Why Security Headers Matter
HTTP security headers are your first line of defense against common web attacks. They're free, they take minutes to configure, and they block entire classes of vulnerabilities.
Yet over 70% of websites are missing critical security headers. Here's every header you need and how to set them up.
Essential Headers
Content-Security-Policy (CSP)
CSP prevents Cross-Site Scripting (XSS) by controlling which resources the browser is allowed to load.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'
What it does: Only allows scripts from your own domain. Blocks inline scripts (the primary XSS vector). Controls where images, fonts, and styles can load from.
Start strict, loosen as needed. Begin with default-src 'self' and add exceptions for legitimate third-party resources.
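A small policy linter makes the "start strict" advice checkable. This is an added example, not code from the original post: it parses a CSP string into its directives and flags the script-src weaknesses the text warns about (no default-src fallback, 'unsafe-inline', 'unsafe-eval', or wildcard hosts). The function names and the sample policies are this example's own.

```javascript
// Added example (not from the original post): parse a Content-Security-Policy
// value and flag weak script-src settings. Names and sample policies are
// constructed for this example.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a directive name.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source expressions that defeat the point of script-src: inline or eval'd
// code, or "any host at all".
const WEAK_SCRIPT_SOURCES = new Set([
  "'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:',
]);

function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];

  if (!d.has('default-src')) {
    findings.push('default-src missing: any fetch directive you forget is unrestricted');
  }

  // script-src falls back to default-src when it is absent.
  const scriptSrc = d.get('script-src') ?? d.get('default-src');
  if (scriptSrc === undefined) {
    findings.push('scripts unrestricted: neither script-src nor default-src is set');
    return findings;
  }

  // When a nonce or hash source is present, browsers implementing CSP Level 2
  // or later ignore 'unsafe-inline', so that combination is a compatibility
  // fallback rather than a weakness.
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  for (const src of scriptSrc) {
    const lower = src.toLowerCase();
    if (lower === "'unsafe-inline'" && hasNonceOrHash) continue;
    if (WEAK_SCRIPT_SOURCES.has(lower)) {
      findings.push(`script-src allows ${src}: inline or untrusted scripts can run`);
    }
  }
  return findings;
}

// Constructed sample policies: the post's own strict policy and a loose one.
const STRICT_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'";
const WEAK_POLICY = "script-src 'self' 'unsafe-inline' https:; img-src *";

console.log('strict:', lintCsp(STRICT_POLICY)); // []
console.log('weak:', lintCsp(WEAK_POLICY));     // three findings
```

Run it against the header value you actually serve (for example the Content-Security-Policy entry from a fetch response) before loosening anything; each finding corresponds to one exception you would otherwise be adding without noticing.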
Strict-Transport-Security (HSTS)
Forces HTTPS connections. Once a browser has seen this header over HTTPS, it will not make a plain HTTP request to your domain for as long as max-age lasts.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Critical: Set max-age to at least 1 year (31536000 seconds). Include includeSubDomains to protect all subdomains. Submit to the HSTS preload list for maximum protection.
X-Frame-Options
Prevents clickjacking by controlling whether your site can be embedded in iframes.
X-Frame-Options: DENY
Use DENY unless you specifically need iframe embedding, in which case use SAMEORIGIN.
X-Content-Type-Options
Prevents MIME-type sniffing attacks.
X-Content-Type-Options: nosniff
Always set this. There's no downside.
Referrer-Policy
Controls how much referrer information is sent with requests.
Referrer-Policy: strict-origin-when-cross-origin
This sends the origin (domain) but not the full URL path when navigating to other sites.
Permissions-Policy
Controls which browser features your site can use (camera, microphone, geolocation, etc.).
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Disable every feature you don't use. This limits what an attacker can do even if they find an XSS vulnerability.
Advanced Headers
Cross-Origin-Opener-Policy (COOP)
Cross-Origin-Opener-Policy: same-origin
Isolates your browsing context. Prevents other sites from gaining a reference to your window object.
Cross-Origin-Resource-Policy (CORP)
Cross-Origin-Resource-Policy: same-origin
Prevents other sites from loading your resources. Protects against Spectre-type side-channel attacks.
Cross-Origin-Embedder-Policy (COEP)
Cross-Origin-Embedder-Policy: require-corp
Required for features like SharedArrayBuffer. Ensures all loaded resources have explicit CORP/CORS headers.
Testing Your Headers
Don't guess — scan. Tools like VulnScan.pro automatically check all security headers and grade your configuration against OWASP best practices.
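What a header scan actually checks, as an added example that is not part of the original post and not the scanner's own code: given the response headers of one page, it parses HSTS, validates each header covered above, and returns graded findings instead of a single pass/fail. The helper names, severities and the two sample header sets are constructed for this example.

```javascript
// Added example (not from the original post): audit one response's security
// headers and return findings. Sample header sets below are constructed.

const ONE_YEAR = 31536000; // the minimum max-age the post recommends

function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const token = part.trim().toLowerCase();
    if (token.startsWith('max-age=')) {
      const n = Number.parseInt(token.slice('max-age='.length), 10);
      if (Number.isFinite(n)) result.maxAge = n;
    } else if (token === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (token === 'preload') {
      result.preload = true;
    }
  }
  return result;
}

function auditHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = new Map(
    Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim()]),
  );
  const findings = [];
  const add = (severity, header, message) => findings.push({ severity, header, message });

  if (!h.has('content-security-policy')) {
    add('fail', 'Content-Security-Policy', 'missing; the browser cannot block injected scripts');
  }

  const hsts = h.get('strict-transport-security');
  if (hsts === undefined) {
    add('fail', 'Strict-Transport-Security', 'missing; browsers may still connect over plain HTTP');
  } else {
    const { maxAge, includeSubDomains, preload } = parseHsts(hsts);
    if (maxAge === null || maxAge < ONE_YEAR) {
      add('fail', 'Strict-Transport-Security', `max-age ${maxAge} is below one year (${ONE_YEAR})`);
    }
    if (!includeSubDomains) add('warn', 'Strict-Transport-Security', 'includeSubDomains missing; subdomains are unprotected');
    if (!preload) add('warn', 'Strict-Transport-Security', 'preload missing; the very first visit is not protected');
  }

  const xfo = (h.get('x-frame-options') ?? '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    add('fail', 'X-Frame-Options', 'missing or not DENY/SAMEORIGIN; the page can be framed');
  }

  if ((h.get('x-content-type-options') ?? '').toLowerCase() !== 'nosniff') {
    add('fail', 'X-Content-Type-Options', 'not nosniff; MIME sniffing is possible');
  }

  const referrer = (h.get('referrer-policy') ?? '').toLowerCase();
  if (referrer === '') {
    add('warn', 'Referrer-Policy', 'missing; the browser default applies');
  } else if (referrer === 'unsafe-url' || referrer === 'no-referrer-when-downgrade') {
    add('warn', 'Referrer-Policy', `${referrer} sends full URLs to other sites`);
  }

  if (!h.has('permissions-policy')) {
    add('warn', 'Permissions-Policy', 'missing; browser features are not restricted');
  }

  // The advanced headers are reported at info level: valuable, but not every
  // site needs cross-origin isolation.
  for (const name of ['cross-origin-opener-policy', 'cross-origin-resource-policy', 'cross-origin-embedder-policy']) {
    if (!h.has(name)) add('info', name, 'missing; consider it for cross-origin isolation');
  }
  return findings;
}

function countBySeverity(findings) {
  const counts = { fail: 0, warn: 0, info: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample responses: one configured as the post recommends, one not.
const GOOD_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
};
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
  'Referrer-Policy': 'unsafe-url',
};

console.log(countBySeverity(auditHeaders(GOOD_HEADERS))); // { fail: 0, warn: 0, info: 0 }
console.log(countBySeverity(auditHeaders(WEAK_HEADERS))); // { fail: 4, warn: 4, info: 3 }
```

To audit a live page, pass a plain object, for example `auditHeaders(Object.fromEntries(response.headers))` after a `fetch()`. Note that the nginx snippet further down omits `preload` and would therefore produce one warn-level finding, which is a deliberate choice rather than a mistake if you have not yet submitted the domain to the preload list.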
Common mistakes:
Quick Implementation
Nginx:
add_header Content-Security-Policy "default-src 'self';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
Next.js (next.config.js):
const securityHeaders = [
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
];
// Return the list from headers() so Next.js applies it to every route.
module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};
The Bottom Line
Security headers take 30 minutes to set up and block entire categories of attacks for free. There's no excuse not to have them.
Check your headers now. Run a Quick Scan and see exactly what's missing.