Secure HTTP Headers: A Compact Guide

Secure HTTP Headers: A Compact Guide

Key headers harden your site against common web attacks. Use them consistently on all pages (including errors, assets, and redirects).

Core headers

• HSTS: force HTTPS for your domain and subdomains; consider preload.
• CSP: block inline code, allow scripts via nonces/hashes; isolate third‑party content; set frame‑ancestors.
• X-Content-Type-Options: nosniff to prevent MIME sniffing.
• Referrer-Policy: limit referrer data (e.g., strict-origin-when-cross-origin).
• Permissions-Policy: explicitly disable unused features (camera, mic, geolocation, etc.).

Rollout tips

• Start with Report-Only for CSP to collect violations.
• Serve headers on every route (HTML, API, static).
• Test with multiple browsers and tools; monitor reports.