What are HTTP Security Headers?
HTTP Security Headers are response headers that tell browsers how to behave when handling your site's content. They protect against:
- XSS (Cross-Site Scripting): Content-Security-Policy restricts which sources may load scripts and blocks inline script execution
- Clickjacking: X-Frame-Options prevents your site from being embedded in iframes on other sites
- MITM Attacks: Strict-Transport-Security forces browsers to use HTTPS connections to your site
- MIME Sniffing: X-Content-Type-Options stops the browser from guessing a content type that differs from the declared one
- Information Leakage: Referrer-Policy controls what referrer information is sent when users navigate to other sites
A website without proper security headers is vulnerable to multiple attack vectors, even if the code itself is secure.
Essential Security Headers Reference
- Content-Security-Policy: Defines allowed sources for scripts, styles, images and other resources. Prevents XSS attacks.
- Strict-Transport-Security: Forces HTTPS for the specified max-age duration. Prevents SSL stripping attacks.
- X-Frame-Options: Controls iframe embedding. Prevents clickjacking attacks.
- X-Content-Type-Options: Prevents MIME type sniffing. Should be set to "nosniff".
- Referrer-Policy: Controls the referrer information sent with requests. Protects user privacy.
- Permissions-Policy: Controls browser features (camera, microphone, geolocation). Reduces attack surface.