Search 110+ free tools… (e.g. json, vpn, password) ⌘K
Link Tools Dereferer Hide Referrer Link URL Shortener Affiliate Cloaker PayPal Links PayPal DonationPayPal Links Privacy Tools Password Generator Cloudflare Resolver My Referrer Torrent Tools Magnet → Torrent Torrent → Magnet Torrent Editor Pirate Bay Proxies Movierulz Proxies ExtraTorrent Proxies Dev Tools Base64 Encoder Hash Generator HTTP Headers Disposable Email Checker Company Blog About Us Contact Anonymize Free
Tutorials

HTTP Security Headers Explained: Complete Guide (A-F Grade)

JAY
Author
Jun 4, 2026 · 2 min read · 74 views
HTTP Security Headers Explained: Complete Guide (A-F Grade)

HTTP security headers protect your website from XSS, clickjacking, data injection and more. Here is what each header does and how to get an A grade.

HTTP security headers are lines your web server adds to every response telling browsers how to behave when handling your content. They block entire categories of attacks — for free. Most sites have none of them configured.

Check Your Headers Now

Use Anonymiz HTTP Security Headers Checker to scan any domain and see which headers are present and which are missing. It grades your site from A to F.

The Essential Headers

Strict-Transport-Security (HSTS)

Forces browsers to only connect via HTTPS for a specified period. Prevents SSL stripping attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (CSP)

The most powerful header. Defines which sources of scripts, styles, images and other resources the browser is allowed to load. Blocks XSS attacks at the browser level.

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-xyz'

X-Frame-Options

Prevents your page from being embedded in an iframe on another site (clickjacking protection).

X-Frame-Options: DENY

X-Content-Type-Options

Stops browsers from MIME-sniffing responses. Prevents drive-by downloads disguised as a different content type.

X-Content-Type-Options: nosniff

Referrer-Policy

Controls what referrer information is sent with outbound requests.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls access to browser features like camera, microphone, geolocation and payment APIs.

Permissions-Policy: camera=(), microphone=(), geolocation=()

How to Add Headers in Apache (.htaccess)

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"

How to Add Headers in Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;

Getting an A Grade

To score an A on the security headers checker, you need at minimum: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Most shared hosting supports these via .htaccess or server config.

🔒
SSL Certificate Checker

Check any domain SSL certificate expiry, chain validity and security grade instantly.

Check SSL Certificate →
# Tutorials
Share on X
Rate this article
Your rating is stored anonymously. You can rate once per post.
Written by
JAY
JAY founded Anonymiz in 2013 and has personally built and maintained every one of its 110+ privacy and web utility tools since — from the referrer-stripping dereferer engine to the DNS leak and WebRTC leak testers. All technical infrastructure, tool logic, and site content are handled directly, with

Related Articles

Pirate Bay Proxy List 2026: Working TPB Mirror Sites Updated Daily
Jul 4, 2026 · JAY
Certificate Key Matcher: How to Check If Your SSL Certificate Matches Its Private Key
Jul 3, 2026 · JAY
How to Check HTTP Headers of Any Website
Jun 4, 2026 · JAY
← Back to Blog
Done!