
Key headers harden your site against common web attacks. Use them consistently on all pages (including errors, assets, and redirects).

Core headers

  • HSTS: force HTTPS for your domain and subdomains; consider preload.
  • CSP: block inline code, allow scripts via nonces/hashes; isolate third-party content; set frame-ancestors.
  • X-Content-Type-Options: nosniff to prevent MIME sniffing.
  • Referrer-Policy: limit referrer data (e.g., strict-origin-when-cross-origin).
  • Permissions-Policy: explicitly disable unused features (camera, mic, geolocation, etc.).

Rollout tips

  • Start with Report-Only for CSP to collect violations.
  • Serve headers on every route (HTML, API, static).
  • Test with multiple browsers and tools; monitor reports.

In brief

Set the core security headers: HSTS, CSP, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

5-minute checklist

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • Content-Security-Policy: default-src 'self'; …
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()

Further reading