HTTP security headers are response headers that instruct the browser to enable built-in defences against common web attacks: protocol downgrade, cross-site scripting, clickjacking, MIME sniffing and information leakage. Setting them correctly is one of the cheapest, highest-leverage hardening steps for any site.
How it works
Each header is sent by your server or CDN on every HTTP response. The browser
reads the header value and adjusts its behaviour — for example, Strict-Transport-Security
makes the browser remember to use HTTPS, and X-Content-Type-Options: nosniff
stops it from guessing a resource’s content type. This reference lists the
practical security headers, the value you should ship in production, and the
specific attack each one mitigates. Search by name or by keyword such as
clickjacking, mime, or https.
Recommended baseline
A solid hardened set looks like this — adapt the CSP allow-list to your assets:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
X-Frame-Options: DENY
What each header does
Strict-Transport-Security (HSTS)
Tells the browser to only ever contact this site over HTTPS, even if the user types http:// or follows a plain-HTTP link. max-age is the number of seconds to remember this; two years is the recommendation for sites ready to commit. includeSubDomains extends the policy to every subdomain, and preload opts the domain into browser vendor preload lists so the rule is applied even on the very first visit.
Content-Security-Policy (CSP)
The most powerful and most complex header. It defines exactly which origins may supply scripts, styles, images, fonts, and frames. default-src 'self' blocks everything not explicitly listed; object-src 'none' eliminates Flash and plugin injection; frame-ancestors 'none' prevents your pages from being embedded — a more flexible replacement for X-Frame-Options. Always deploy in report-only mode first to collect violations before you enforce.
X-Content-Type-Options: nosniff
Stops browsers from guessing a response’s content type. Without it, a browser might interpret a server-returned image as JavaScript if the content looks like a script. With nosniff, the declared Content-Type is final, blocking a class of MIME-confusion attacks.
Referrer-Policy
Controls how much of the current URL is sent in the Referer header when a user navigates away. strict-origin-when-cross-origin sends the full path for same-origin requests (useful for analytics) but sends only the origin for cross-origin ones, preventing sensitive path components from leaking to third-party domains.
Permissions-Policy
Governs access to browser features like camera, microphone, geolocation, and payment APIs on a per-origin basis. An empty allow-list () disables the feature for all origins including your own, which is appropriate for any feature your site does not use.
Notes and tips
Deploy Content-Security-Policy in report-only mode first to avoid breaking
legitimate resources. The Permissions-Policy syntax uses an allow-list of
origins per feature, where an empty list () disables the feature for everyone.
Avoid the deprecated X-XSS-Protection (set it to 0) and Public-Key-Pins
(removed from browsers). Header name casing is irrelevant for HTTP/1.1 but the
directive values are case-sensitive for tokens like nosniff and DENY.