What are Security Headers?
Security headers are HTTP response headers that instruct browsers how to behave when handling a website's content, enhancing protection against common web vulnerabilities. These headers help prevent attacks like cross-site scripting (XSS), clickjacking, content injection, and protocol downgrade attacks. Properly configured security headers are essential for defense-in-depth security strategies.
Essential Security Headers
Strict-Transport-Security (HSTS)
Forces HTTPS connections:
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
- Prevents protocol downgrade attacks
- Blocks mixed content
- Protects against SSL stripping
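The HSTS value above is the form the browser preload lists accept. The following checker, an added example that is not code from the original page, parses a Strict-Transport-Security header into its directives and reports what would stop it from being preload-ready (a max-age below one year, or a missing includeSubDomains or preload directive). The header strings at the bottom are constructed for the demonstration.

```python
# Added example (not from the original page): parse a Strict-Transport-Security
# header and report what stops it from being preload-ready.
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Split the header on ';' into directives. Names are case-insensitive,
    max-age may be quoted, and unknown directives are ignored (RFC 6797)."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if match is None:
                raise ValueError(f"invalid max-age value: {arg!r}")
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(value: str) -> List[str]:
    """Return problems with the policy; an empty list means preload-ready."""
    policy = parse_hsts(value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age missing: browsers ignore the header entirely")
    elif policy.max_age == 0:
        findings.append("max-age=0: browsers drop any stored policy for this host")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year "
                        f"({ONE_YEAR}); the preload list requires at least that")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay unprotected "
                        "and the preload list requires it")
    if not policy.preload:
        findings.append("preload missing: the host cannot be submitted to the preload list")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: the page's example, and a short-lived policy.
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=86400"):
        print(header, "->", hsts_findings(header) or ["preload-ready"])
```

Browsers only honour this header when it arrives over HTTPS, so run the check against the HTTPS response, not the plain-HTTP redirect.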
Content-Security-Policy (CSP)
Controls resource loading:
```http
Content-Security-Policy: default-src 'self'; script-src 'self' trusted.com; style-src 'self' 'unsafe-inline'
```
- Prevents XSS attacks
- Controls script sources
- Blocks unauthorized resources
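A CSP only prevents XSS if its script-src is actually restrictive. The following parser, an added example and not code from the original page, splits a policy into directives (first occurrence wins, as in browsers), resolves the default-src fallback for fetch directives, and flags the settings that undo the protection: a missing default-src, 'unsafe-inline' or 'unsafe-eval' in script-src, wildcard or data: script sources, and an object-src that is not 'none'. The policy strings are constructed; the same parser works on Content-Security-Policy-Report-Only, which shares the syntax.

```python
# Added example (not from the original page): parse a Content-Security-Policy
# value and report directives that weaken its XSS protection.
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when not set (subset of CSP3).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "font-src", "object-src", "media-src", "frame-src"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Directives are separated by ';', source expressions by whitespace.
    Directive names are case-insensitive; browsers keep the first occurrence
    of a directive and ignore later duplicates."""
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that apply to a directive after the default-src fallback;
    None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def csp_findings(value: str) -> List[str]:
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: every fetch directive not set explicitly is unrestricted")
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src unrestricted: scripts may load from any origin")
    else:
        lowered = [s.lower() for s in scripts]
        # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline',
        # so it is only a fallback for old browsers rather than a weakness.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in lowered)
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("script-src 'unsafe-inline': inline scripts run, so injected markup executes")
        if "'unsafe-eval'" in lowered:
            findings.append("script-src 'unsafe-eval': eval() and Function() are allowed")
        for wild in ("*", "http:", "https:", "data:"):
            if wild in lowered:
                findings.append(f"script-src {wild}: scripts accepted from any matching source")
    objects = effective_sources(policy, "object-src")
    if objects is None or "'none'" not in [s.lower() for s in objects]:
        findings.append("object-src is not 'none': plugin content could still be embedded")
    return findings


if __name__ == "__main__":
    # Constructed policies: the page's example, a weak one, and a nonce-based one.
    samples = [
        "default-src 'self'; script-src 'self' trusted.com; style-src 'self' 'unsafe-inline'",
        "script-src 'self' 'unsafe-inline' *",
        "default-src 'none'; script-src 'nonce-abc123' 'unsafe-inline'; object-src 'none'",
    ]
    for sample in samples:
        print(sample, "->", csp_findings(sample) or ["no findings"])
```

The page's own example policy draws only one finding from this checker (object-src inherits 'self' from default-src); the weak sample draws four, and the nonce-based policy none.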
X-Frame-Options
Prevents clickjacking:
```http
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
```
- Blocks site from being framed
- Protects against UI redressing
X-Content-Type-Options
Prevents MIME sniffing:
```http
X-Content-Type-Options: nosniff
```
- Forces browser to respect declared Content-Type
- Prevents script injection via misinterpreted files
Additional Security Headers
| Header | Purpose | Example Value |
|---|---|---|
| X-XSS-Protection | XSS filter (legacy) | 1; mode=block |
| Referrer-Policy | Control referrer info | strict-origin-when-cross-origin |
| Permissions-Policy | Feature restrictions | geolocation=(), camera=() |
| Cross-Origin-Opener-Policy | Process isolation | same-origin |
| Cross-Origin-Embedder-Policy | Resource isolation | require-corp |
Implementation Examples
Nginx Configuration
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'self'" always;
```
The `always` parameter makes Nginx emit the header on every status code, including 4xx and 5xx error pages; without it only 2xx and 3xx responses carry the header. Note also that `add_header` directives are inherited from the enclosing block only when the current block defines none of its own, so a `location` block that adds a single header silently drops all of the headers set at `server` level.
Apache Configuration
```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
```
Security Headers and Domain Health
Why Headers Matter for Domains
- Protect users visiting your domain
- Prevent domain reputation damage
- Meet compliance requirements
- Defend against common attacks
Testing Security Headers
Tools to verify implementation:
- securityheaders.com
- Mozilla Observatory
- SSL Labs
- Chrome DevTools Network tab
Best Practices
1. Start with HSTS: Essential for HTTPS enforcement
2. Implement CSP gradually: Begin with report-only mode
3. Test thoroughly: Headers can break functionality
4. Use preload lists: Submit to browser preload lists
5. Monitor violations: Use CSP reporting endpoints
6. Regular audits: Security requirements evolve
Common Grading Criteria
| Grade | Typical Requirements |
|---|---|
| A+ | All critical headers, HSTS preload |
| A | HSTS, CSP, X-Frame-Options, X-Content-Type-Options |
| B | Some headers missing |
| C/D | Minimal security headers |
| F | No security headers |
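To see what the testing tools listed above actually do with a response, here is an added example (not the original page's code and not any tool's real scoring rules) that parses the head of a raw HTTP/1.1 response into headers and grades it along the lines of the table: all four critical headers plus an HSTS preload directive gives A+, all four without preload gives A, two or three gives B, fewer gives C/D, and no security headers at all gives F. Those thresholds are this script's reading of the table. The three responses at the bottom are constructed.

```python
# Added example (not from the original page): parse the head of a raw HTTP
# response and grade its security headers along the lines of the table above.
# The thresholds are this script's reading of the table, not any tool's rules.
from typing import Dict, List

CRITICAL = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options")
ADDITIONAL = ("referrer-policy", "permissions-policy",
              "cross-origin-opener-policy", "cross-origin-embedder-policy")


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP/1.1 response, names lower-cased.
    Repeated fields are joined with ', ' as RFC 9110 allows for list fields."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # line 0 is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field line; skip it
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Critical headers absent from the response, in the table's order."""
    return [h for h in CRITICAL if h not in headers]


def grade(headers: Dict[str, str]) -> str:
    critical = [h for h in CRITICAL if h in headers]
    additional = [h for h in ADDITIONAL if h in headers]
    if not critical and not additional:
        return "F"
    if len(critical) == len(CRITICAL):
        if "preload" in headers["strict-transport-security"].lower():
            return "A+"
        return "A"
    if len(critical) >= 2:
        return "B"
    return "C/D"


# Constructed responses for the demonstration.
GOOD = ("HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Referrer-Policy: strict-origin-when-cross-origin\r\n"
        "\r\n<html></html>")
PARTIAL = ("HTTP/1.1 200 OK\r\n"
           "Strict-Transport-Security: max-age=31536000\r\n"
           "X-Content-Type-Options: nosniff\r\n"
           "\r\n")
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("partial", PARTIAL), ("bare", BARE)):
        h = parse_response_headers(raw)
        print(f"{label}: grade {grade(h)}, missing {missing_headers(h)}")
```

Two caveats when running this against a real site: fetch over HTTPS, because browsers ignore HSTS received over plain HTTP, and test more than the front page, since per-location server configuration (the Nginx inheritance rule above is a common cause) can leave some routes without the headers the home page has.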
Security headers represent a critical layer of web application security, providing browser-enforced protection that complements server-side security measures.