Headers Checklist
Secure headers implementation checklist. Framework-specific snippets for NGINX, Apache, Node. Security headers setup guide.
Content-Security-Policy
RequiredDefines approved sources of content. Prevents XSS and data injection.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
Strict-Transport-Security
RequiredForces HTTPS connections. Protects against protocol downgrade attacks.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
X-Content-Type-Options
RequiredPrevents MIME type sniffing. Always set to nosniff.
add_header X-Content-Type-Options "nosniff";
X-Frame-Options
RequiredPrevents clickjacking by controlling iframe embedding.
add_header X-Frame-Options "DENY";
Referrer-Policy
OptionalControls how much referrer info is sent with requests.
add_header Referrer-Policy "strict-origin-when-cross-origin";
Permissions-Policy
OptionalControls browser features like camera, microphone, geolocation.
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";
Cross-Origin-Opener-Policy
OptionalIsolates document from cross-origin windows.
add_header Cross-Origin-Opener-Policy "same-origin";
Cross-Origin-Embedder-Policy
OptionalPrevents loading cross-origin resources without permission.
add_header Cross-Origin-Embedder-Policy "require-corp";
Features
- Step-by-step security header implementation checklist
- Framework-specific code snippets: Express, Nginx, Apache, Cloudflare Workers, Fastify
- Priority ordering — implement the highest-impact headers first
- Mark headers as done to track audit progress
- Copy implementation code for your chosen framework
- Links to official documentation for each header
Common Use Cases
- Conduct a security header audit for an existing application
- Implement security headers on a new project from day one
- Track header implementation progress across a codebase
- Generate a framework-specific security header boilerplate
- Prepare for a web application security assessment
Security Header Implementation
Knowing which security headers exist is only half the battle — the other half is knowing how to add them to your specific stack. The implementation syntax differs across frameworks:
- Nginx:
add_headerdirective in the server or location block - Express/Node: use the
helmetpackage orres.setHeader()in middleware - Apache:
Header setin.htaccessor httpd.conf (requires mod_headers) - Cloudflare Workers: modify headers in the
Responseobject - Next.js: configure in
next.config.jsunder theheaders()function
This checklist provides copy-paste snippets for each framework so you can implement headers correctly without looking up syntax for each one.
Examples
import helmet from "helmet";
app.use(helmet());add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;// next.config.js
headers: () => [{ source: "/**", headers: [...] }]Frequently Asked Questions
Prefer adding them at the reverse proxy or CDN layer (Nginx, Cloudflare, ALB). This applies headers to all responses (including static files and error pages) without touching application code. Application-level headers (e.g., via Helmet in Express) are also fine but require code changes and may miss edge cases.
Helmet is a popular Node.js middleware that sets many security headers in one line: app.use(helmet()). It configures HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and others. It also provides individual sub-modules for fine-grained control (e.g., helmet.contentSecurityPolicy()).
Open browser DevTools → Network tab → select your page request → look at the Response Headers panel. Or use the curl -I https://yoursite.com command to view response headers in the terminal. For a comprehensive grade, use securityheaders.com.
💡 Tips
- Start with the "easy wins": <code>X-Content-Type-Options: nosniff</code>, <code>X-Frame-Options: DENY</code>, and <code>Referrer-Policy: strict-origin-when-cross-origin</code> can be added in minutes.
- Use the Helmet.js npm package for Node.js apps — it sets 10+ headers securely with sensible defaults in a single line.
- After implementation, re-run your security scanner (Burp Suite, OWASP ZAP, or securityheaders.com) to confirm headers are delivered correctly.