HTTP Security Headers Explained
HTTP security headers are a cheap, browser-enforced layer of defense against common web attacks, on top of whatever the application itself does. This guide covers the security headers browsers honour today, what each protects against, and recommended values for production.
Security Headers Generator
Generate and analyze HTTP security headers for Nginx, Apache, Vercel, Netlify, and Cloudflare. Visual builder with presets and security scoring.
Strict-Transport-Security (HSTS)
X-Content-Type-Options
Always set to nosniff — no configuration needed.
X-Frame-Options
Referrer-Policy
Permissions-Policy
Content-Security-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
X-XSS-Protection
Set to 0 to disable the legacy XSS auditor (modern best practice). Use CSP instead.
X-DNS-Prefetch-Control
X-Permitted-Cross-Domain-Policies
Output Format
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), gyroscope=(), magnetometer=(), accelerometer=(), autoplay=(), fullscreen=(self)
X-XSS-Protection: 0
Why security headers matter
Security headers instruct browsers to enable built-in protections: limiting what an injected script can load or run (CSP), preventing clickjacking (X-Frame-Options or CSP frame-ancestors), forcing HTTPS on later visits (HSTS), and controlling how much of the URL leaks in the Referer header (Referrer-Policy). Without them the browser falls back to its defaults, most of which are permissive. They only help on responses that actually carry them, so apply them to every response, including error pages, redirects and API routes, not just the home page. Adding security headers is one of the highest-impact, lowest-effort security improvements you can make, but they are a second layer, not a substitute for fixing the injection or misconfiguration underneath.
Essential headers every site needs
At minimum, every website should set: Strict-Transport-Security (force HTTPS), X-Content-Type-Options: nosniff (prevent MIME sniffing), X-Frame-Options: DENY or SAMEORIGIN (prevent clickjacking), and Referrer-Policy: strict-origin-when-cross-origin (control referrer leakage). These four headers cover the most common attack vectors with minimal risk of breaking functionality. Two caveats: browsers ignore HSTS received over plain HTTP and only apply it after the first HTTPS visit, so send it from the HTTPS origin only, and make sure every subdomain works over HTTPS before adding includeSubDomains; and modern browsers give CSP frame-ancestors precedence over X-Frame-Options and no longer honour ALLOW-FROM, so keep X-Frame-Options for older browsers but set frame-ancestors in your CSP once you have one.
Advanced headers for full protection
For maximum security, add: Content-Security-Policy (restricts where scripts, styles and other resources may load from, the most effective XSS mitigation available), Permissions-Policy (turns off browser features such as camera, microphone and geolocation that the page does not use), Cross-Origin-Opener-Policy (same-origin severs the window.opener link to cross-origin pages so they cannot reach your window), Cross-Origin-Embedder-Policy (require-corp refuses cross-origin resources that have not opted in via CORS or CORP; together with COOP it makes the page cross-origin isolated, which is what unlocks SharedArrayBuffer), and Cross-Origin-Resource-Policy (lets a resource declare which origins may embed it in no-cors loads such as img or script tags, limiting cross-origin reads through side channels like Spectre; it complements CORS rather than replacing it). These require more careful configuration, COEP in particular breaks any embedded third-party resource that has not opted in, but they significantly raise the security bar.
Frequently Asked Questions
Which security headers are most important?
HSTS, Content-Security-Policy, and X-Content-Type-Options are the most critical. HSTS stops HTTPS-to-HTTP downgrade (SSL stripping) on every visit after the first, CSP limits what an injected script can load or run, and X-Content-Type-Options stops the browser from reinterpreting a response as a different type than the server declared (MIME confusion). Together they address the majority of common web vulnerabilities.
Can security headers break my website?
Yes, if misconfigured. CSP is the most likely to cause issues: an overly restrictive policy blocks legitimate scripts, styles, or images. HSTS can also bite: includeSubDomains on a domain with an HTTP-only subdomain makes that subdomain unreachable for max-age seconds in every browser that has seen the header. Start with CSP in report-only mode (Content-Security-Policy-Report-Only) to identify what would be blocked before enforcing. Report-only does nothing useful on its own: point it at a collecting endpoint with report-uri (or report-to), read the reports, and expect some noise from browser extensions that inject scripts into pages.
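Reading the reports is what makes a report-only rollout useful, so here is an added example (not the generator's own code and not from the original page) that turns a batch of report-uri JSON lines into allowlist suggestions and a separate list of things that need code changes rather than policy changes. The sample report lines are constructed, the endpoint that collected them is assumed, and the min_count threshold and the extension-scheme noise list are this example's own choices.

```python
"""Summarise CSP violation reports collected while a policy runs in report-only
mode (added example for this page, not the generator's own code). Input lines
use the JSON shape browsers POST to a report-uri endpoint; the sample lines are
constructed and the endpoint that collected them is assumed."""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension", "safari-web-extension")


def _report(directive: str, blocked: str) -> str:
    """Build one constructed report line in the report-uri (CSP Level 2) shape."""
    return json.dumps({"csp-report": {"document-uri": "https://app.example/",
                                      "effective-directive": directive,
                                      "blocked-uri": blocked,
                                      "original-policy": "default-src 'self'"}})


SAMPLE_LINES = [
    _report("script-src", "https://cdn.example/lib.js"),
    _report("script-src", "https://cdn.example/lib.js"),
    _report("script-src", "https://cdn.example/vendor.js"),
    _report("img-src", "https://images.example/a.png"),  # seen once: not enough evidence yet
    _report("script-src", "inline"),                      # inline <script>: needs a nonce or hash
    _report("script-src", "eval"),                        # eval(): needs a code change
    _report("script-src", "chrome-extension"),            # browser-extension noise
    _report("script-src", "chrome-extension"),
    "not json at all",                                    # garbage hitting the endpoint
]


def classify(blocked: str) -> Tuple[str, str]:
    """'origin' (allowlist candidate), 'refactor' (change the code instead) or 'noise'."""
    if blocked.startswith(EXTENSION_SCHEMES):
        return "noise", blocked
    if blocked in ("inline", "eval", "data", "blob", "wasm-eval"):
        return "refactor", blocked
    u = urlsplit(blocked)
    if u.scheme in ("http", "https") and u.netloc:
        return "origin", f"{u.scheme}://{u.netloc}"  # allowlist the origin, never a full path
    return "noise", blocked


def summarize(lines: List[str], min_count: int = 2) -> Dict[str, object]:
    """Group violations by directive: origins seen at least min_count times become
    allowlist suggestions, inline/eval go to a refactor list, the rest counts as noise."""
    counts: Counter = Counter()
    for line in lines:
        try:
            r = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed or not a CSP report
        if not isinstance(r, dict):
            continue
        directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
        counts[(directive, *classify(r.get("blocked-uri", "")))] += 1
    allow, refactor, noise = defaultdict(set), defaultdict(set), 0
    for (directive, kind, value), n in counts.items():
        if kind == "origin" and n >= min_count:
            allow[directive].add(value)
        elif kind == "refactor":
            refactor[directive].add(value)
        elif kind == "noise":
            noise += n
    return {"allow": {d: sorted(s) for d, s in allow.items()},
            "refactor": {d: sorted(s) for d, s in refactor.items()}, "noise": noise}


def extend_policy(base: str, allow: Dict[str, List[str]]) -> str:
    """Append suggested origins to a policy. A directive that was absent inherits
    default-src first, because adding it would otherwise drop that fallback."""
    order: List[str] = []
    sources: Dict[str, List[str]] = {}
    for part in base.split(";"):
        tokens = part.split()
        if tokens:
            order.append(tokens[0])
            sources[tokens[0]] = tokens[1:]
    for directive, origins in allow.items():
        if directive not in sources:
            order.append(directive)
            sources[directive] = list(sources.get("default-src", []))
        sources[directive] += [o for o in origins if o not in sources[directive]]
    return "; ".join(f"{d} {' '.join(sources[d])}".rstrip() for d in order)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    print(summary)
    print(extend_policy("default-src 'self'; script-src 'self'", summary["allow"]))
```

On the constructed sample the summary suggests adding https://cdn.example to script-src, lists inline and eval under script-src as code to fix (never paper over them with 'unsafe-inline' or 'unsafe-eval'), drops the extension noise, and leaves the single images.example hit out until it recurs. extend_policy inherits default-src when it has to create a directive, since a freshly added img-src would otherwise stop falling back to default-src and block things that worked before.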
How do I test my security headers?
Use browser DevTools (Network tab → response headers), online scanners like securityheaders.com, or curl to inspect headers. Note that curl -I sends a HEAD request, which some servers and CDNs answer differently from GET; curl -sS -D - -o /dev/null https://example.com/ prints the headers of a real GET. Check the HTTPS URL, since HSTS is only honoured over HTTPS, and check more than the home page: error pages, redirects and API responses are often served by a different path that lacks the headers. Test in staging before production, especially for CSP changes.
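To tie the essential and advanced header lists above together with this testing advice, here is an added example (this page's illustration, not the generator's own code): an offline grader that takes a raw response header block, as curl -sS -D - -o /dev/null prints it, checks the four essential headers plus CSP and X-XSS-Protection against the values recommended above, and scores the result. Both sample responses are constructed, and the scoring scheme is this example's own rather than the tool's.

```python
"""Offline grader for an HTTP response header block (added example for this page,
not the generator's own code). It parses what `curl -sS -D - -o /dev/null URL`
prints and grades each header against the recommendations above. Both sample
responses below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOW-FROM https://partner.example
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example
X-XSS-Protection: 1; mode=block
"""
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'
X-XSS-Protection: 0
"""
Verdict = Tuple[str, str]  # (status, reason); status is ok | warn | missing


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Lower-cased header name -> values; a repeated header keeps every value."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue  # status line or obsolete folded continuation
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_sources(csp: str, directive: str) -> List[str]:
    """Sources for one directive. Fetch directives like script-src fall back to
    default-src when absent; frame-ancestors never does (per the CSP spec)."""
    found = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            found[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if directive in found or directive == "frame-ancestors":
        return found.get(directive, [])
    return found.get("default-src", [])


def analyze(raw: str) -> Dict[str, Verdict]:
    """Grade the four essential headers plus CSP and X-XSS-Protection."""
    h = parse_headers(raw)
    get = lambda name: (h.get(name) or [None])[0]  # first value, or None if absent
    v: Dict[str, Verdict] = {}
    hsts = get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    age = int(m.group(1)) if m else 0
    if hsts is None:
        v["Strict-Transport-Security"] = ("missing", "browser will not force HTTPS")
    elif age < 31536000:
        v["Strict-Transport-Security"] = ("warn", f"max-age={age} is below one year")
    elif "includesubdomains" not in hsts.lower():
        v["Strict-Transport-Security"] = ("warn", "includeSubDomains not set")
    else:
        v["Strict-Transport-Security"] = ("ok", hsts)
    xcto = get("x-content-type-options")
    v["X-Content-Type-Options"] = (("missing", "MIME sniffing allowed") if xcto is None
                                   else ("ok" if xcto.lower() == "nosniff" else "warn", xcto))
    csp, xfo = get("content-security-policy"), get("x-frame-options")
    if csp and csp_sources(csp, "frame-ancestors"):
        v["X-Frame-Options"] = ("ok", "CSP frame-ancestors takes precedence")
    elif xfo is None:
        v["X-Frame-Options"] = ("missing", "page can be framed by any origin")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        v["X-Frame-Options"] = ("warn", f"{xfo!r} is ignored by modern browsers")
    else:
        v["X-Frame-Options"] = ("ok", xfo)
    rp = get("referrer-policy")
    if rp is None:
        v["Referrer-Policy"] = ("missing", "relying on the browser default")
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        v["Referrer-Policy"] = ("warn", f"{rp} sends the full URL to other origins")
    else:
        v["Referrer-Policy"] = ("ok", rp)
    if csp is None:
        v["Content-Security-Policy"] = ("missing", "nothing limits what an injected script can do")
    else:
        scripts = csp_sources(csp, "script-src")
        # CSP3 browsers ignore 'unsafe-inline' next to a nonce/hash; older ones honour it.
        bad = [s for s in scripts if s in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")]
        if bad or not scripts:
            v["Content-Security-Policy"] = ("warn", f"script-src allows {bad or 'anything'}")
        else:
            v["Content-Security-Policy"] = ("ok", "script-src " + " ".join(scripts))
    xxp = get("x-xss-protection")
    v["X-XSS-Protection"] = (("warn", "legacy auditor on; set 0 and rely on CSP")
                             if xxp not in (None, "0") else ("ok", xxp or "absent (obsolete header)"))
    return v


def score(verdicts: Dict[str, Verdict]) -> int:
    """Percentage of checked headers in the ok state."""
    return round(100 * sum(s == "ok" for s, _ in verdicts.values()) / len(verdicts))
```

Calling analyze on WEAK_RESPONSE scores 0 (short HSTS max-age, ALLOW-FROM, 'unsafe-inline' in script-src, the legacy XSS auditor switched on, and two essential headers missing), while HARDENED_RESPONSE scores 100; note that the hardened sample passes the framing check through CSP frame-ancestors, which is the precedence rule described above. To grade a live site, pipe the output of curl -sS -D - -o /dev/null https://host/ into analyze, and run it against an error page and an API route as well as the home page.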