Headers Checklist

Headers Checklist

Secure headers implementation checklist. Framework-specific snippets for NGINX, Apache, Node. Security headers setup guide.

Framework:
Environment:
0/8 implemented (0/4 required)

Content-Security-Policy

Required

Defines approved sources of content. Prevents XSS and data injection.

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";

Strict-Transport-Security

Required

Forces HTTPS connections. Protects against protocol downgrade attacks.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

X-Content-Type-Options

Required

Prevents MIME type sniffing. Always set to nosniff.

add_header X-Content-Type-Options "nosniff";

X-Frame-Options

Required

Prevents clickjacking by controlling iframe embedding.

add_header X-Frame-Options "DENY";

Referrer-Policy

Optional

Controls how much referrer info is sent with requests.

add_header Referrer-Policy "strict-origin-when-cross-origin";

Permissions-Policy

Optional

Controls browser features like camera, microphone, geolocation.

add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";

Cross-Origin-Opener-Policy

Optional

Isolates document from cross-origin windows.

add_header Cross-Origin-Opener-Policy "same-origin";

Cross-Origin-Embedder-Policy

Optional

Prevents loading cross-origin resources without permission.

add_header Cross-Origin-Embedder-Policy "require-corp";

Features

  • Step-by-step security header implementation checklist
  • Framework-specific code snippets: Express, Nginx, Apache, Cloudflare Workers, Fastify
  • Priority ordering — implement the highest-impact headers first
  • Mark headers as done to track audit progress
  • Copy implementation code for your chosen framework
  • Links to official documentation for each header

Common Use Cases

  • Conduct a security header audit for an existing application
  • Implement security headers on a new project from day one
  • Track header implementation progress across a codebase
  • Generate a framework-specific security header boilerplate
  • Prepare for a web application security assessment

Security Header Implementation

Knowing which security headers exist is only half the battle — the other half is knowing how to add them to your specific stack. The implementation syntax differs across frameworks:

  • Nginx: add_header directive in the server or location block
  • Express/Node: use the helmet package or res.setHeader() in middleware
  • Apache: Header set in .htaccess or httpd.conf (requires mod_headers)
  • Cloudflare Workers: modify headers in the Response object
  • Next.js: configure in next.config.js under the headers() function

This checklist provides copy-paste snippets for each framework so you can implement headers correctly without looking up syntax for each one.

Examples

Valid - Express (helmet)
import helmet from "helmet";
app.use(helmet());
Valid - Nginx snippet
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Valid - Next.js config
// next.config.js
headers: () => [{ source: "/**", headers: [...] }]

Frequently Asked Questions

Should I add security headers in the app or at the load balancer?

Prefer adding them at the reverse proxy or CDN layer (Nginx, Cloudflare, ALB). This applies headers to all responses (including static files and error pages) without touching application code. Application-level headers (e.g., via Helmet in Express) are also fine but require code changes and may miss edge cases.

What is the Helmet.js library?

Helmet is a popular Node.js middleware that sets many security headers in one line: app.use(helmet()). It configures HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and others. It also provides individual sub-modules for fine-grained control (e.g., helmet.contentSecurityPolicy()).

How do I verify my headers are set correctly?

Open browser DevTools → Network tab → select your page request → look at the Response Headers panel. Or use the curl -I https://yoursite.com command to view response headers in the terminal. For a comprehensive grade, use securityheaders.com.

💡 Tips

  • Start with the "easy wins": <code>X-Content-Type-Options: nosniff</code>, <code>X-Frame-Options: DENY</code>, and <code>Referrer-Policy: strict-origin-when-cross-origin</code> can be added in minutes.
  • Use the Helmet.js npm package for Node.js apps — it sets 10+ headers securely with sensible defaults in a single line.
  • After implementation, re-run your security scanner (Burp Suite, OWASP ZAP, or securityheaders.com) to confirm headers are delivered correctly.