HTTP Security Headers Guide
HTTP security headers are server response directives that instruct browsers on how to behave when handling your site's content. Implementing them correctly is one of the highest-ROI security improvements available.
Strict-Transport-Security (high priority): Forces browsers to always use HTTPS, preventing SSL stripping attacks and protocol downgrades.
Content-Security-Policy (high priority): The most powerful XSS defense; restricts which resources the browser can load on your page.
X-Frame-Options (high priority): Prevents your site from being embedded in iframes, blocking clickjacking (UI redressing) attacks.
X-Content-Type-Options (medium priority): Prevents browsers from MIME-sniffing responses away from the declared content type.
Referrer-Policy (medium priority): Controls how much referrer information is included when navigating away from your site.
Permissions-Policy (medium priority): Restricts browser feature access (camera, mic, geolocation) for your page and embedded iframes.
Cross-Origin-Opener-Policy (medium priority): Isolates your browsing context from cross-origin documents to prevent cross-origin attacks.
Cross-Origin-Resource-Policy (medium priority): Prevents other origins from loading your resources, protecting against Spectre-based attacks.
Minimum Recommended Headers
Every production website should have at minimum:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; ...
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
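The following audit script is an added example, not code from the original page. It parses a raw HTTP response head and checks it against the minimum header set listed above, so a deploy pipeline or a reviewer can see at a glance which headers are missing or weaker than recommended. The header names and recommended values are taken from the page; the sample responses are constructed, and the audit thresholds (HSTS max-age of at least one year, X-Frame-Options limited to DENY or SAMEORIGIN, and flagging 'unsafe-inline' in the effective script source list of the CSP) are assumptions chosen to match the recommended values.

```python
"""Audit an HTTP response head against the minimum security header set.

Added example, not the page's own code. Sample responses are constructed;
audit thresholds are assumptions matching the page's recommended values.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the HSTS max-age the page recommends


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head into a dict; header names are
    case-insensitive, so keys are lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        if line.upper().startswith("HTTP/"):
            continue  # status line, not a header
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_directives(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' ->
    {'max-age': '31536000', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src 'self' cdn.example' ->
    {'default-src': ["'self'"], 'script-src': ["'self'", 'cdn.example']}"""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers: Dict[str, str]) -> List[str]:
    """Return findings for the minimum set; empty list means all checks passed."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when it is absent
        script_sources = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append("CSP allows 'unsafe-inline' scripts")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in headers:
            findings.append(f"missing {name.title()}")  # e.g. 'Referrer-Policy'
    return findings


# Constructed sample responses (not real captures)
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: ALLOWALL
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit(parse_headers(raw)) or ["all minimum checks passed"])
```

Run the script as-is to see the constructed weak response produce seven findings and the good one produce none; to audit a real deployment, feed it the head captured from your own server (for example the output of `curl -sI https://your-site`) in place of the constructed samples.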