What exactly do security headers do?
Every time a browser requests a web page, the server responds not only with HTML, but also with HTTP headers. These headers can include instructions for how the browser should behave.
Security headers tell the browser, for example, whether scripts from other domains are allowed, if the site may be embedded in an iframe, or how to handle potentially unsafe content.
Important security headers
- Content-Security-Policy (CSP)
Defines which sources (scripts, styles, images) are allowed. Protects against XSS.
- Strict-Transport-Security (HSTS)
Forces HTTPS on future visits. Prevents downgrade attacks.
- X-Content-Type-Options
Enforces the stated content type. Prevents MIME-sniffing.
- X-Frame-Options
Prevents your site from being embedded in an iframe. Blocks clickjacking.
- Referrer-Policy
Controls what referrer data is shared with other websites.
- Permissions-Policy (formerly Feature-Policy)
Restricts browser APIs like camera or geolocation.
How to configure them
You can add security headers via your web server (Nginx, Apache) or through your hosting platform or CDN (like Netlify, Vercel, Cloudflare).
Example in Nginx:
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "DENY";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
Always test your headers using tools like:
- securityheaders.com
- observatory.mozilla.org
Common mistakes
- Missing headers entirely
- Overly strict or too loose CSP rules
- Conflicts with third-party scripts (e.g. analytics, embeds)
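A quick way to catch the mistakes listed above before running an online scanner is to audit the response headers yourself. The following script is an added example, not part of the original article: it parses the head of a raw HTTP response (as captured with `curl -sI`, for instance), then flags headers that are missing or that carry weak values, such as an HSTS `max-age` shorter than a year, a CSP that allows `'unsafe-inline'`, or a `Referrer-Policy` that sends full URLs to other sites. The sample response and the one-year threshold are constructed for illustration.

```python
"""Audit the security headers in a raw HTTP response.

Added example (not from the original article). The sample response below is
constructed for illustration; in practice you would feed in the output of
`curl -sI https://your-site.example/`.
"""
import re

# Minimum HSTS lifetime used by this checker: one year, in seconds (assumed threshold).
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample: several headers are present but configured weakly.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: ALLOWALL
Referrer-Policy: no-referrer-when-downgrade
"""


def parse_headers(raw):
    """Parse the header section of a raw HTTP response into a dict.

    Header names are case-insensitive, so keys are lower-cased. Repeated
    headers are joined with ", " as HTTP permits. The status line is skipped
    and parsing stops at the first blank line (end of the header section).
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line instead of aborting
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers):
    """Return a list of (severity, message) findings; empty means all checks pass."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("missing", "Strict-Transport-Security not set"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("weak", f"HSTS max-age below one year: {hsts}"))

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("missing", "Content-Security-Policy not set"))
    else:
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            findings.append(("weak", "CSP allows 'unsafe-inline' or 'unsafe-eval'"))
        if "default-src" not in csp:
            findings.append(("weak", "CSP has no default-src fallback directive"))

    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(("missing", "X-Content-Type-Options: nosniff not set"))

    # Framing can be restricted by X-Frame-Options or by CSP frame-ancestors.
    xfo = headers.get("x-frame-options")
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp
    if xfo is None and not has_frame_ancestors:
        findings.append(("missing", "No X-Frame-Options and no CSP frame-ancestors"))
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("weak", f"X-Frame-Options has an unsupported value: {xfo}"))

    rp = headers.get("referrer-policy")
    if rp is None:
        findings.append(("missing", "Referrer-Policy not set"))
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("weak", f"Referrer-Policy sends full URLs to other sites: {rp}"))

    if "permissions-policy" not in headers:
        findings.append(("missing", "Permissions-Policy not set"))

    return findings


def audit_response(raw):
    """Parse a raw response and audit its headers in one call."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for severity, message in audit_response(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the script reports six findings: a too-short HSTS lifetime, a CSP with `'unsafe-inline'`, a missing `X-Content-Type-Options`, an invalid `X-Frame-Options` value, a leaky `Referrer-Policy`, and a missing `Permissions-Policy`. A response that sets all six headers with sound values produces no findings.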
Why it matters
Proper security headers prevent many threats before they happen. They offer a proactive baseline of defense, which you can combine with HTTPS, input validation, and monitoring.
Want to check how secure your headers are? Or need a solid starting setup? We're happy to help.