Why Security Headers Matter
HTTP security headers are your first line of defense against common web attacks. They instruct browsers to enable built-in protections (transport enforcement, script restrictions, framing limits) that shield your users even when the application code itself has a weakness.
Essential Security Headers Checklist
1. Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS for all future requests to your domain. The header is only honored when received over HTTPS, includeSubDomains applies the rule to every subdomain (so all of them must serve HTTPS first), and preload is effectively permanent once the domain is submitted to the browser preload list, so set it only when you are sure.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2. Content-Security-Policy (CSP)
Controls which resources (scripts, styles, images, frames) the browser may load on your page. The example below is a starting point: 'unsafe-inline' in script-src re-enables inline scripts and therefore gives up most of CSP's protection against XSS, so replace it with nonces or hashes once your inline scripts are accounted for.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
3. X-Frame-Options
Prevents your site from being embedded in iframes (clickjacking protection). DENY blocks framing by any page, including your own; use SAMEORIGIN if you frame your own content. Modern browsers also honor the CSP frame-ancestors directive, which takes precedence when both are present.
X-Frame-Options: DENY
4. X-Content-Type-Options
Prevents browsers from MIME-sniffing responses, so content is interpreted only as the declared Content-Type (for example, an uploaded file served as text/plain cannot be executed as a script).
X-Content-Type-Options: nosniff
5. Referrer-Policy
Controls how much referrer information is sent with requests. strict-origin-when-cross-origin sends the full URL to same-origin requests, only the origin to cross-origin requests, and nothing when downgrading from HTTPS to HTTP, which keeps paths and query strings from leaking to third parties.
Referrer-Policy: strict-origin-when-cross-origin
6. Permissions-Policy
Controls which browser features can be used (formerly Feature-Policy). An empty allowlist such as geolocation=() disables the feature for every origin, including your own pages and any embedded frames.
Permissions-Policy: geolocation=(), microphone=(), camera=()
How to Implement
Add these headers to your web server configuration (Nginx, Apache) or through your application framework. Set them in one place only: if both the server and the application emit the same header, a response can carry two values, and the browser's handling of conflicting values is not what you want to rely on. Make sure error pages and redirects get the headers as well, not just successful responses.
Test Your Headers
Use our free security headers scanner to check your implementation and get a security score. Verify the headers on real responses, including error pages, rather than only on the home page.
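As an added example (not the scanner mentioned above), the following Python audits a response's headers against the six-item checklist, flagging both missing headers and weak values such as a short HSTS max-age or 'unsafe-inline' in the effective script-src. SAMPLE is a constructed set of response headers, not captured from any real site.

```python
# Added example, not the page's own scanner: audit response headers
# against the six-item checklist above. SAMPLE below is constructed.
CHECKLIST = ("Strict-Transport-Security", "Content-Security-Policy",
             "X-Frame-Options", "X-Content-Type-Options",
             "Referrer-Policy", "Permissions-Policy")

def hsts_findings(value):
    # Flag max-age under one year (31536000 s) or a missing includeSubDomains
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = [d[8:] for d in directives if d.startswith("max-age=")]
    findings = []
    if not max_age or not max_age[0].isdigit() or int(max_age[0]) < 31536000:
        findings.append("HSTS max-age is missing or below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings

def csp_findings(value):
    # Split "directive source ..." entries; script-src falls back to default-src
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    script_src = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        return ["CSP script-src allows 'unsafe-inline', which re-enables inline script"]
    return []

def audit_headers(headers):
    # Returns (count of checklist headers present, findings); names matched case-insensitively
    present = {name.lower(): val for name, val in headers.items()}
    score, findings = 0, []
    for name in CHECKLIST:
        value = present.get(name.lower())
        if value is None:
            findings.append("missing " + name)
            continue
        score += 1
        if name == "Strict-Transport-Security":
            findings.extend(hsts_findings(value))
        elif name == "Content-Security-Policy":
            findings.extend(csp_findings(value))
        elif name == "X-Content-Type-Options" and value.strip().lower() != "nosniff":
            findings.append("X-Content-Type-Options is set but not 'nosniff'")
    return score, findings

SAMPLE = {"Strict-Transport-Security": "max-age=3600",
          "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
          "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Calling audit_headers(SAMPLE) scores 4 of 6 and returns five findings: the short HSTS max-age, the missing includeSubDomains, the 'unsafe-inline' script-src, and the two absent headers (X-Frame-Options and Permissions-Policy).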