Question 1

What security headers should every website have?

Accepted Answer

Essential headers include: Content-Security-Policy (CSP) to prevent XSS, Strict-Transport-Security (HSTS) to enforce HTTPS, X-Content-Type-Options: nosniff to prevent MIME sniffing, X-Frame-Options to prevent clickjacking, and Referrer-Policy to control referrer information. Each provides defense against specific attack vectors. See our complete HTTP security headers guide.

Question 2

How does Content-Security-Policy (CSP) work?

Accepted Answer

CSP is a whitelist-based policy that tells browsers which sources are allowed to load scripts, styles, images, and other resources. Directives like script-src, style-src, and img-src control each resource type. A well-configured CSP blocks inline scripts and external resources from untrusted origins, preventing XSS attacks. Learn about CSP report-only mode for testing.

Question 3

What is HSTS and why is it important?

Accepted Answer

HTTP Strict Transport Security (HSTS) instructs browsers to only access your site via HTTPS, preventing protocol downgrade attacks and cookie hijacking. The max-age directive specifies how long to remember this policy. includeSubDomains applies to all subdomains, and preload allows inclusion in browser preload lists for protection from the first visit. Read our complete HSTS guide.

Question 4

How do I prevent clickjacking attacks?

Accepted Answer

Use X-Frame-Options or CSP frame-ancestors to control whether your site can be embedded in iframes. X-Frame-Options: DENY prevents all framing. SAMEORIGIN allows framing only from your own origin. CSP frame-ancestors provides more granular control and is the modern replacement for X-Frame-Options. Read our X-Frame-Options vs CSP frame-ancestors comparison.

Question 5

What is the X-Content-Type-Options header?

Accepted Answer

X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing responses away from the declared Content-Type. This stops attackers from disguising malicious content (like scripts) as benign types (like images). Always include this header to ensure browsers respect your intended content types. See common security header misconfigurations and how to avoid them.

Question 6

How do I test my security headers configuration?

Accepted Answer

Use this tool to analyze your headers and get specific recommendations. Check for missing headers, weak configurations, and best-practice violations. Test both your main domain and subdomains. Remember that security headers work in layers - implement as many as possible for defense in depth. Troubleshoot security headers validation failures.

Security Headers Analyzer

Security Headers Analyzer - Free HTTP Security Header Checker

Example: Header Analysis Results

What You Can Analyze:

Security Checks Performed:

Need Help Implementing Security Headers?

Frequently Asked Questions

Explore More Tools

Password Strength Checker

Password Generator

CVE Vulnerability Search & Timeline

CWE Lookup Tool

CVSS Calculator

SystemLens

⚠️ Security Notice