What security headers do
HTTP security headers are instructions sent by a website with its response. They help the browser decide how to handle framing, content types, scripts, referrers, and encrypted connections. They do not fix insecure code by themselves, but they reduce avoidable browser-side risk.
Headers worth knowing
- Strict-Transport-Security tells browsers to connect to the site over HTTPS only, for as long as the header's max-age specifies.
- X-Content-Type-Options (with the value nosniff) stops the browser from guessing a response's content type instead of trusting the declared one.
- X-Frame-Options can reduce clickjacking exposure by limiting which sites may embed the page in a frame.
- Referrer-Policy controls how much URL information is sent to other sites when a user follows a link or a resource is loaded.
- Content-Security-Policy can limit which scripts, frames, and resources a page may load, and from where.
Common mistakes
The biggest mistake is copying a strict policy without testing. A broken CSP can block scripts, analytics, login widgets, or payment pages. Start with clear goals, test in report-only mode when possible (the Content-Security-Policy-Report-Only header reports violations without blocking anything), and tighten gradually.
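To make the rollout advice concrete, here is an added example (not code from the original page) that checks a set of response headers for the five headers listed above and reports which are weak, missing, or still in report-only mode. The sample headers at the bottom are constructed to look like a site mid-rollout; the 180-day HSTS threshold is a choice made for this example.

```python
# Added example, not from the original page: audit response headers for the
# five headers listed above. Sample headers at the bottom are constructed.
import re

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
SIX_MONTHS = 15552000  # HSTS max-age below this gives only a short-lived guarantee

def audit_headers(headers):
    """Map each header name to 'ok' or a short description of the weakness."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    out = {}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        out["Strict-Transport-Security"] = "missing or no max-age"
    else:
        out["Strict-Transport-Security"] = "ok" if int(m.group(1)) >= SIX_MONTHS else "max-age too short"
    out["X-Content-Type-Options"] = "ok" if h.get("x-content-type-options", "").lower() == "nosniff" else "missing or not 'nosniff'"
    out["X-Frame-Options"] = "ok" if h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN") else "missing or permissive"
    out["Referrer-Policy"] = "ok" if h.get("referrer-policy", "").lower() in SAFE_REFERRER else "missing or leaks full URLs"
    enforced = h.get("content-security-policy")
    policy = enforced or h.get("content-security-policy-report-only")
    if not policy:
        out["Content-Security-Policy"] = "missing"
        return out
    directives = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src falls back to default-src when it is not set explicitly
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
        out["Content-Security-Policy"] = "script-src allows inline/eval"
    elif not enforced:
        out["Content-Security-Policy"] = "report-only, not yet enforced"
    else:
        out["Content-Security-Policy"] = "ok"
    return out

# Constructed sample: a site mid-rollout, trying CSP in report-only mode first.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {finding}")
```

Run against live headers by passing the dictionary your HTTP client returns; the check flags the leaky Referrer-Policy and the inline-script allowance in the sample before the CSP is ever enforced.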
FAQ
Do headers replace a security review?
No. They are one layer. You still need secure coding, updates, access control, and monitoring.
Should every site use the same headers?
No. Good defaults help, but each site has different scripts, frames, APIs, and hosting needs.