Security · 2026-05-31 · 3 min read

HTTP Security Headers: Protect Your Website

What Are HTTP Security Headers?

HTTP security headers are response headers that instruct browsers how to behave when handling your site's content. They add an extra layer of security by preventing common attacks like XSS, clickjacking, and MIME sniffing.

Essential Security Headers

1. Content-Security-Policy (CSP)

CSP controls which resources the browser is allowed to load. It's the most powerful defense against XSS attacks.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'

Key directives:

  • default-src: Fallback for all resource types
  • script-src: Allowed JavaScript sources
  • style-src: Allowed CSS sources
  • img-src: Allowed image sources
  • connect-src: Allowed AJAX/WebSocket connections
  • frame-src: Allowed iframe sources
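The fallback rule above is easy to misread, so here is a small parser, added as an example and not code from the original article, that splits a policy into directives, resolves the effective source list for a resource type (falling back to default-src only for fetch directives), and flags weak script-src sources. The directive sets and the weak-source list are this example's own choices; EXAMPLE_POLICY is the header value shown above.

```javascript
// Added example, not code from the original article: parse a CSP header value,
// resolve the effective source list for a resource type using the default-src
// fallback, and flag weak script-src sources.

// Fetch directives that fall back to default-src when they are absent.
// Directives such as frame-ancestors, base-uri and form-action do not.
const FETCH_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src', 'frame-src',
  'font-src', 'media-src', 'object-src', 'child-src', 'worker-src', 'manifest-src',
]);

// Parse "dir1 src src; dir2 src" into { dir1: [src, src], dir2: [src] }.
// Directive names are case-insensitive; on a duplicated directive the browser
// keeps the first occurrence, so this parser does the same.
function parseCsp(headerValue) {
  const policy = Object.create(null);
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Effective source list for a directive: the directive itself when present,
// otherwise default-src for fetch directives, otherwise null (no restriction).
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (FETCH_DIRECTIVES.has(directive) && 'default-src' in policy) return policy['default-src'];
  return null;
}

// Source expressions that largely undo the XSS protection CSP gives script-src.
const WEAK_SCRIPT_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:']);

function scriptSrcFindings(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return ['script-src is unrestricted: neither script-src nor default-src is set'];
  return sources
    .filter((src) => WEAK_SCRIPT_SOURCES.has(src.toLowerCase()))
    .map((src) => `script-src allows ${src}`);
}

// The policy from the article, walked through: script-src is explicit, img-src
// falls back to default-src, frame-ancestors has no fallback, and
// 'unsafe-inline' in style-src does not weaken script-src.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'";

function demo() {
  const policy = parseCsp(EXAMPLE_POLICY);
  return {
    scriptSrc: effectiveSources(policy, 'script-src'),
    imgSrc: effectiveSources(policy, 'img-src'),
    frameAncestors: effectiveSources(policy, 'frame-ancestors'),
    findings: scriptSrcFindings(policy),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with Node; the output shows img-src inheriting 'self' from default-src while frame-ancestors stays unrestricted, which is why clickjacking protection needs its own directive (or X-Frame-Options) rather than relying on default-src.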

2. Strict-Transport-Security (HSTS)

Forces browsers to always use HTTPS, preventing protocol downgrade attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • max-age: How long (in seconds) the browser remembers to use HTTPS; 1 year = 31536000
  • includeSubDomains: Apply the rule to all subdomains
  • preload: Marks the site for submission to the browser preload list

3. X-Frame-Options

Prevents your site from being embedded in iframes (clickjacking protection).

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

4. X-Content-Type-Options

Prevents browsers from MIME-sniffing content types, reducing drive-by download attacks.

X-Content-Type-Options: nosniff

5. Referrer-Policy

Controls how much referrer information is sent with requests.

Referrer-Policy: strict-origin-when-cross-origin

Options: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url

6. Permissions-Policy

Controls which browser features your site can use (camera, microphone, geolocation).

Permissions-Policy: camera=(), microphone=(), geolocation=(self)

Check Your Headers: HTTP Headers Checker

Use our HTTP Headers Checker to analyze your site's response headers and identify missing security protections.

Implementation Examples

Nginx

add_header Content-Security-Policy "default-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache (.htaccess)

Header always set Content-Security-Policy "default-src 'self'"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Express.js

const helmet = require('helmet');
app.use(helmet());

Security Header Scoring

| Header | Impact | Priority |
|--------|--------|----------|
| Content-Security-Policy | High | Must have |
| Strict-Transport-Security | High | Must have |
| X-Frame-Options | Medium | Recommended |
| X-Content-Type-Options | Medium | Recommended |
| Referrer-Policy | Low | Nice to have |
| Permissions-Policy | Low | Nice to have |

Tools for Testing and Development

Common Mistakes

  1. CSP too restrictive: Blocking your own scripts or third-party services
  2. Missing HSTS preload: Not submitting to the preload list after testing
  3. X-Frame-Options + CSP conflict: Use frame-ancestors in CSP instead
  4. Forgetting always in Nginx: Headers only sent on 200 responses without it
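To turn the scoring table and the mistakes above into something checkable, here is a header audit added as an example (it is not the article's code and not the HTTP Headers Checker's implementation). It weights the six headers by the table's Impact column (High = 3, Medium = 2, Low = 1, a mapping chosen for this example), checks HSTS max-age and preload prerequisites, and reports X-Frame-Options as redundant when the CSP already carries frame-ancestors. The two header sets are constructed: the first mirrors the Nginx snippet above, the second is a deliberately weak configuration.

```javascript
// Added example, not the article's or any tool's own code: audit a response's
// security headers against the scoring table and the common mistakes.

// Weights: High = 3, Medium = 2, Low = 1 (an assumption of this example).
const HEADER_WEIGHTS = {
  'content-security-policy': 3,
  'strict-transport-security': 3,
  'x-frame-options': 2,
  'x-content-type-options': 2,
  'referrer-policy': 1,
  'permissions-policy': 1,
};
const ONE_YEAR = 31536000;

// HTTP header names are case-insensitive, so compare on lowercase keys.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// Parse "max-age=31536000; includeSubDomains; preload" into its parts.
function parseHsts(value) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(value);
  return {
    maxAge: m ? Number(m[1]) : null,
    includeSubDomains: /(^|;)\s*includeSubDomains\s*(;|$)/i.test(value),
    preload: /(^|;)\s*preload\s*(;|$)/i.test(value),
  };
}

function auditHeaders(rawHeaders) {
  const h = normaliseHeaders(rawHeaders);
  const findings = [];
  const maxScore = Object.values(HEADER_WEIGHTS).reduce((a, b) => a + b, 0);
  let score = 0;

  for (const [name, weight] of Object.entries(HEADER_WEIGHTS)) {
    if (name in h) score += weight;
    else findings.push(`missing ${name}`);
  }

  // HSTS: a max-age below one year is weak, and the preload list requires
  // includeSubDomains together with a max-age of at least one year.
  if ('strict-transport-security' in h) {
    const hsts = parseHsts(h['strict-transport-security']);
    if (hsts.maxAge === null) findings.push('HSTS has no max-age');
    else if (hsts.maxAge < ONE_YEAR) findings.push(`HSTS max-age ${hsts.maxAge} is below one year`);
    if (hsts.preload && (!hsts.includeSubDomains || hsts.maxAge === null || hsts.maxAge < ONE_YEAR)) {
      findings.push('HSTS preload requires includeSubDomains and max-age >= 1 year');
    }
  }

  // X-Content-Type-Options has exactly one meaningful value.
  if ('x-content-type-options' in h && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options must be "nosniff"');
  }

  // Mistake 3: when CSP frame-ancestors is present, browsers that support it
  // ignore X-Frame-Options, so keeping both invites conflicting policies.
  const csp = h['content-security-policy'] || '';
  if (/(^|;)\s*frame-ancestors\b/i.test(csp) && 'x-frame-options' in h) {
    findings.push('X-Frame-Options is redundant with CSP frame-ancestors, which takes precedence');
  }

  return { score, maxScore, findings };
}

// Constructed sample: the headers the article's Nginx snippet would emit.
const NGINX_EXAMPLE_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Constructed sample: a weak configuration exhibiting several of the mistakes.
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=300; preload',
  'X-Frame-Options': 'DENY',
};

console.log(auditHeaders(NGINX_EXAMPLE_HEADERS));
console.log(auditHeaders(WEAK_HEADERS));
```

The Nginx-derived set scores 11 of 12 with only Permissions-Policy missing; the weak set scores 8 and collects the HSTS and frame-ancestors findings. Feeding the function the headers returned by a real response object (for example the plain object Node's http client exposes) gives the same report for a live site.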

Conclusion

HTTP security headers are a critical defense layer. Test your headers with our HTTP Headers Checker and reference the HTTP Status Codes for complete API understanding.
