Security Headers: Protecting Your Application at the HTTP Layer

HTTP security headers instruct browsers how to behave when handling your application's responses. They provide a low-cost, high-value layer of defence against common attacks. Many are simple to implement but frequently misconfigured or missing.

Key Security Headers

  • Content-Security-Policy (CSP): Defines which sources may load scripts, styles, images, and other resources — significantly reduces the impact of XSS. The most complex header to configure correctly, but the highest value.
  • Strict-Transport-Security (HSTS): Forces browsers to use HTTPS for your domain for a specified period — prevents protocol downgrade attacks. Submit your domain to the HSTS preload list for maximum protection.
  • X-Frame-Options / CSP frame-ancestors directive: Prevents your site from being embedded in iframes on other domains — defends against clickjacking attacks.
  • X-Content-Type-Options: nosniff: Prevents browsers from MIME-sniffing responses away from the declared content type.
  • Referrer-Policy: Controls how much referrer information is sent with outgoing requests — limits data leakage.
  • Permissions-Policy: Restricts which browser features (camera, microphone, geolocation) the page may use — limits the impact of XSS.

Testing Your Headers

You can test your security headers at securityheaders.com. We configure all security headers as part of our standard production deployment and include header validation in our pre-launch checklist.
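A minimal version of that pre-launch header validation, as an added example rather than the article's own tooling: it takes one response's headers and reports the gaps a practitioner would flag. The HARDENED and WEAK header sets are constructed samples, and the one-year HSTS minimum reflects the preload list's requirement.

```python
"""Pre-launch security header check (added example; constructed sample headers below)."""
import re

HSTS_MIN_AGE = 31536000  # one year in seconds, the minimum the HSTS preload list requires


def check_security_headers(headers: dict) -> list:
    """Return findings for one response's headers; an empty list means every check passed."""
    h = {name.lower(): value for name, value in headers.items()}  # names are case-insensitive
    findings = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline', which weakens its XSS protection")

    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not max_age:
        findings.append("missing or malformed Strict-Transport-Security")
    else:
        if int(max_age.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains (required for preload)")

    # Either header defends against clickjacking; frame-ancestors is the modern form.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")
    return findings


HARDENED = {  # constructed sample of a compliant response
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {  # constructed sample with typical gaps and misconfigurations
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com",  # obsolete value, ignored by modern browsers
}
```

Running check_security_headers(WEAK) lists seven findings, while the HARDENED set returns an empty list.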
