Secure HTTP Headers: A Compact Guide
Key headers harden your site against common web attacks. Use them consistently on all pages (including errors, assets, and redirects).
Core headers
- HSTS: force HTTPS for your domain and subdomains; consider preload.
- CSP: block inline code, allow scripts via nonces/hashes; isolate third-party content; set frame-ancestors.
- X-Content-Type-Options: nosniff to prevent MIME sniffing.
- Referrer-Policy: limit referrer data (e.g., strict-origin-when-cross-origin).
- Permissions-Policy: explicitly disable unused features (camera, mic, geolocation, etc.).
Rollout tips
- Start with Report-Only for CSP to collect violations.
- Serve headers on every route (HTML, API, static).
- Test with multiple browsers and tools; monitor reports.
In brief
Set the core security headers: HSTS, CSP, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
5-minute checklist
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; …
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
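The checklist above, built per response and then audited the way a rollout test would check every route; this is an added Python example, not code from the guide. The CSP directives, the per-response nonce and the /csp-report path are assumptions (the guide elides its full CSP).

```python
from typing import Dict, List
ONE_YEAR = 31536000  # HSTS max-age the checklist uses (one year in seconds)

def security_headers(nonce: str, report_only: bool = False) -> Dict[str, str]:
    """Build the checklist's core header set for one response."""
    # Assumed baseline CSP (the guide elides its full policy): scripts only from
    # self plus a per-response nonce, no 'unsafe-inline', framing denied.
    csp = ("default-src 'self'; " f"script-src 'self' 'nonce-{nonce}'; "
           "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")
    # Rollout tip: ship CSP as Report-Only first. The /csp-report path is assumed.
    csp_name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains; preload",
        csp_name: csp + "; report-uri /csp-report",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        max_age = next((p[len("max-age="):] for p in parts if p.startswith("max-age=")), "0")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in parts:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:  # Report-Only counts as present but not yet enforced
        csp = h.get("content-security-policy-report-only")
        findings.append("CSP missing" if csp is None else "CSP is Report-Only (not enforced yet)")
    if csp is not None:
        directives = {d.strip().split(" ", 1)[0]: d.strip() for d in csp.split(";") if d.strip()}
        scripts = directives.get("script-src") or directives.get("default-src", "")
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline scripts ('unsafe-inline')")
        if "frame-ancestors" not in directives:
            findings.append("CSP lacks frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name}")
    return findings
```

Run audit_headers against the response headers of an HTML page, an API route, a static asset and an error page; any non-empty list is a route that missed the rollout.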
Further reading