Why HTTP Security Headers Matter
HTTP security headers are directives your web server sends with every response that tell browsers how to behave. They prevent XSS attacks, clickjacking, protocol downgrade attacks, and data leakage — all without changing a single line of your application code. Check your current headers: HTTP Headers Checker
The Essential Security Headers
1. Strict-Transport-Security (HSTS)
Forces browsers to always use HTTPS, even if the user types http:// in the address bar.
Correct value: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
What each part means:
max-age=31536000 — remember this for 1 year (in seconds)
includeSubDomains — apply to all subdomains too
preload — submit to browser preload lists (HTTPS only, forever)
Common mistake: Setting too short a max-age (like 300) means browsers forget quickly and are vulnerable to downgrade attacks.
2. Content-Security-Policy (CSP)
The most powerful security header. Controls which resources (scripts, styles, images, fonts) the browser is allowed to load.
Strict example: Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'
Note that the keywords self and unsafe-inline must be single-quoted: written without quotes, the browser treats them as host names and the policy does not allow your own resources.
Why CSP matters: Prevents XSS attacks by blocking inline scripts and scripts from untrusted sources.
3. X-Frame-Options
Prevents your site from being embedded in an iframe on another site, blocking clickjacking attacks.
Correct value: X-Frame-Options: SAMEORIGIN
Use DENY if your site should never be in any iframe, or SAMEORIGIN to allow your own iframes.
4. X-Content-Type-Options
Prevents browsers from guessing (MIME-sniffing) the content type of a response. This stops attacks where a file uploaded as an image is executed as JavaScript.
Correct value: X-Content-Type-Options: nosniff
This is always the correct value. There is no reason to use anything else.
5. Referrer-Policy
Controls how much referrer information is sent when users click links on your site.
Recommended value: Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL for same-origin requests but only the origin for cross-origin requests. Full URLs can leak sensitive parameters.
6. Permissions-Policy
Controls which browser features (camera, microphone, geolocation) your site can use.
Restrictive example: Permissions-Policy: camera=(), microphone=(), geolocation=()
Implementation
Apache (.htaccess)
Use our .htaccess Generator to generate these rules automatically, or add manually:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Nginx
# "always" makes nginx send the header on error responses (4xx/5xx) as well;
# without it, add_header only applies to successful and redirect responses.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
Test Your Headers
Use our HTTP Headers Checker to see exactly which security headers your site currently sends and which are missing.
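As an added example (not the page's HTTP Headers Checker and not code from any project named above), the script below audits a set of response headers offline against the recommendations in sections 1 to 6: HSTS max-age of at least a year with includeSubDomains, properly quoted CSP keywords, a supported X-Frame-Options value, nosniff, a Referrer-Policy that does not leak full URLs cross-origin, and the presence of Permissions-Policy. The header dictionaries are constructed samples; to audit a live site, replace them with the headers returned by a request to it.

```python
"""Offline audit of HTTP response headers against the recommendations above.

Added example; the header dicts below are constructed samples, not real sites.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age the HSTS section recommends

# Referrer-Policy values that never send a full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip()
        match = re.fullmatch(r"max-age=(\d+)", directive, re.IGNORECASE)
        if match:
            max_age = int(match.group(1))
        elif directive.lower() == "includesubdomains":
            subdomains = True
        elif directive.lower() == "preload":
            preload = True
    return max_age, subdomains, preload


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (name -> value).

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        max_age, subdomains, preload = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS: max-age directive missing")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is shorter than one year")
        if not subdomains:
            findings.append("HSTS: includeSubDomains not set")
        if preload and not (subdomains and max_age is not None and max_age >= ONE_YEAR):
            findings.append("HSTS: preload requires includeSubDomains and max-age >= 1 year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # Keywords must be single-quoted; an unquoted "self" is parsed as a host
        # name, so the policy silently fails to allow the site's own resources.
        for keyword in ("self", "none", "unsafe-inline", "unsafe-eval"):
            if re.search(rf"(?<![\w'-]){keyword}(?![\w'-])", csp):
                findings.append(f"CSP: keyword {keyword} must be quoted as '{keyword}'")
        if "default-src" not in csp:
            findings.append("CSP: no default-src fallback directive")
        script_src = re.search(r"script-src([^;]*)", csp)
        if script_src and "'unsafe-inline'" in script_src.group(1):
            findings.append("CSP: script-src allows 'unsafe-inline', which re-enables inline-script XSS")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unsupported value {xfo!r}; use DENY or SAMEORIGIN")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: must be exactly nosniff")

    referrer = h.get("referrer-policy")
    if referrer is None:
        findings.append("Referrer-Policy: header missing")
    elif referrer.strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: {referrer!r} is not one of the recommended policies")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: header missing")

    return findings


# Constructed sample 1: several of the mistakes discussed above in one response.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src self; script-src self https://www.googletagmanager.com",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

# Constructed sample 2: the recommended values from the sections above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(f"== {label} ==")
        for finding in audit_headers(sample) or ["no findings"]:
            print(" -", finding)
```

Run as-is, the weak sample produces seven findings and the good sample none. The CSP keyword check is the one most worth keeping: a policy that says default-src self instead of default-src 'self' looks correct in a browser's network tab but blocks the site's own scripts, so this class of typo is usually found only when something breaks.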