Security Headers

Security Headers

A cheat sheet of HTTP security headers, each explained with examples.

Content-Security-Policy

Critical XSS Prevention

Defines approved sources of content that browsers should load.

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com

πŸ’‘ Start with a report-only policy to test before enforcing.

MDN Docs β†’

Strict-Transport-Security

Critical HTTPS

Forces browsers to only connect via HTTPS.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

πŸ’‘ Include preload for browsers to enforce HTTPS from first visit.

MDN Docs β†’

X-Content-Type-Options

High MIME Sniffing

Prevents browsers from MIME-sniffing a response away from declared content-type.

X-Content-Type-Options: nosniff

πŸ’‘ Always set this to nosniff.

MDN Docs β†’

X-Frame-Options

High Clickjacking

Prevents your page from being embedded in iframes.

X-Frame-Options: DENY

πŸ’‘ Use CSP frame-ancestors for more control.

MDN Docs β†’

X-XSS-Protection

Low XSS Prevention

Configures the XSS filter built into browsers. (Deprecated)

X-XSS-Protection: 0

πŸ’‘ Set to 0 and rely on CSP instead. The XSS filter can introduce vulnerabilities.

MDN Docs β†’

Referrer-Policy

Medium Privacy

Controls how much referrer information is included with requests.

Referrer-Policy: strict-origin-when-cross-origin

πŸ’‘ Use strict-origin-when-cross-origin for a good balance.

MDN Docs β†’

Permissions-Policy

Medium Feature Control

Controls which browser features can be used.

Permissions-Policy: geolocation=(), microphone=(), camera=()

πŸ’‘ Disable features you don't use to reduce attack surface.

MDN Docs β†’

Cross-Origin-Opener-Policy

Medium Isolation

Isolates your document from cross-origin windows.

Cross-Origin-Opener-Policy: same-origin

πŸ’‘ Required for SharedArrayBuffer and high-resolution timers.

MDN Docs β†’

Cross-Origin-Resource-Policy

Medium Isolation

Prevents other origins from reading your resources.

Cross-Origin-Resource-Policy: same-origin

πŸ’‘ Use same-site for most resources.

MDN Docs β†’

Cross-Origin-Embedder-Policy

Medium Isolation

Prevents loading cross-origin resources without explicit permission.

Cross-Origin-Embedder-Policy: require-corp

πŸ’‘ Required for cross-origin isolation.

MDN Docs β†’

Cache-Control

High Caching

Directives for caching mechanisms in both requests and responses.

Cache-Control: no-store, no-cache, must-revalidate

πŸ’‘ Use no-store for sensitive data to prevent caching.

MDN Docs β†’

Clear-Site-Data

Medium Privacy

Clears browsing data (cookies, storage, cache) associated with the site.

Clear-Site-Data: "cache", "cookies", "storage"

πŸ’‘ Use on logout pages to clear all user data.

MDN Docs β†’

Content-Type

High MIME Type

Indicates the media type of the resource.

Content-Type: text/html; charset=utf-8

πŸ’‘ Always include charset for text content.

MDN Docs β†’

X-DNS-Prefetch-Control

Low Performance

Controls DNS prefetching, which can leak privacy info.

X-DNS-Prefetch-Control: off

πŸ’‘ Set to off for privacy-sensitive applications.

MDN Docs β†’

X-Download-Options

Low Download

Prevents IE from executing downloads in the site's context.

X-Download-Options: noopen

πŸ’‘ Use noopen for IE security.

MDN Docs β†’

X-Permitted-Cross-Domain-Policies

Low Cross-Domain

Controls Adobe Flash and PDF cross-domain policies.

X-Permitted-Cross-Domain-Policies: none

πŸ’‘ Set to none unless using Flash or PDF embedding.

MDN Docs β†’

Expect-CT

Low Certificate Transparency

Allows sites to opt in to Certificate Transparency requirements. (Deprecated)

Expect-CT: max-age=86400, enforce

πŸ’‘ Now enforced by default in Chrome. May be removed soon.

MDN Docs β†’

Origin-Agent-Cluster

Low Isolation

Hints that the document should be placed in an origin-keyed agent cluster.

Origin-Agent-Cluster: ?1

πŸ’‘ Improves isolation for sites with subdomains.

MDN Docs β†’

Features

  • Comprehensive reference for all HTTP security headers
  • Description, risk level, and recommended value for each header
  • Search and filter by header name or category
  • Framework-specific implementation examples (Nginx, Express, Apache, Cloudflare)
  • Compatibility table showing browser support
  • Copy header value or implementation snippet with one click

Common Use Cases

  • Audit which security headers your server is missing
  • Look up the correct syntax for a specific security header
  • Understand the security implications of each header
  • Generate a baseline security header configuration for a new application
  • Prepare for a security review or penetration test

HTTP Security Headers

HTTP security headers are response headers that instruct browsers to enable or restrict specific behaviors, reducing your app's attack surface. They are one of the easiest wins in web security β€” requiring no code changes, only server configuration.

Key headers include: Strict-Transport-Security (forces HTTPS), Content-Security-Policy (prevents XSS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy (controls the Referer header), and Permissions-Policy (controls browser feature access).

Tools like securityheaders.com grade your live site's header configuration. Aim for an A+ grade as a baseline security hygiene standard.

Examples

Valid - HSTS (force HTTPS)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Valid - X-Content-Type-Options
X-Content-Type-Options: nosniff
Valid - Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin

Frequently Asked Questions

What is the most important security header to add first?

Strict-Transport-Security (HSTS) is the highest impact single header β€” it forces browsers to always use HTTPS for your domain, preventing protocol downgrade attacks and cookie hijacking. Set max-age=31536000; includeSubDomains after verifying your entire site is HTTPS-capable.

What does X-Content-Type-Options: nosniff do?

It prevents browsers from "MIME sniffing" β€” guessing the content type of a response and potentially executing a file as a different type than intended. For example, without this header, a browser might execute a text file containing JavaScript. Always include it.

Is X-XSS-Protection still useful?

X-XSS-Protection is a legacy header for an old IE browser filter. Modern browsers have removed it, and in some configurations it could introduce vulnerabilities. Do not rely on it β€” use a strong Content-Security-Policy instead. If you must set it for legacy browsers, use 1; mode=block.

What is Permissions-Policy?

Permissions-Policy (formerly Feature-Policy) lets you control access to browser APIs and hardware features like camera, microphone, geolocation, payment, and full-screen. Restrict what your app doesn't use: Permissions-Policy: camera=(), microphone=(), geolocation=().

πŸ’‘ Tips

  • Use the <a href="https://securityheaders.com" class="text-primary">SecurityHeaders.com</a> scanner to grade your live site's current header configuration.
  • Add security headers at the reverse proxy or CDN layer (Nginx, Cloudflare) so they apply to all responses without touching application code.
  • The <code>Permissions-Policy</code> header defaults to allowing everything β€” explicitly deny APIs your app doesn't use.
  • HSTS with <code>preload</code> enrolls your domain in browser preload lists. Test thoroughly before enabling it β€” it's difficult to reverse.