
HTTP Security Headers Explained: What They Are and How to Set Them

25 Mar 2026 7 min read

HTTP security headers are response headers your server sends to tell the browser how it may handle your site's content: what it may load, where it may be framed, how it may be reached. They are cheap to deploy and, because the browser enforces them on every response, they blunt whole classes of attack rather than single bugs. Use our Security Headers Checker to see which ones you are missing.

Content-Security-Policy (CSP)

The most powerful of the set. CSP tells the browser which sources it may load scripts, styles, images and other resources from, and whether inline code is allowed at all. It does not stop an attacker injecting markup into your page, but a strict policy stops the injected script from running, which is what turns most Cross-Site Scripting (XSS) findings from exploitable into cosmetic. Two caveats for the policy below: 'unsafe-inline' is granted only to style-src, never to script-src, where it would undo the protection (use nonces or hashes for inline scripts you cannot move into files); and a policy this strict breaks pages that rely on inline event handlers or third-party scripts, so roll it out with Content-Security-Policy-Report-Only first and read the violation reports before enforcing.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

X-Frame-Options

Tells the browser whether your pages may be loaded inside a frame. DENY refuses all framing, SAMEORIGIN allows it only from your own origin. This stops clickjacking, where an attacker overlays an invisible frame of your site on a page they control and tricks the user into clicking inside it. The CSP frame-ancestors directive does the same job with a proper allowlist and takes precedence where both are present; keep X-Frame-Options for older browsers.

X-Frame-Options: DENY
# or
X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Tells the browser to trust the Content-Type you send instead of guessing ("sniffing") the type from the bytes. Without it, a file served as text/plain, for example a user upload, can be fetched through a script or style tag and executed as JavaScript or CSS; with nosniff the browser blocks such requests unless the declared type matches. It only helps if your server sets correct Content-Type headers in the first place.

X-Content-Type-Options: nosniff

Referrer-Policy

Controls how much of the current URL is sent in the Referer header, both when the user navigates away and when the page requests subresources such as images or scripts. Without it, a URL carrying a session token, password-reset code or search query can reach third-party servers and their logs. strict-origin-when-cross-origin sends the full URL to your own origin, only the scheme and host to other HTTPS sites, and nothing at all when going from HTTPS to HTTP. Modern browsers use this as their default, but setting it explicitly pins the behaviour for older ones.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls which browser features (camera, microphone, geolocation and others) your pages, and any iframes they embed, may use. An empty allowlist, written (), disables the feature everywhere on the page, including for your own origin and any embedded third-party content; (self) keeps it for your origin only. Disabling what you do not use means an injected script or compromised embed cannot quietly turn it on either. The header replaced the older Feature-Policy syntax.

Permissions-Policy: camera=(), microphone=(), geolocation=()

Strict-Transport-Security (HSTS)

Tells the browser that, for max-age seconds after it first sees the header over HTTPS, it must rewrite every http:// request to your host as https:// before sending it, and must not let the user click through certificate errors. This closes the window in which a network attacker downgrades the first plain-HTTP request. Two limits to keep in mind: the browser ignores the header when received over plain HTTP, and it cannot protect the very first visit unless your domain is on the browser preload list. Start with a short max-age, then raise it to a year or more and add includeSubDomains once every subdomain serves valid HTTPS. See our SSL best practices guide for details.

How to add security headers

Set them once in the web server configuration so every response carries them, then confirm with curl or the checker that they actually appear, including on error pages and redirects:

# Nginx. add_header in a location block replaces, rather than extends, the
# headers inherited from the server or http block, so repeat the full set
# wherever you use add_header. "always" also sends them on 4xx/5xx responses.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Apache (requires mod_headers). "always" applies the header to error
# responses as well as successful ones.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
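The header values explained in the sections above can be checked mechanically once the configuration is in place. The script below is an added example written for this article (it is not the Security Headers Checker the article links to, nor any server's code): it parses one response's headers, applies one check per header from the sections above, and returns a list of findings. The WEAK and HARDENED header sets are constructed samples, not captured from a real site; check_headers() itself accepts any dict of headers, for example dict(resp.headers.items()) from a urllib response to a live site.

```python
"""Offline check of the response headers covered in this article.

Added example, not the article's own checker. check_headers() takes one
response's headers as a dict (any letter case) and returns a list of
findings; an empty list means every check passed.
"""
from __future__ import annotations

import re

MIN_HSTS_MAX_AGE = 31_536_000  # one year, the floor the HSTS preload list accepts
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin",
                          "strict-origin", "strict-origin-when-cross-origin"}
SAFE_XFO = {"DENY", "SAMEORIGIN"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}; names lowercased."""
    out: dict[str, list[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def csp_findings(policy: str) -> list[str]:
    """Judge the script sources of one policy (script-src, else default-src)."""
    csp = parse_csp(policy)
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is None:
        return ["CSP: no script-src or default-src, scripts are unrestricted"]
    found: list[str] = []
    # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline' (a migration aid).
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in sources)
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        found.append("CSP: 'unsafe-inline' in script-src lets injected inline scripts run")
    if "'unsafe-eval'" in sources:
        found.append("CSP: 'unsafe-eval' in script-src allows eval() and new Function()")
    for s in sources:
        if s == "*" or s in ("http:", "https:", "data:"):  # any host or data URL may serve scripts
            found.append(f"CSP: overly broad script source {s}")
    return found


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    found: list[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        found.append("Content-Security-Policy missing")
    else:
        found.extend(csp_findings(csp))

    # Clickjacking: CSP frame-ancestors wins where present; else X-Frame-Options must be sane.
    framed_by_csp = csp is not None and "frame-ancestors" in parse_csp(csp)
    if not framed_by_csp and h.get("x-frame-options", "").upper() not in SAFE_XFO:
        found.append("clickjacking: no frame-ancestors and X-Frame-Options not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        found.append("X-Content-Type-Options is not 'nosniff'")

    # Referrer-Policy may carry a comma-separated fallback list; the last recognised value wins.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",") if p.strip()]
    if not policies:
        found.append("Referrer-Policy missing")
    elif policies[-1] not in SAFE_REFERRER_POLICIES:
        found.append(f"Referrer-Policy '{policies[-1]}' can leak full URLs cross-origin")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        found.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            found.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            found.append("Strict-Transport-Security lacks includeSubDomains")

    if "permissions-policy" not in h:
        found.append("Permissions-Policy missing")
    return found


# Constructed samples, not captured from a real site.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "Referrer-Policy": "unsafe-url",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "style-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs) or ["all checks passed"])
```

Run as-is, the weak sample produces eight findings and the hardened one passes. The permissive script-src in WEAK is exactly the pattern the CSP section warns about: 'unsafe-inline' plus a bare https: scheme, which together let any HTTPS host and any injected inline script run.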
