HTTP Security Headers Guide

Security headers are HTTP response headers that instruct the browser how to behave when handling your website's content. Missing headers leave your site open to clickjacking, cross-site scripting (XSS), MIME sniffing attacks, and information leakage. Most are a single line of configuration — but most websites still don't set them.

→ Check Your Security Headers Free

The 6 most important security headers

Header                      Protects against                                   Priority
Strict-Transport-Security   SSL stripping, HTTP downgrade attacks              Critical
Content-Security-Policy     XSS, data injection, clickjacking                  High
X-Frame-Options             Clickjacking attacks                               High
X-Content-Type-Options      MIME type confusion attacks                        Medium
Referrer-Policy             Leaking URLs to third parties                      Medium
Permissions-Policy          Unauthorized use of camera, mic, geolocation       Medium

What a fully secured response looks like

example.com — Security Headers

PASS Strict-Transport-Security: max-age=31536000; includeSubDomains
PASS Content-Security-Policy: default-src 'self'; ...
PASS X-Frame-Options: DENY
PASS X-Content-Type-Options: nosniff
PASS Referrer-Policy: strict-origin-when-cross-origin

Each header explained

Strict-Transport-Security (HSTS)

Tells browsers to always use HTTPS for your domain — even if the user types http://. Prevents SSL stripping attacks where an attacker intercepts the initial HTTP request before the HTTPS redirect happens.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (CSP)

The most powerful — and most complex — security header. Tells the browser which sources of scripts, styles, images and other content are allowed to load. Prevents XSS attacks by blocking inline scripts and unauthorized external scripts.

A safe starting point for a simple website:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; frame-ancestors 'none'

For sites using Google Analytics or other third-party scripts, add their domains to script-src. Use Content-Security-Policy-Report-Only during testing to log violations without blocking.
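Report-Only mode is only useful if the violation reports it produces are actually triaged. The script below is an added example (not part of this guide or of masoSec) that parses the `csp-report` JSON documents browsers POST to a report-uri endpoint, counts blocked origins per directive, and separates inline violations from external origins so that a reviewer can allow-list the origins without reaching for 'unsafe-inline'. The sample reports, the origins they mention and the endpoint they would have come from are constructed for the illustration.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample violation reports in the `csp-report` JSON shape browsers POST
# to a report-uri endpoint while a policy runs in Report-Only mode. The origins are
# chosen for this illustration, not taken from real traffic.
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in [
    {"document-uri": "https://example.com/", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "https://www.googletagmanager.com/gtag/js"},
    {"document-uri": "https://example.com/about", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "https://www.googletagmanager.com/gtag/js"},
    {"document-uri": "https://example.com/", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "inline"},
    {"document-uri": "https://example.com/pricing", "effective-directive": "img-src",
     "violated-directive": "img-src", "blocked-uri": "https://cdn.images.example/hero.png"},
    {"document-uri": "https://example.com/", "effective-directive": "style-src",
     "violated-directive": "style-src", "blocked-uri": "inline"},
]]


def parse_report(raw):
    """Return (directive, source) for one csp-report document, or None if it is malformed."""
    try:
        body = json.loads(raw)["csp-report"]
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        blocked = body["blocked-uri"]
    except (ValueError, KeyError, TypeError, IndexError, AttributeError):
        return None
    # Browsers report 'inline' / 'eval' for inline code and a URL for everything else.
    # A URL is reduced to its origin, because the origin is what a directive allow-lists.
    if blocked in ("inline", "eval", "data", "blob", ""):
        return directive, blocked or "unknown"
    parts = urlsplit(blocked)
    return directive, (f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked)


def summarize(raw_reports):
    """Count blocked sources per directive, dropping reports that cannot be parsed."""
    counts = defaultdict(Counter)
    for raw in raw_reports:
        parsed = parse_report(raw)
        if parsed:
            directive, source = parsed
            counts[directive][source] += 1
    return {directive: dict(c) for directive, c in counts.items()}


def proposed_sources(summary):
    """Turn a summary into per-directive candidate origins for a human to accept or reject.
    Inline violations are counted separately on purpose: the fix for those is nonces,
    hashes or moving the code to a file, never 'unsafe-inline' on script-src."""
    proposals = {}
    for directive, sources in summary.items():
        proposals[directive] = {
            "add_to_directive": sorted(s for s in sources if s.startswith("https://")),
            "inline_violations": sources.get("inline", 0) + sources.get("eval", 0),
        }
    return proposals


if __name__ == "__main__":
    for directive, proposal in proposed_sources(summarize(SAMPLE_REPORTS)).items():
        print(directive, proposal)
```

Run it against the bodies your report endpoint stores; each proposed origin should be checked against the site's actual dependencies before it is added to the enforced policy, since an attacker's injected script shows up in these reports just like a legitimate one.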

X-Frame-Options

Prevents your page from being embedded in an <iframe> on another domain. Without this, attackers can overlay your page invisibly and trick users into clicking buttons they can't see (clickjacking).

X-Frame-Options: DENY

Use SAMEORIGIN if you need to embed your own pages in iframes. Note: CSP's frame-ancestors directive supersedes this header in modern browsers, but both should be set for compatibility.

X-Content-Type-Options

Prevents browsers from "sniffing" the MIME type of a response. Without this, an attacker who can upload a file with a misleading extension can get the browser to execute it as a script.

X-Content-Type-Options: nosniff

Always set this. It's one line and has no downsides.

Referrer-Policy

Controls how much URL information is sent in the Referer header when a user navigates to another site. By default, browsers send the full URL — including any tokens, search terms or sensitive paths.

Referrer-Policy: strict-origin-when-cross-origin

This sends only the origin (no path) when navigating to a different domain, and the full URL within your own domain. A good balance between analytics and privacy.
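What each policy value actually leaks is easiest to see by computing it. The following is an added example, not code from this guide, that implements the referrer selection rules for the standard policy names on a (source page, destination) pair: the fragment and any credentials are stripped, the full URL is sent only where the policy allows it, and a navigation from https:// to http:// ("downgrade") suppresses the referrer under the strict variants. The URLs are constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
)


def origin(url):
    """Serialized origin, e.g. https://example.com (port kept when present)."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return f"{p.scheme}://{netloc}"


def stripped(url):
    """Referer form of a full URL: credentials and the #fragment are never sent."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, origin(url).split("://", 1)[1], p.path, p.query, ""))


def referer_for(policy, source, destination):
    """Return the Referer value (or None) a browser sends for a navigation under `policy`."""
    same_origin = origin(source) == origin(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    full = stripped(source)
    org = origin(source) + "/"  # origin-only referrers are sent with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return org
    if policy == "strict-origin":
        return None if downgrade else org
    if policy == "origin-when-cross-origin":
        return full if same_origin else org
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else org
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


def compare_policies(source, destination):
    """Table of policy -> Referer value for one navigation, useful when choosing a policy."""
    return {p: referer_for(p, source, destination) for p in POLICIES}


if __name__ == "__main__":
    # Constructed example: a password-reset page with a token in the query string
    # linking out to a third-party site.
    for policy, value in compare_policies(
        "https://example.com/reset?token=abc123#top", "https://partner.example/"
    ).items():
        print(f"{policy:32} {value}")
```

The password-reset URL in the demo is the case the section warns about: under unsafe-url the token travels to the third party, under strict-origin-when-cross-origin only https://example.com/ does, and if the destination were plain http:// nothing would be sent at all.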

Permissions-Policy

Restricts which browser features (camera, microphone, geolocation, payment) your page can use. Prevents third-party scripts embedded in your page from accessing these features without your knowledge.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
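The checks in this section can be turned into a small audit that mirrors the PASS list shown earlier. The code below is an added example, not code from this guide or from masoSec, and it audits a dictionary of response headers (for instance `dict(resp.headers)` from any HTTP client) against the six headers above: HSTS max-age of at least a year with includeSubDomains, an enforced CSP with a default-src fallback and no 'unsafe-inline' on scripts, a framing restriction from X-Frame-Options or frame-ancestors, nosniff, a Referrer-Policy that withholds paths cross-site, and a Permissions-Policy. The one-year threshold and the set of "safe" referrer policies are this example's assumptions; both header sets at the bottom are constructed.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age used throughout this guide (assumed threshold)
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}  # assumption: never leak the path cross-site
FRAMING_OK = ("DENY", "SAMEORIGIN")


def parse_csp(value):
    """Split a CSP into {directive: [sources]}; the first occurrence of a directive wins, as in browsers."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers):
    """Return [(header, verdict, detail)] for the six headers in this guide. Verdicts: PASS, WARN, FAIL."""
    h = {k.lower(): v for k, v in headers.items()}
    results = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        results.append(("Strict-Transport-Security", "FAIL", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            results.append(("Strict-Transport-Security", "WARN", f"max-age {age} is below one year"))
        elif "includesubdomains" not in hsts.lower():
            results.append(("Strict-Transport-Security", "WARN", "includeSubDomains not set"))
        else:
            results.append(("Strict-Transport-Security", "PASS", hsts))

    csp_raw = h.get("content-security-policy")  # Report-Only deliberately does not count
    csp = parse_csp(csp_raw) if csp_raw else {}
    if not csp:
        results.append(("Content-Security-Policy", "FAIL", "missing (Report-Only does not enforce)"))
    else:
        script = csp.get("script-src", csp.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            results.append(("Content-Security-Policy", "WARN", "script-src allows 'unsafe-inline'"))
        elif "default-src" not in csp:
            results.append(("Content-Security-Policy", "WARN", "no default-src fallback"))
        else:
            results.append(("Content-Security-Policy", "PASS", csp_raw))

    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None and "*" not in ancestors:
        if xfo in FRAMING_OK:
            results.append(("X-Frame-Options", "PASS", f"{xfo} + frame-ancestors {' '.join(ancestors)}"))
        else:
            results.append(("X-Frame-Options", "WARN", "frame-ancestors set; add X-Frame-Options for older browsers"))
    elif xfo in FRAMING_OK:
        results.append(("X-Frame-Options", "PASS", xfo))
    else:
        results.append(("X-Frame-Options", "FAIL", "no framing restriction"))

    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        results.append(("X-Content-Type-Options", "PASS", "nosniff"))
    else:
        results.append(("X-Content-Type-Options", "FAIL", "missing or not 'nosniff'"))

    # The header may carry a comma-separated fallback list; the last recognised value wins.
    chosen = [t.strip().lower() for t in h.get("referrer-policy", "").split(",") if t.strip()]
    if not chosen:
        results.append(("Referrer-Policy", "FAIL", "missing"))
    elif chosen[-1] in SAFE_REFERRER_POLICIES:
        results.append(("Referrer-Policy", "PASS", chosen[-1]))
    else:
        results.append(("Referrer-Policy", "WARN", f"{chosen[-1]} can send full URLs cross-site"))

    pp = h.get("permissions-policy")
    results.append(("Permissions-Policy", "PASS", pp) if pp else ("Permissions-Policy", "WARN", "missing"))
    return results


def verdicts(headers):
    """{header: verdict} for quick comparison or alerting."""
    return {name: verdict for name, verdict, _ in audit(headers)}


# Constructed header sets: the first matches the "fully secured response" shown in this guide.
SECURED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                               "img-src 'self' data: https:; font-src 'self' data:; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, verdict, detail in audit(WEAK):
        print(f"{verdict:4} {name}: {detail}")
```

Note that 'unsafe-inline' on style-src is tolerated here, matching the starting policy in the CSP section, while the same value on script-src is flagged because it is exactly the inline-script execution CSP exists to stop.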

How to add security headers in common webservers

Caddy

header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    Referrer-Policy "strict-origin-when-cross-origin"
    Permissions-Policy "camera=(), microphone=(), geolocation=()"
}

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Apache

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Monitor your security headers automatically

Security headers get removed when servers are updated, configurations are changed, or CDN rules are modified. masoSec checks your headers on a schedule and alerts you if any required header disappears or degrades.
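The failure modes described here (a header vanishing after a deploy, or being quietly weakened) are detectable by diffing a stored baseline against a fresh snapshot. The code below is an added example and is not masoSec's implementation: it compares two header dictionaries, reports required headers that disappeared, an HSTS max-age that was shortened, an enforced CSP that was swapped for Report-Only, and any other value change, with a severity a scheduler could page on. Both snapshots are constructed.

```python
import re

REQUIRED = ["Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy"]


def max_age(value):
    """HSTS max-age in seconds, or None if the directive is absent."""
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    return int(m.group(1)) if m else None


def detect_drift(baseline, current):
    """Return [(severity, header, detail)] describing how `current` regressed from `baseline`.
    Severities: 'critical' (protection lost or weakened), 'warning' (changed, review needed),
    'info' (a header appeared that the baseline lacked)."""
    base = {k.lower(): v.strip() for k, v in baseline.items()}
    cur = {k.lower(): v.strip() for k, v in current.items()}
    alerts = []
    for name in REQUIRED:
        key = name.lower()
        if key in base and key not in cur:
            if key == "content-security-policy" and "content-security-policy-report-only" in cur:
                alerts.append(("critical", name, "enforced policy replaced by Report-Only"))
            else:
                alerts.append(("critical", name, "header disappeared"))
        elif key not in base and key in cur:
            alerts.append(("info", name, "new header present; update the baseline after review"))
        elif key in base and base[key] != cur[key]:
            old_age, new_age = max_age(base[key]), max_age(cur[key])
            if key == "strict-transport-security" and old_age and (new_age or 0) < old_age:
                alerts.append(("critical", name, f"max-age reduced from {old_age} to {new_age or 0}"))
            else:
                alerts.append(("warning", name, f"value changed: {base[key]!r} -> {cur[key]!r}"))
    return alerts


def should_page(alerts):
    """True when any alert is critical, i.e. a protection was removed or weakened."""
    return any(sev == "critical" for sev, _, _ in alerts)


# Constructed snapshots: the baseline is the secured response from earlier in this guide,
# the current one is what a careless CDN rule change might leave behind.
BASELINE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
CURRENT = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for severity, name, detail in detect_drift(BASELINE, CURRENT):
        print(f"[{severity}] {name}: {detail}")
    print("page on-call:", should_page(detect_drift(BASELINE, CURRENT)))
```

Persist the baseline only after a human has confirmed it is the intended state; otherwise a regression that slips in before the first snapshot becomes the thing the monitor defends.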

→ Start Free Security Header Monitoring

Frequently asked questions

Will adding CSP break my website?

A strict CSP can block inline scripts and third-party resources your site relies on. Start with Content-Security-Policy-Report-Only mode to log violations without breaking anything, then gradually tighten the policy.

Do security headers affect SEO?

Not directly. But Google's Chrome team uses security headers (especially HSTS and CSP) as quality signals, and a site marked "Not Secure" will see higher bounce rates. HTTPS and HSTS are confirmed ranking factors.

What is the X-XSS-Protection header?

An old header that enabled the browser's built-in XSS filter. It is deprecated and should not be used — modern browsers have removed it. Use a proper Content-Security-Policy instead.