Syntax Candy

Security Headers Explained

Protect your web applications with essential security headers

Content-Security-Policy (CSP)

Restricts the sources the browser may load resources from and, with a policy like the one below, blocks inline scripts.

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com

Mitigates cross-site scripting (XSS) and other content-injection attacks.

X-Content-Type-Options

Prevents browsers from MIME-sniffing content.

X-Content-Type-Options: nosniff

Always serve correct content types.

X-Frame-Options

Controls whether your site can be embedded in iframes.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Protects against clickjacking attacks.

Strict-Transport-Security (HSTS)

Instructs browsers to reach the site only over HTTPS for the duration of max-age.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Prevents downgrade attacks.

X-XSS-Protection

Legacy header for older browsers (largely replaced by CSP).

X-XSS-Protection: 1; mode=block

Referrer-Policy

Controls how much referrer information to share.

Referrer-Policy: strict-origin-when-cross-origin

Protects user privacy.

Permissions-Policy

Controls browser features (camera, microphone, geolocation).

Permissions-Policy: geolocation=(), camera=()

Implementation Tips

  • Use security header tools to audit your site
  • Start with moderate restrictions, increase gradually
  • Test CSP in report-only mode first
  • Monitor security header compliance
  • Keep headers updated with new best practices

Common CSP Directives

  • default-src: Fallback for all other directives
  • script-src: JavaScript sources
  • style-src: CSS sources
  • img-src: Image sources
  • font-src: Font sources
  • connect-src: XHR, WebSocket, etc.
