HTTP Security Headers Explained
HSTS, CSP, X-Frame-Options, Referrer-Policy — what each header does, how to set it, and the grade it earns you.
Security headers are the cheapest defense you can add to a web application — they're a few lines of server config that tell browsers to enforce HTTPS, block XSS, and prevent clickjacking. Yet many sites still ship without them.
The 6 essential headers
1. Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS for all future visits, preventing SSL strip attacks on public Wi-Fi:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
A max-age of 2 years (63,072,000 seconds) is the recommendation. Add preload once you're confident — it submits your domain to the HSTS preload list built into browsers.
2. Content-Security-Policy (CSP)
The most powerful header. CSP defines a whitelist of allowed content sources, blocking inline scripts and unauthorized external resources:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:
Start permissive (unsafe-inline) and tighten over time. A strict CSP eliminates most XSS vectors.
3. X-Frame-Options
Prevents your page from being embedded in an iframe — the classic clickjacking defense:
X-Frame-Options: SAMEORIGIN
Modern CSP frame-ancestors directive supersedes this, but keep both for older browsers.
4. Referrer-Policy
Controls how much referrer information is leaked when users click outbound links:
Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL for same-origin requests but only the origin (not the path) for cross-origin HTTPS requests.
5. X-Content-Type-Options
Stops browsers from MIME-sniffing responses away from the declared Content-Type:
X-Content-Type-Options: nosniff
Without this, a user-uploaded text file might be rendered as HTML.
6. Permissions-Policy
Replaces the old Feature-Policy. Lets you disable browser APIs you don't use:
Permissions-Policy: camera=(), microphone=(), geolocation=()
Grading methodology
Security header analyzers grade sites A-F based on which headers are present and how well they're configured:
| Grade | Criteria |
|---|---|
| A | All 6 headers present, CSP is strict, HSTS has preload |
| B | 5+ headers, minor issues (no preload, permissive CSP) |
| C | 3-4 headers, missing CSP or HSTS |
| D | 1-2 headers only |
| F | No security headers |
Run the Security Headers Analyzer on any URL to get an instant A-F grade with actionable recommendations for each missing or misconfigured header.