Security Headers
A cheat sheet of HTTP security headers, each explained with examples.
Content-Security-Policy
Critical XSS PreventionDefines approved sources of content that browsers should load.
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com
π‘ Start with a report-only policy to test before enforcing.
MDN Docs βStrict-Transport-Security
Critical HTTPSForces browsers to only connect via HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
π‘ Include preload for browsers to enforce HTTPS from first visit.
MDN Docs βX-Content-Type-Options
High MIME SniffingPrevents browsers from MIME-sniffing a response away from declared content-type.
X-Content-Type-Options: nosniff
π‘ Always set this to nosniff.
MDN Docs βX-Frame-Options
High ClickjackingPrevents your page from being embedded in iframes.
X-Frame-Options: DENY
π‘ Use CSP frame-ancestors for more control.
MDN Docs βX-XSS-Protection
Low XSS PreventionConfigures the XSS filter built into browsers. (Deprecated)
X-XSS-Protection: 0
π‘ Set to 0 and rely on CSP instead. The XSS filter can introduce vulnerabilities.
MDN Docs βReferrer-Policy
Medium PrivacyControls how much referrer information is included with requests.
Referrer-Policy: strict-origin-when-cross-origin
π‘ Use strict-origin-when-cross-origin for a good balance.
MDN Docs βPermissions-Policy
Medium Feature ControlControls which browser features can be used.
Permissions-Policy: geolocation=(), microphone=(), camera=()
π‘ Disable features you don't use to reduce attack surface.
MDN Docs βCross-Origin-Opener-Policy
Medium IsolationIsolates your document from cross-origin windows.
Cross-Origin-Opener-Policy: same-origin
π‘ Required for SharedArrayBuffer and high-resolution timers.
MDN Docs βCross-Origin-Resource-Policy
Medium IsolationPrevents other origins from reading your resources.
Cross-Origin-Resource-Policy: same-origin
π‘ Use same-site for most resources.
MDN Docs βCross-Origin-Embedder-Policy
Medium IsolationPrevents loading cross-origin resources without explicit permission.
Cross-Origin-Embedder-Policy: require-corp
π‘ Required for cross-origin isolation.
MDN Docs βCache-Control
High CachingDirectives for caching mechanisms in both requests and responses.
Cache-Control: no-store, no-cache, must-revalidate
π‘ Use no-store for sensitive data to prevent caching.
MDN Docs βClear-Site-Data
Medium PrivacyClears browsing data (cookies, storage, cache) associated with the site.
Clear-Site-Data: "cache", "cookies", "storage"
π‘ Use on logout pages to clear all user data.
MDN Docs βContent-Type
High MIME TypeIndicates the media type of the resource.
Content-Type: text/html; charset=utf-8
π‘ Always include charset for text content.
MDN Docs βX-DNS-Prefetch-Control
Low PerformanceControls DNS prefetching, which can leak privacy info.
X-DNS-Prefetch-Control: off
π‘ Set to off for privacy-sensitive applications.
MDN Docs βX-Download-Options
Low DownloadPrevents IE from executing downloads in the site's context.
X-Download-Options: noopen
π‘ Use noopen for IE security.
MDN Docs βX-Permitted-Cross-Domain-Policies
Low Cross-DomainControls Adobe Flash and PDF cross-domain policies.
X-Permitted-Cross-Domain-Policies: none
π‘ Set to none unless using Flash or PDF embedding.
MDN Docs βExpect-CT
Low Certificate TransparencyAllows sites to opt in to Certificate Transparency requirements. (Deprecated)
Expect-CT: max-age=86400, enforce
π‘ Now enforced by default in Chrome. May be removed soon.
MDN Docs βOrigin-Agent-Cluster
Low IsolationHints that the document should be placed in an origin-keyed agent cluster.
Origin-Agent-Cluster: ?1
π‘ Improves isolation for sites with subdomains.
MDN Docs βFeatures
- Comprehensive reference for all HTTP security headers
- Description, risk level, and recommended value for each header
- Search and filter by header name or category
- Framework-specific implementation examples (Nginx, Express, Apache, Cloudflare)
- Compatibility table showing browser support
- Copy header value or implementation snippet with one click
Common Use Cases
- Audit which security headers your server is missing
- Look up the correct syntax for a specific security header
- Understand the security implications of each header
- Generate a baseline security header configuration for a new application
- Prepare for a security review or penetration test
HTTP Security Headers
HTTP security headers are response headers that instruct browsers to enable or restrict specific behaviors, reducing your app's attack surface. They are one of the easiest wins in web security β requiring no code changes, only server configuration.
Key headers include: Strict-Transport-Security (forces HTTPS), Content-Security-Policy (prevents XSS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy (controls the Referer header), and Permissions-Policy (controls browser feature access).
Tools like securityheaders.com grade your live site's header configuration. Aim for an A+ grade as a baseline security hygiene standard.
Examples
Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffReferrer-Policy: strict-origin-when-cross-originFrequently Asked Questions
Strict-Transport-Security (HSTS) is the highest impact single header β it forces browsers to always use HTTPS for your domain, preventing protocol downgrade attacks and cookie hijacking. Set max-age=31536000; includeSubDomains after verifying your entire site is HTTPS-capable.
It prevents browsers from "MIME sniffing" β guessing the content type of a response and potentially executing a file as a different type than intended. For example, without this header, a browser might execute a text file containing JavaScript. Always include it.
X-XSS-Protection is a legacy header for an old IE browser filter. Modern browsers have removed it, and in some configurations it could introduce vulnerabilities. Do not rely on it β use a strong Content-Security-Policy instead. If you must set it for legacy browsers, use 1; mode=block.
Permissions-Policy (formerly Feature-Policy) lets you control access to browser APIs and hardware features like camera, microphone, geolocation, payment, and full-screen. Restrict what your app doesn't use: Permissions-Policy: camera=(), microphone=(), geolocation=().
π‘ Tips
- Use the <a href="https://securityheaders.com" class="text-primary">SecurityHeaders.com</a> scanner to grade your live site's current header configuration.
- Add security headers at the reverse proxy or CDN layer (Nginx, Cloudflare) so they apply to all responses without touching application code.
- The <code>Permissions-Policy</code> header defaults to allowing everything β explicitly deny APIs your app doesn't use.
- HSTS with <code>preload</code> enrolls your domain in browser preload lists. Test thoroughly before enabling it β it's difficult to reverse.