Security headers are HTTP response headers that instruct browsers to enforce policies which mitigate XSS, clickjacking, and other client-side threats.
Essential headers
- Content-Security-Policy (CSP): Controls which sources scripts, styles, and other resources may be loaded from.
- Strict-Transport-Security (HSTS): Forces HTTPS for all connections to the site.
- X-Frame-Options: Prevents clickjacking by blocking the page from being framed.
- X-Content-Type-Options: Prevents MIME sniffing by making browsers honour the declared Content-Type.
- Referrer-Policy: Controls how much referrer information is shared with other sites.
Implementation
- Configure the headers in the web server (Nginx, Apache, IIS).
- Test with browser dev tools and online header scanners.
- Start CSP in report-only mode so violations are reported without breaking site functionality.
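The testing step above can be automated. The following checker is an added example, not code from the original page: it takes the headers of one HTTP response and reports which of the five headers are missing or weak. The sample header sets are constructed, and the one-year HSTS minimum is an assumed baseline rather than a value from the page.

```python
import re

HSTS_MIN_AGE = 31536000  # one year; assumed baseline, not from the page
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def audit_headers(headers):
    """Return a list of findings for one response; [] means all checks pass.
    Header names are case-insensitive, so lookups are lower-cased."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    csp_ro = h.get("content-security-policy-report-only")
    if csp is None and csp_ro is None:
        findings.append("CSP: missing")
    elif csp is None:
        findings.append("CSP: report-only (not enforced yet)")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
        # Browsers ignore 'unsafe-inline' when nonces or hashes are present.
        findings.append("CSP: 'unsafe-inline' without nonces/hashes weakens XSS protection")

    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts) if hsts else None
    if hsts is None:
        findings.append("HSTS: missing")
    elif not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS: max-age below one year")

    # An enforced CSP frame-ancestors directive also covers framing.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or ""):
        findings.append("X-Frame-Options: missing or permissive")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy: missing or leaks full URL cross-origin")
    return findings

# Constructed sample responses: one hardened, one with typical weaknesses.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or ["all checks passed"])
```

To audit a live site, build the dict from `response.getheaders()` of an `http.client.HTTPSConnection` response and pass it to `audit_headers`.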
Related terms
- Cross-Site Request Forgery (CSRF): An attack that tricks a victim into submitting unauthorized requests using their authenticated session.
- Cross-Site Scripting (XSS): A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
- HTML Entity Encoding: A method of representing special characters in HTML using named or numeric references to prevent interpretation as code.
- HTTP Cookie: Small pieces of data stored by web browsers, used for session management, personalization, and tracking.
- JSON Web Token (JWT): A compact, URL-safe token format used to securely transmit claims between parties in web applications.
- Subresource Integrity (SRI): A security feature that allows browsers to verify that files from CDNs have not been tampered with.