flows.

6. Permissions-Policy

What it does

Permissions-Policy (formerly Feature-Policy) controls which browser APIs and features your page and its embedded iframes can access. You can disable the camera, microphone, geolocation, payment APIs, and dozens of other capabilities.

Why it matters

If your site embeds third-party widgets or ads, those iframes inherit access to powerful browser APIs by default. A malicious or compromised widget could silently activate the microphone, request geolocation, or trigger payment prompts. Permissions-Policy lets you revoke these capabilities for all embedded content.

How to set it

Specify each feature you want to restrict. An empty allowlist () disables the feature entirely. Use self to allow only your own origin.

Recommended value

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()

This disables camera, microphone, geolocation, payment requests, USB access, and FLoC tracking for all contexts including embedded iframes.

Quick reference

Header	Protects against	Difficulty
HSTS	SSL stripping, protocol downgrade	Easy
CSP	XSS, data injection, code injection	Moderate
X-Frame-Options	Clickjacking	Easy
X-Content-Type-Options	MIME confusion attacks	Easy
Referrer-Policy	URL data leakage	Easy
Permissions-Policy	Unauthorized API access via embeds	Easy

Test your headers

Use the free headers checker to see which security headers your site is sending and get specific fix recommendations, or run a full domain scan to audit headers alongside SSL, DNS, email authentication, and more.