Understanding security headers (HTTP)

Topic: Security basics

Summary

HTTP security headers tell browsers how to behave: HSTS, CSP, X-Frame-Options, and others reduce clickjacking, XSS, and protocol downgrade. Use this when hardening a web application or API so you know which headers to set and what they do.

Intent: How-to

Quick answer

  • Strict-Transport-Security (HSTS) forces HTTPS and prevents downgrade. Set max-age (e.g. 31536000); includeSubDomains and preload if all subdomains use HTTPS.
  • Content-Security-Policy (CSP) restricts where scripts and resources load from, reducing XSS. Start with default-src 'self'; add script-src, style-src as needed; test so legitimate content is not blocked.
  • X-Frame-Options DENY or SAMEORIGIN prevents clickjacking. X-Content-Type-Options nosniff prevents MIME sniffing. Set these in the web server or application response; verify with browser dev tools or a security scanner.

Prerequisites

Steps

  1. HSTS

    Add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Only enable this when all subdomains support HTTPS; submit the domain to the HSTS preload list for maximum effect.

  2. CSP

    Add Content-Security-Policy. Start with default-src 'self'; allow script and style from trusted domains only. Use report-uri or report-to for violations; tune until legitimate traffic is not blocked.

  3. Other headers

    X-Frame-Options: DENY or SAMEORIGIN. X-Content-Type-Options: nosniff. Referrer-Policy to limit referrer leakage. Permissions-Policy to disable unneeded browser features.

  4. Verify

    Check response headers in browser dev tools or curl. Use a scanner (e.g. securityheaders.com) to see grade and missing headers; fix and re-scan.
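The verify step above can be scripted. The checker below is an added example (not part of this page's own material or any scanner's code): it parses HSTS and CSP values and audits a response's headers against the recommendations in the steps. The two header sets are constructed samples, not captured from a real site.

```python
import re

# Constructed sample headers (hypothetical, not from a real site): the first
# set follows the steps above, the second is weak or missing most headers.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL"}

def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) from an HSTS header value."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    max_age = next((int(p[8:]) for p in parts if re.fullmatch(r"max-age=\d+", p)), None)
    return max_age, "includesubdomains" in parts, "preload" in parts

def parse_csp(value):
    """Return {directive: [sources]} from a CSP header value."""
    clauses = [c.split() for c in value.split(";") if c.strip()]
    return {tokens[0].lower(): tokens[1:] for tokens in clauses}

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, subs, _ = parse_hsts(hsts)
        if max_age is None or max_age < 31536000:
            findings.append("HSTS max-age below one year")
        if not subs:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        if "'self'" not in policy.get("default-src", []):
            findings.append("CSP default-src does not start from 'self'")
        if "'unsafe-inline'" in policy.get("script-src", []):
            findings.append("CSP script-src allows 'unsafe-inline'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings
```

Feed it the headers returned by curl -I or your framework's test client; an empty list from audit_headers means the response matches the checks in steps 1 to 3.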

Summary

Set HSTS, CSP, X-Frame-Options, and X-Content-Type-Options to reduce downgrade, XSS, and clickjacking. Use this when hardening web apps and APIs.

Prerequisites

Steps

Step 1: HSTS

Add Strict-Transport-Security with max-age; use includeSubDomains and preload when all subdomains use HTTPS.

Step 2: CSP

Add Content-Security-Policy; start with default-src 'self' and allow only trusted sources for scripts and styles. Use report-uri; tune to avoid breaking the site.

Step 3: Other headers

Set X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy as appropriate.

Step 4: Verify

Check headers in dev tools or with a scanner; fix gaps and re-verify.

Verification

Security headers are present and correct; scanner grade improves; no legitimate traffic blocked by CSP.

Troubleshooting

CSP blocks legitimate resources: add the correct source to the directive (e.g. script-src 'self' https://trusted-cdn.com).

HSTS on a subdomain without HTTPS: enable HTTPS everywhere or do not use includeSubDomains.

Next steps

Continue to