HTTP security headers are response headers your web server sends with every page. They instruct the browser how to behave when handling your content — restricting which resources can be loaded, how your site can be framed, and what browser features are permitted. Correctly configured, they neutralise entire classes of attack without changing a single line of application code.
Why Security Headers Matter
Application firewalls and HTTPS encryption protect the transport layer, but they do nothing to prevent the browser from executing injected scripts, loading your site inside a malicious iframe, or leaking sensitive URLs to third-party analytics. Security headers close these browser-level gaps and are increasingly factored into automated security assessments and compliance audits.
Adding the headers costs almost nothing — typically a few lines in your server configuration — yet the protection they provide is significant. Organisations that score poorly on security header audits are considered lower-hanging fruit for automated scanners and targeted attacks.
The Major Security Headers at a Glance
| Header | Primary Purpose | Attack Mitigated |
|---|---|---|
| Strict-Transport-Security | Force HTTPS connections | Protocol downgrade, SSL stripping |
| Content-Security-Policy | Restrict resource loading origins | XSS, data injection, clickjacking |
| X-Frame-Options | Control iframe embedding | Clickjacking |
| X-Content-Type-Options | Prevent MIME type sniffing | MIME confusion attacks |
| Referrer-Policy | Control Referer header content | Information leakage |
| Permissions-Policy | Restrict browser feature access | Feature abuse, privacy violations |
| Cross-Origin-Opener-Policy | Isolate browsing context | Cross-origin attacks, Spectre |
| Cross-Origin-Embedder-Policy | Require CORS for embedded resources | Cross-origin data leaks |
Strict-Transport-Security (HSTS)
HSTS tells browsers to only connect to your site over HTTPS, even if the user types http:// or follows an HTTP link. The browser caches the policy for the duration set in max-age and, for that period, upgrades plain HTTP requests to HTTPS internally before any connection is made, so no insecure request ever leaves the browser.

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

The includeSubDomains flag extends the rule to all subdomains. The preload flag signals eligibility for the browser preload list, which enforces HTTPS even before the first visit. Learn more in the HSTS header guide.
Content-Security-Policy (CSP)
CSP is the most powerful security header. It gives you fine-grained control over every category of resource the browser is allowed to load. By allowlisting only the origins you trust, you prevent injected scripts from running and stop attackers from exfiltrating data to rogue servers.
```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'
```

CSP is complex to configure without breaking functionality. Start with the Content-Security-Policy-Report-Only header, which reports violations without blocking anything, review the reports, and tighten the policy progressively before switching to the enforcing header. See the full CSP explainer for details.
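To make the allowlisting semantics concrete, here is an added example (not code from the original article) that parses a CSP value and answers "would the browser load this resource?" for the policy shown above, including the rule that script-src, style-src, img-src, connect-src and font-src fall back to default-src when they are not set. The page origin https://www.example.com and the URLs tested are constructed; host matching is simplified (scheme, host, optional port, and *.host wildcards).

```python
from urllib.parse import urlsplit

FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src", "font-src"}  # fall back to default-src

def parse_csp(policy: str) -> dict:
    """Parse a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins; later duplicates are ignored
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def effective_sources(directives: dict, directive: str):
    """Source list governing `directive`, honouring the default-src fallback (None = unrestricted)."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src") if directive in FALLBACK_TO_DEFAULT else None

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit fetching `url` from a page at `page_origin`?"""
    t = urlsplit(url)
    if expr == "'self'":
        return f"{t.scheme}://{t.netloc}" == page_origin
    if expr.startswith("'"):  # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    if expr.endswith(":"):  # scheme-source such as https:
        return t.scheme == expr[:-1]
    # host-source; a scheme-less host is matched against the fetched URL's scheme (simplified)
    a = urlsplit(expr if "://" in expr else f"{t.scheme}://{expr}")
    if a.scheme != t.scheme or (a.port and a.port != t.port):
        return False
    host = a.hostname or ""
    if host.startswith("*."):  # *.example.com matches any subdomain of example.com
        return (t.hostname or "").endswith(host[1:])
    return host == t.hostname

def allows(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Would this policy let a page at `page_origin` load `url` under `directive`?"""
    sources = effective_sources(parse_csp(policy), directive)
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)

def allows_inline(policy: str, directive: str) -> bool:
    """Are inline scripts/styles allowed under `directive`, i.e. is 'unsafe-inline' present?"""
    sources = effective_sources(parse_csp(policy), directive)
    return sources is None or "'unsafe-inline'" in sources

# The policy from the article, evaluated for a constructed page origin
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'"
PAGE = "https://www.example.com"
```

Note that img-src is absent from the policy, so an image from the CDN is blocked even though scripts from it are allowed: the fallback is to default-src 'self', not to script-src.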
X-Frame-Options
This header prevents your page from being embedded in a frame or iframe on another domain, blocking clickjacking attacks. DENY forbids all framing; SAMEORIGIN allows framing only by pages on the same origin.
```http
X-Frame-Options: DENY
```

Note that the frame-ancestors directive in CSP provides more granular control (it accepts a list of allowed origins) and is the modern replacement; browsers that support it ignore X-Frame-Options when both are present. Keep X-Frame-Options for legacy browser compatibility.
X-Content-Type-Options
The only valid value for this header is nosniff. It prevents browsers from "sniffing" the MIME type of a response and treating it differently from the declared Content-Type. Without this header, a browser might guess that a response served with a non-script Content-Type (a user-uploaded file, for example) is JavaScript and execute it.

```http
X-Content-Type-Options: nosniff
```

Referrer-Policy
When a user follows a link from your site to another, the browser sends a Referer header containing the originating URL. Without a policy, full URLs including query strings can be leaked to third parties, potentially exposing user IDs, session tokens, or sensitive path segments.

```http
Referrer-Policy: strict-origin-when-cross-origin
```

The recommended value strict-origin-when-cross-origin sends only the origin (no path or query) on cross-origin requests, sends the full URL only for same-origin navigation, and sends nothing at all when going from HTTPS to HTTP.
Permissions-Policy
Formerly known as Feature-Policy, this header controls which browser features and APIs your site (and any embedded third-party iframes) are allowed to use. Disabling features like geolocation, microphone, and camera by default reduces the attack surface of embedded content and third-party scripts.
```http
Permissions-Policy: geolocation=(), microphone=(), camera=()
```

Cross-Origin-Opener-Policy (COOP)
COOP allows you to isolate your browsing context from other origins. When set to same-origin, a cross-origin document that opens your page (or is opened by it) is placed in a separate browsing context group, so its window.opener reference to your page becomes null and the two can no longer script each other. This prevents cross-origin attacks that exploit the window.opener reference and is required to enable certain performance features like SharedArrayBuffer.

```http
Cross-Origin-Opener-Policy: same-origin
```

Cross-Origin-Embedder-Policy (COEP)
COEP requires that every resource loaded by your page either comes from the same origin or explicitly opts in via CORS or CORP headers. Combined with COOP, it enables cross-origin isolation, which browsers require before exposing high-resolution timers and other features restricted as Spectre mitigations. Set it to require-corp once all your third-party resources support the necessary CORS headers.

```http
Cross-Origin-Embedder-Policy: require-corp
```

How to Check Your Security Header Score
Several tools grade websites against their security header implementation:
- ShowDNS Security Headers Scanner — scans your domain and lists every present and missing security header with recommended values.
- ShowDNS HTTP Header Checker — inspect the raw response headers returned by any URL.
- securityheaders.com — assigns letter grades from F to A+ and provides remediation advice for each missing header.
An A+ score typically requires HSTS with a long max-age, a robust CSP, X-Frame-Options, nosniff, Referrer-Policy, and Permissions-Policy all correctly configured.
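The same checks can be run locally against the headers your own server returns. The following is an added example, not one of the scanners listed above, that audits a response's headers against the recommendations on this page: presence of the six headers an A+ typically needs, an HSTS max-age of at least one year with includeSubDomains, a CSP that is actually enforcing (not only Report-Only) and whose script sources avoid 'unsafe-inline', 'unsafe-eval' and a bare wildcard, and valid X-Frame-Options, nosniff and Referrer-Policy values. The two sample header sets are constructed, not captured from real sites.

```python
import re

REQUIRED = ["strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy"]
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def audit_headers(headers: dict, min_hsts_age: int = 31536000) -> list:
    """Return findings for one response's headers; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"{name}: missing" for name in REQUIRED if name not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        if not age or int(age.group(1)) < min_hsts_age:
            findings.append(f"strict-transport-security: max-age below {min_hsts_age}")
        if "includesubdomains" not in hsts.lower():
            findings.append("strict-transport-security: includeSubDomains not set")
    csp = h.get("content-security-policy", "")
    if not csp and "content-security-policy-report-only" in h:
        findings.append("content-security-policy: only Report-Only is set, nothing is enforced")
    if csp:
        # script-src governs scripts; if it is absent, default-src does (first match wins)
        script = (re.search(r"(?:^|;)\s*script-src\s+([^;]*)", csp, re.I)
                  or re.search(r"(?:^|;)\s*default-src\s+([^;]*)", csp, re.I))
        if script and re.search(r"'unsafe-inline'|'unsafe-eval'|(?:^|\s)\*(?:\s|$)", script.group(1)):
            findings.append("content-security-policy: script sources permit inline, eval or wildcard")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: value must be DENY or SAMEORIGIN")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options: value must be nosniff")
    if "referrer-policy" in h and h["referrer-policy"].lower() not in SAFE_REFERRER:
        findings.append("referrer-policy: value is not one of the restrictive recommended policies")
    return findings

# Constructed sample responses (not real sites): one hardened, one with common weaknesses.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}
```

Feed it the headers of a real response (for example the dict from `requests.get(url).headers`) to get the same list of findings for a live site.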
Frequently Asked Questions
Do security headers affect website performance?
Negligibly. Security headers add a few bytes to HTTP responses but have no meaningful impact on load times. HSTS can actually improve performance by eliminating HTTP-to-HTTPS redirect round-trips for returning visitors.
Which headers should I add first?
Start with the low-risk, high-reward headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and Strict-Transport-Security with a short max-age (a long max-age or the preload flag cannot be undone quickly if an HTTPS misconfiguration surfaces). Add CSP last because it requires the most careful configuration.
Can I set security headers without server access?
Many CDNs (Cloudflare, Fastly, Vercel, Netlify) allow header injection via dashboard settings or configuration files, without requiring direct server access. Check your CDN or hosting provider's documentation for header configuration options.
Do security headers work with single-page applications?
Yes. Security headers are set at the HTTP response level, so they apply regardless of whether the page is server-rendered or a client-side SPA. For SPAs, you may need to adjust connect-src and script-src in your CSP to allow API calls and dynamically loaded modules.