
HTTP Security Headers Explained: Complete Guide (A-F Grade)

Author: JAY
Jun 4, 2026

HTTP security headers protect your website from XSS, clickjacking, data injection and more. Here is what each header does and how to get an A grade.

HTTP security headers are lines your web server adds to every response telling browsers how to behave when handling your content. They block entire categories of attacks — for free. Most sites have none of them configured.

Check Your Headers Now

Use the Anonymiz HTTP Security Headers Checker to scan any domain and see which headers are present and which are missing. It grades your site from A to F.

The Essential Headers

Strict-Transport-Security (HSTS)

Forces browsers to connect only via HTTPS for the period given in max-age (in seconds). Prevents SSL stripping attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (CSP)

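The most powerful header. Defines which sources of scripts, styles, images and other resources the browser is allowed to load. Blocks XSS attacks at the browser level. In the example below, 'nonce-xyz' stands in for a random value that the server must generate fresh for every response; a fixed nonce gives no protection.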

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-xyz'

X-Frame-Options

Prevents your page from being embedded in an iframe on another site (clickjacking protection).

X-Frame-Options: DENY

X-Content-Type-Options

Stops browsers from MIME-sniffing responses. Prevents drive-by downloads disguised as a different content type.

X-Content-Type-Options: nosniff

Referrer-Policy

Controls what referrer information is sent with outbound requests.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls access to browser features like camera, microphone, geolocation and payment APIs.

Permissions-Policy: camera=(), microphone=(), geolocation=()

How to Add Headers in Apache (.htaccess)

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"

How to Add Headers in Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;

Getting an A Grade

To score an A on the security headers checker, you need at minimum: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Most shared hosting supports these via .htaccess or server config.
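The six-header minimum above can be checked offline against a saved response head. This is an added example, not the Anonymiz checker's own code: the function names, the sample response and the one-year HSTS threshold are assumptions, and it reports missing and weak headers rather than reproducing the A-F scale.

```python
import re

# The six headers the article names as the minimum for an A grade.
REQUIRED = ("strict-transport-security content-security-policy x-frame-options "
            "x-content-type-options referrer-policy permissions-policy").split()

# Constructed sample response head (not captured from a real site).
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: value}."""
    head = re.split(r"\r?\n\r?\n", raw.strip())[0]  # drop any body
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def script_sources(csp):
    """Sources that govern scripts: script-src, else default-src, else None."""
    directives = {}
    for tokens in (part.split() for part in csp.split(";")):
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("script-src", directives.get("default-src"))

def audit(raw):
    """Return (missing, weak): absent headers and weak values of present ones."""
    h, weak = parse_headers(raw), []
    missing = [name for name in REQUIRED if name not in h]
    if "strict-transport-security" in h:
        m = re.search(r'max-age="?(\d+)', h["strict-transport-security"], re.I)
        if not m or int(m.group(1)) < 31536000:  # assumed threshold: one year
            weak.append("hsts: max-age below 31536000")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("x-frame-options: not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        weak.append("x-content-type-options: not nosniff")
    if "content-security-policy" in h:
        src = script_sources(h["content-security-policy"])
        if src is None:
            weak.append("csp: no script-src or default-src")
        elif "'unsafe-inline'" in src and not any(s.startswith(("'nonce-", "'sha")) for s in src):
            weak.append("csp: script-src allows 'unsafe-inline'")
    return missing, weak
```

For the sample, audit(SAMPLE) reports Referrer-Policy and Permissions-Policy as missing and flags both the short HSTS max-age and the 'unsafe-inline' script source, so a header being present is not the same as it being effective.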
