Website security guide What Are HTTP Security Headers?HTTP security headers tell browsers how to handle your website more safely. They help reduce common risks such as clickjacking, content injection, MIME sniffing, unsafe referrers and weak transport protection. Can content be injected? Content Security Policy helps restrict where scripts, images, frames and other resources may load from. Can pages be framed? Frame controls help reduce clickjacking by limiting which sites may embed your pages. Is transport enforced? HSTS helps browsers use HTTPS and avoid accidental downgrade to plain HTTP. Header Outcome Small Server Settings, Real Browser ProtectionSecurity headers are sent by the web server and enforced by the browser before or while a page is rendered. Restrict Limit trusted resource sources. Enforce Require HTTPS connections. Isolate Reduce cross-origin risk. Document Show technical security checks.
What Is an HTTP Security Header?HTTP headers are metadata sent with web requests and responses. Security headers are response headers that tell the browser which behavior is allowed, which behavior should be blocked and how the site expects content to be handled. They are not a replacement for secure coding, patching, access control or vulnerability scanning. They are a defensive layer that can reduce the impact of common web security mistakes and make exploitation harder. Browser RulesTell browsers how to handle content, frames, referrers, features and transport security. Server ControlledHeaders are normally configured in the web server, reverse proxy, CDN or application framework. Defense in DepthHeaders help reduce risk even when application code or third-party content has weaknesses. AuditableHeader checks are easy to test and document during web security reviews. Important HTTP Security Headers TodayThese are the main security headers organizations should understand when hardening modern websites and web applications. Content-Security-PolicyCSP helps restrict which sources can load scripts, styles, images, fonts, frames and other resources. It is one of the strongest browser-side defenses against content injection and XSS impact. Strict-Transport-SecurityHSTS tells browsers to use HTTPS for future requests to the site. It helps reduce downgrade and accidental plain-HTTP access after the browser has seen the policy. X-Content-Type-OptionsUsing X-Frame-Options and frame-ancestorsThese controls help reduce clickjacking. Modern sites often use the CSP Referrer-PolicyReferrer-Policy controls how much URL information is shared when users navigate away from the site or load third-party resources. Permissions-PolicyPermissions-Policy controls access to browser features such as camera, microphone, geolocation, payment, fullscreen and other powerful capabilities. Recommended Starting Values for Security HeadersThese examples are practical starting points. Test them before production use, because some websites need additional trusted domains for scripts, fonts, analytics, payments, videos, chat widgets or APIs. Content-Security-PolicyStart restrictive, then add only the sources your website really needs.
Strict-Transport-SecurityUse after confirming HTTPS works correctly for the site and subdomains.
X-Content-Type-OptionsPrevent MIME type sniffing where browsers try to guess file types.
Frame ProtectionUse CSP frame-ancestors, and optionally X-Frame-Options for compatibility.
Referrer-PolicyReduce unnecessary URL leakage while keeping useful referrer behavior.
Permissions-PolicyDisable powerful browser features unless the website explicitly needs them.
Cross-Origin-Opener-PolicyHelps isolate browsing contexts from cross-origin windows.
Cross-Origin-Resource-PolicyRestrict who can load your resources from other origins.
Cache-Control for Sensitive PagesUse stricter cache controls for logged-in pages, account pages and sensitive data.
Reporting-EndpointsOptional. Use with CSP reporting if you have a reporting endpoint to collect violations.
Cross-Origin and Isolation HeadersModern web applications often load content from many origins. These headers help control how documents, resources and windows interact across origins. Cross-Origin-Opener-PolicyCOOP can isolate a browsing context from other origins and reduce risks from cross-origin window interactions. Cross-Origin-Embedder-PolicyCOEP controls whether a document can load cross-origin resources unless those resources explicitly allow it. Cross-Origin-Resource-PolicyCORP lets a resource declare which origins are allowed to include it, helping protect resources from unwanted cross-origin use. CORS Is DifferentCross-Origin Resource Sharing uses headers such as Outdated or Deprecated Header AdviceSome older security headers still appear in legacy articles, scanners and server configurations. They should be understood carefully before being recommended. Public-Key-PinsHPKP is obsolete and should not be recommended for new deployments. Misconfiguration could lock users out of a site. X-XSS-ProtectionThis legacy browser XSS filter header is deprecated. Modern sites should focus on CSP, output encoding and secure coding instead. Feature-PolicyFeature-Policy was replaced by Permissions-Policy. Existing configurations should be reviewed and updated where appropriate. Example Security Header BaselineThe right values depend on the application. Test carefully before enforcing strict policies, especially CSP and cross-origin isolation headers. Copy-Paste Header Starting Point
Nginx NoteIn Nginx, headers are commonly added with
Apache NoteIn Apache, headers are commonly added with
Do Not Copy BlindlyA CSP that is too strict can break a site. A policy that is too loose may add little value. Build, test, monitor and refine. Cache-Control Depends on ContentUse strict cache controls for sensitive pages. Public static assets may need different caching for performance. Common Security Header MistakesHeaders can improve security, but incorrect configuration can create false confidence or break important functionality. Missing CSPWithout CSP, the browser has fewer restrictions if content injection becomes possible. Overly Broad SourcesA policy allowing too many third-party sources may not meaningfully reduce risk. Broken Third-Party ContentStrict policies can block analytics, payment scripts, fonts, videos or chat widgets if they are not planned correctly. No HTTPS EnforcementSites that support HTTPS should consider HSTS after confirming HTTPS is correctly configured. Legacy Header DependenceDepending on obsolete headers instead of modern controls can leave a site weaker than expected. No RetestingHeaders should be retested after CMS changes, CDN updates, framework changes and new third-party integrations. How SecPoint® Helps Check Security HeadersSecPoint® Penetrator™ and Cloud Penetrator™ can help identify missing or weak security headers as part of vulnerability scanning and web exposure review. Website ChecksReview public websites and web applications for missing security header controls. TLS ReviewCombine header checks with SSL/TLS configuration review for public web targets. Clear ReportsUse findings to support remediation, customer communication and security project documentation. Recurring ScansRetest after changes and track whether web security hardening improves over time. HTTP Security Header QuestionsThese questions help teams review security headers without relying on outdated checklists. Do Security Headers Stop All Web Attacks?No. Headers reduce specific browser-side risks, but they do not replace secure coding, patching, access control, input validation, authentication review or vulnerability scanning. Which Header Should Be Implemented First?Most sites should review HTTPS, HSTS, X-Content-Type-Options, Referrer-Policy, frame protections and CSP. CSP usually needs the most testing because it can block legitimate scripts and resources. Should Every Website Use the Same Policy?No. A static website, SaaS platform, e-commerce shop, customer portal and API documentation site may need different policies based on content, scripts, integrations and user data. Why Do Header Scanners Give Different Results?Tools may score headers differently. Some check for presence only, while better reviews consider whether the policy is strict, relevant and compatible with the application. Can a CDN Add Security Headers?Yes, many CDNs and reverse proxies can add or rewrite headers. Teams should verify that final browser responses contain the expected headers after CDN, proxy and application processing. How Often Should Headers Be Retested?Retest after application releases, CMS changes, CDN changes, new third-party scripts, payment integrations, authentication changes and server migrations. Check Your Website Security HeadersTalk to SecPoint® about web vulnerability scanning, missing security headers, TLS review, public exposure checks and practical remediation reporting. |