Skip to main content
securityweb

HTTP Security Headers Explained

HSTS, CSP, X-Frame-Options, Referrer-Policy — what each header does, how to set it, and the grade it earns you.

Astound1 min read

Security headers are the cheapest defense you can add to a web application — they're a few lines of server config that tell browsers to enforce HTTPS, block XSS, and prevent clickjacking. Yet many sites still ship without them.

The 6 essential headers

1. Strict-Transport-Security (HSTS)

Forces browsers to use HTTPS for all future visits, preventing SSL strip attacks on public Wi-Fi:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

A max-age of 2 years (63,072,000 seconds) is the recommendation. Add preload once you're confident — it submits your domain to the HSTS preload list built into browsers.

2. Content-Security-Policy (CSP)

The most powerful header. CSP defines a whitelist of allowed content sources, blocking inline scripts and unauthorized external resources:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:

Start permissive (unsafe-inline) and tighten over time. A strict CSP eliminates most XSS vectors.

3. X-Frame-Options

Prevents your page from being embedded in an iframe — the classic clickjacking defense:

X-Frame-Options: SAMEORIGIN

Modern CSP frame-ancestors directive supersedes this, but keep both for older browsers.

4. Referrer-Policy

Controls how much referrer information is leaked when users click outbound links:

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests but only the origin (not the path) for cross-origin HTTPS requests.

5. X-Content-Type-Options

Stops browsers from MIME-sniffing responses away from the declared Content-Type:

X-Content-Type-Options: nosniff

Without this, a user-uploaded text file might be rendered as HTML.

6. Permissions-Policy

Replaces the old Feature-Policy. Lets you disable browser APIs you don't use:

Permissions-Policy: camera=(), microphone=(), geolocation=()

Grading methodology

Security header analyzers grade sites A-F based on which headers are present and how well they're configured:

GradeCriteria
AAll 6 headers present, CSP is strict, HSTS has preload
B5+ headers, minor issues (no preload, permissive CSP)
C3-4 headers, missing CSP or HSTS
D1-2 headers only
FNo security headers

Run the Security Headers Analyzer on any URL to get an instant A-F grade with actionable recommendations for each missing or misconfigured header.

AstoundPart of the Astound Dev Tools writing on developer tools.