What Are HTTP Security Headers and Why Do They Matter?
Every response your web server sends includes HTTP headers. Some of these headers are critical for security — they tell browsers how to behave and can prevent entire categories of attacks. Here's what you need to know.
Why security headers matter
When a browser loads a webpage, the server sends HTTP headers along with the content. These headers instruct the browser on security policies — like whether scripts can run, whether the page can be embedded in an iframe, and whether connections should always use HTTPS.
Without these headers, your site is vulnerable to:
- Cross-site scripting (XSS) — malicious scripts injected into your page
- Clickjacking — your site embedded in a hidden iframe to trick users
- MIME-type sniffing — browsers misinterpreting file types
- Protocol downgrade attacks — forcing HTTP instead of HTTPS
- Data leakage — referrer URLs exposing sensitive information
The 7 essential security headers
1. Strict-Transport-Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubDomains

Forces browsers to use HTTPS for all future requests to your domain. The max-age value (in seconds) tells the browser how long to remember this policy. One year (31536000 seconds) is standard.
2. Content-Security-Policy (CSP)
Content-Security-Policy: default-src 'self'; script-src 'self'

The most powerful security header. CSP tells the browser exactly which sources are allowed to load scripts, styles, images, and other resources. A strict CSP can prevent almost all XSS attacks.
Start with a restrictive policy and add exceptions as needed. Roll it out in report-only mode first and use report-uri to monitor violations before enforcing.
3. X-Content-Type-Options
X-Content-Type-Options: nosniff

Prevents browsers from MIME-type sniffing — guessing the content type of a response. Without this, a browser might interpret a text file as JavaScript and execute it.
4. X-Frame-Options
X-Frame-Options: DENY

Prevents your site from being embedded in iframes on other domains. This blocks clickjacking attacks where an attacker overlays invisible UI elements on top of your legitimate page.
5. X-XSS-Protection
X-XSS-Protection: 1; mode=block

Activates the browser's built-in XSS filter. While modern browsers have deprecated this in favor of CSP, it still provides defense in depth for older browsers.
6. Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin

Controls how much referrer information is included when navigating away from your site. strict-origin-when-cross-origin sends the full URL for same-origin requests but only the origin for cross-origin requests — a good balance of privacy and functionality.
7. Permissions-Policy
Permissions-Policy: camera=(), microphone=(), geolocation=()

Controls which browser features your site can access. By explicitly disabling features you don't use (camera, microphone, geolocation), you reduce the attack surface if your site is ever compromised.
How to check your headers
Use our HTTP Header Checker to instantly analyze any URL's security headers. It checks all 7 headers and scores your site out of 7.
You can also check headers manually using curl:
curl -I https://your-site.com

How to add security headers
Where you add these headers depends on your hosting setup:
- Cloudflare Pages — use a `_headers` file or Workers
- Netlify — use a `_headers` file or `netlify.toml`
- Vercel — use the `headers` config in `vercel.json`
- Nginx — use `add_header` directives
- Apache — use `Header set` in `.htaccess`
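Putting the checking and hosting sections together, here is an added Python example, written for this page and not the code behind the HTTP Header Checker above. It keeps the seven recommended values in one table (the same strings a `_headers` file, an `add_header` directive or a `Header set` line would carry), parses the text that `curl -I` prints, and scores a response out of 7 the way the checker does, while also flagging weak values such as a short HSTS max-age or a CSP with no default-src. The sample curl output and the set of referrer policies treated as safe are assumptions made for the example.

```python
"""Security-header policy and checker (added example, standard library only)."""
import re
from typing import Callable, Dict, List, Tuple

# The seven headers from the article with the values it recommends.
# A server or middleware can emit this table verbatim.
RECOMMENDED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

ONE_YEAR = 31536000  # seconds, the article's standard HSTS max-age

# Assumption: policies that never send the path cross-origin count as safe.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def _hsts_ok(value: str) -> bool:
    # HSTS only helps if the browser remembers it long enough: require >= one year.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= ONE_YEAR


def _csp_ok(value: str) -> bool:
    # Without default-src, resource types the policy does not name are unrestricted;
    # 'unsafe-inline' in the script sources reopens inline XSS.
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives:
        return False
    script_sources = directives.get("script-src", directives["default-src"])
    return "'unsafe-inline'" not in script_sources


# One predicate per header; a header is counted only if present AND acceptable.
CHECKS: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": _hsts_ok,
    "Content-Security-Policy": _csp_ok,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),
    "Referrer-Policy": lambda v: v.strip().lower() in SAFE_REFERRER_POLICIES,
    "Permissions-Policy": lambda v: bool(v.strip()),
}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn the text `curl -I` prints (status line + 'Name: value' lines) into a dict.
    Repeated headers keep the last value, which is fine for the seven checked here."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers


def score_headers(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score out of 7, findings). Header names compare case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    for name, check in CHECKS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"MISSING {name}: add '{name}: {RECOMMENDED_HEADERS[name]}'")
        elif not check(value):
            findings.append(f"WEAK {name}: got '{value}', expected e.g. '{RECOMMENDED_HEADERS[name]}'")
        else:
            score += 1
    return score, findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Live check over the network: a HEAD request, like `curl -I`. Not used offline."""
    from urllib.request import Request, urlopen
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.getheaders())


# Constructed sample of what `curl -I` might print for a partially hardened site.
SAMPLE_CURL_OUTPUT = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: script-src 'self' 'unsafe-inline'
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: no-referrer-when-downgrade
"""

if __name__ == "__main__":
    total, notes = score_headers(parse_raw_headers(SAMPLE_CURL_OUTPUT))
    print(f"score {total}/7")
    for note in notes:
        print(" -", note)
```

On the constructed sample the site scores 2/7: only nosniff and SAMEORIGIN pass, HSTS is far below a year, the CSP has no default-src fallback, the referrer policy still leaks the full URL to HTTPS destinations, and two headers are absent. Emitting `RECOMMENDED_HEADERS` from any of the hosting setups listed above scores 7/7.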