January 12, 2026 | HeaderTest Team

HTTP Security Headers Explained: Complete Checklist

The security headers that actually matter, what each one does, and copy-paste values to get you started. No fluff, just the headers you need.

The Headers That Actually Matter

There are dozens of HTTP headers that touch security in some way, but only a handful are critical. Here's the list you should care about, in rough order of importance.

Strict-Transport-Security (HSTS)

This one's simple: it tells browsers to always use HTTPS for your domain. Once a browser sees this header, it won't even attempt an HTTP connection — it upgrades automatically.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The max-age is in seconds — 31536000 is one year. includeSubDomains covers everything under your domain. preload lets you submit your domain to browser preload lists so HTTPS is enforced from the very first visit, not just subsequent ones.

If you're running HTTPS (and you should be), there's no reason not to set this.

Content-Security-Policy (CSP)

The most powerful — and most complex — security header. It controls which resources can load on your page: scripts, styles, images, fonts, frames, everything.

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'

Getting CSP right takes effort. Start with report-only mode, collect data on what your site actually loads, then build your policy from there. A badly configured CSP that uses 'unsafe-inline' everywhere isn't much better than no CSP at all.

X-Frame-Options

Prevents other sites from embedding yours in an iframe. This blocks clickjacking attacks, where an attacker overlays invisible iframes to trick users into clicking things they didn't intend to.

X-Frame-Options: DENY

Use DENY unless you specifically need your site to be embeddable (in which case use SAMEORIGIN). Note that CSP's frame-ancestors directive does the same thing and is more flexible, but X-Frame-Options is still worth setting for older browser support.

X-Content-Type-Options

Browsers sometimes try to be "helpful" by guessing the content type of a response, ignoring what the server says. This is called MIME sniffing, and it can turn a harmless-looking file into an executable script.

X-Content-Type-Options: nosniff

One header, one value, zero configuration. Just set it.

Referrer-Policy

Controls how much URL information gets sent to other sites when users click links or your page loads external resources. Without this, the full URL — including query parameters that might contain tokens or user data — gets leaked.

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests (useful for your own analytics) but only the origin for cross-origin ones. Good balance between functionality and privacy.

Permissions-Policy

Lets you disable browser features you don't use — geolocation, camera, microphone, payment API, and others. If your site doesn't need them, turn them off so they can't be abused by injected scripts or third-party embeds.

Permissions-Policy: geolocation=(), microphone=(), camera=()

The empty parentheses mean "nobody gets to use this, not even my own page." Adjust as needed if you actually use these APIs.

Where to Set Them

Add these to your web server config — Nginx, Apache, Caddy, whatever you're running. You can also set them at the application level, but server config is generally cleaner since it applies globally. If you're behind a CDN like Cloudflare, you can set some of these there too.
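Once the headers are in place, it helps to verify what the server actually sends. The audit below is an added example (not HeaderTest's scanner): it takes a dict of response headers and grades each header in this checklist against the values recommended above. The thresholds (one-year HSTS, no 'unsafe-inline', DENY/SAMEORIGIN only) and the sample headers are assumptions made for the example.

```python
import re

# Constructed sample response: some headers set well, some set weakly, one absent.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.test",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

ONE_YEAR = 31536000  # seconds; the max-age recommended in the checklist
CHECKLIST = ["Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
             "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy"]
# Referrer policies that never send the full URL to a different origin
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def audit_headers(headers):
    """Return {header: finding} for every checklist header; 'ok' means it passes."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    for name in CHECKLIST:
        value = lowered.get(name.lower())
        findings[name] = "missing" if value is None else check_value(name, value.strip())
    return findings


def check_value(name, value):
    low = value.lower()
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", low)
        if not m or int(m.group(1)) < ONE_YEAR:
            return "weak: max-age shorter than one year"
        return "ok" if "includesubdomains" in low else "ok, but no includeSubDomains"
    if name == "Content-Security-Policy":
        if "'unsafe-inline'" in low:
            return "weak: 'unsafe-inline' present"
        return "ok" if "object-src 'none'" in low else "ok, but object-src not restricted"
    if name == "X-Frame-Options":
        return "ok" if low in ("deny", "sameorigin") else "weak: use DENY or SAMEORIGIN"
    if name == "X-Content-Type-Options":
        return "ok" if low == "nosniff" else "weak: expected nosniff"
    if name == "Referrer-Policy":
        return "ok" if low in SAFE_REFERRER else "weak: full URL leaks cross-origin"
    return "ok"  # Permissions-Policy: any explicit policy is accepted; tune to your site


if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE_HEADERS).items():
        print(f"{header}: {finding}")
```

To audit a live site, pass `dict(response.headers)` from your HTTP client of choice in place of the sample dict.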
