Security headers are a quick win for web application security: a handful of HTTP response headers that tell the browser to enforce protections on the user's side, such as refusing plain HTTP, restricting where scripts may load from, and refusing to be framed. They reduce the impact of bugs in the application; they do not replace fixing those bugs.
Essential Headers
| Header | What it does |
|---|---|
| Content-Security-Policy | Restricts where scripts, styles and other resources may load from; mitigates XSS and data injection |
| Strict-Transport-Security | Tells the browser to use HTTPS only for this host (and optionally its subdomains) |
| X-Frame-Options | Prevents clickjacking by restricting framing (superseded by CSP frame-ancestors in modern browsers) |
| X-Content-Type-Options | Prevents MIME sniffing, so a response is interpreted only as its declared Content-Type |
| Referrer-Policy | Controls what referrer information leaves the site in outgoing requests |
| Permissions-Policy | Restricts browser features (geolocation, camera, ...) the page and its iframes may use |
Nginx Configuration
```nginx
# Put these in the HTTPS server block: browsers ignore HSTS received over
# plain HTTP. "always" sends the header on error responses (4xx/5xx) too,
# not only on 2xx/3xx.
server {
    # HTTPS only: one year, covering subdomains
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # XSS mitigation via CSP: same-origin scripts only, no inline script
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
    # Clickjacking protection (CSP frame-ancestors supersedes this in modern browsers)
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Disable MIME type sniffing
    add_header X-Content-Type-Options "nosniff" always;
    # Referrer: full URL same-origin, origin only cross-origin, nothing on HTTPS -> HTTP
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Permissions-Policy (successor to Feature-Policy): deny features the site does not use
    add_header Permissions-Policy "geolocation=(), camera=()" always;

    # Caveat: add_header is inherited only by location blocks that set no
    # add_header of their own. A location that adds even one header drops
    # all of the above for its responses, so repeat them there (an include
    # file keeps the list in one place).
}
```
Content Security Policy
```http
# Nonce-based ("strict") CSP example. The header is one line on the wire;
# it is wrapped here for readability. 'nonce-random123' is a placeholder:
# the value must be fresh and unguessable for every response (16+ random
# bytes, base64) and must match the nonce attribute of each allowed <script>.
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-random123';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  font-src 'self' fonts.gstatic.com;
  connect-src 'self' api.example.com;
  object-src 'none';
  base-uri 'self';
  frame-ancestors 'none';
# style-src 'unsafe-inline' and img-src https: are deliberate concessions; tighten
# them if the app allows. object-src 'none' and base-uri 'self' close the plugin
# and <base>-tag bypasses that a strict policy has to cover.
```
Quick Test
Use securityheaders.com to grade your site's security headers and aim for an A+ rating, but treat the grade as a presence check, not a correctness check: a CSP that earns an A+ can still allow 'unsafe-inline' scripts, or block resources your own pages need. Confirm with `curl -sI https://your-site/` that the headers actually reach the client, including on error pages and on paths served by their own location blocks, and roll out a new policy as Content-Security-Policy-Report-Only first so violations are reported before anything is blocked.
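The following is an added example, not code from the original post, serving both the CSP section and this Quick Test. It is a small POSIX shell script that generates a fresh per-response nonce and assembles the nonce-based policy described above, and that lints raw response headers (the output of `curl -sI`) for the weaknesses a presence-only grade misses: a short HSTS max-age, `'unsafe-inline'` in script-src without a nonce or hash, a missing object-src, and no framing restriction. The two sample responses are constructed for the example, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. gen_nonce/build_csp produce
# a per-response nonce-based policy; lint_headers checks header values rather
# than mere presence. Sample responses at the bottom are constructed, not
# captured from any real server.

# One fresh nonce per HTTP response: 16 random bytes, base64 (24 characters).
# A fixed string such as 'nonce-random123' gives no protection at all.
gen_nonce() {
    head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# Nonce-based CSP value with the fallbacks a strict policy needs.
build_csp() {
    printf "default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" "$1"
}

# Helpers for lint_headers: $hdrs holds normalised "name: value" lines,
# $n counts findings.
get_header() { printf '%s\n' "$hdrs" | sed -n "s/^$1: //p" | head -n 1; }
finding()    { printf 'FINDING: %s\n' "$1"; n=$((n + 1)); }

# lint_headers: read raw response headers (e.g. from `curl -sI URL`) on stdin,
# print one FINDING line per weakness, return the number of findings.
lint_headers() {
    n=0
    # Drop CRs, keep "Name: value" lines only, lowercase the name.
    hdrs=$(awk '{ sub(/\r$/, "") }
                /^[A-Za-z-]+: / { i = index($0, ": ")
                                  print tolower(substr($0, 1, i - 1)) ":" substr($0, i + 1) }')

    for h in strict-transport-security content-security-policy \
             x-content-type-options referrer-policy permissions-policy; do
        [ -n "$(get_header "$h")" ] || finding "missing $h"
    done

    # HSTS: a short max-age keeps the downgrade window open.
    hsts=$(get_header strict-transport-security)
    if [ -n "$hsts" ]; then
        age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 31536000 ] || finding "hsts max-age '${age:-unset}' is below one year"
    fi

    csp=$(get_header content-security-policy)
    if [ -n "$csp" ]; then
        script_src=$(printf '%s' "$csp" | tr ';' '\n' | sed -n 's/^ *script-src *//p')
        # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'
        # (it is then only a fallback for old browsers), so that case is fine.
        case "$script_src" in
            *"'nonce-"*|*"'sha256-"*|*"'sha384-"*|*"'sha512-"*) ;;
            *"'unsafe-inline'"*) finding "script-src allows 'unsafe-inline' without a nonce or hash" ;;
        esac
        case "$csp" in
            *object-src*) ;;
            *) finding "no object-src directive (add object-src 'none')" ;;
        esac
    fi

    # Clickjacking: CSP frame-ancestors or, failing that, X-Frame-Options.
    case "$csp" in
        *frame-ancestors*) ;;
        *) [ -n "$(get_header x-frame-options)" ] || \
               finding "no clickjacking protection (frame-ancestors or x-frame-options)" ;;
    esac

    xcto=$(get_header x-content-type-options)
    [ -z "$xcto" ] || [ "$xcto" = "nosniff" ] || finding "x-content-type-options is '$xcto', expected nosniff"

    return $n
}

# Constructed sample responses (placeholders, not real captures).
GOOD_RESPONSE="HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-Q5mNq9bF3vJc2xS8wY1zTg=='; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()"

WEAK_RESPONSE="HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff"

echo "== well-configured response =="
printf '%s\n' "$GOOD_RESPONSE" | lint_headers; echo "($? findings)"
echo "== weak response =="
printf '%s\n' "$WEAK_RESPONSE" | lint_headers; echo "($? findings)"
echo "== fresh nonce-based CSP =="
build_csp "$(gen_nonce)"; echo
```

Against a live site, replace the sample with `curl -sI https://your-site/ | lint_headers`; run it against an error page and against a path served by its own nginx location block as well, since those are where headers most often go missing.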
December 2024