HTTP Security Headers: 5 Essential Headers to Protect Your Website

What Are HTTP Security Headers?

HTTP security headers are special HTTP response headers sent by a web server to the browser. They instruct the browser on how to protect users from common web attacks such as cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks.

Properly configuring security headers is a cost-effective measure that can significantly improve a website's security with relatively little effort. The Kakunin-san security score feature lets you check the security header configuration of any site you connect to.

1. Content-Security-Policy (CSP)

CSP is one of the most important headers in modern web security. It strictly limits the sources from which a web page can load resources such as scripts, stylesheets, and images.

Attacks CSP Defends Against

  • Cross-site scripting (XSS): Blocks execution of injected scripts that do not come from a permitted source (or lack a valid nonce or hash)
  • Data injection attacks: Blocks loading of unauthorized resources such as foreign scripts, stylesheets, and images
  • Clickjacking: The frame-ancestors directive restricts which sites may embed the page in a frame or iframe

Operating CSP

CSP allows you to specify permitted sources on a per-resource-type basis. For example, you can allow scripts only from your own site while permitting stylesheets from both your site and Google Fonts.

Using a nonce (a random one-time token generated freshly for each response) or a hash of the script's contents, you can also safely allow specific inline scripts without opening the door to injected ones. Kakunin-san applies CSP with nonce attributes on every page.

2. Strict-Transport-Security (HSTS)

HSTS instructs the browser to always access a site over HTTPS.

Attacks HSTS Defends Against

  • SSL stripping attacks: Man-in-the-middle attacks that exploit the HTTP-to-HTTPS redirect
  • Protocol downgrade attacks: Attempts to force an unencrypted HTTP connection

How HSTS Works

Once a browser receives an HSTS header over a valid HTTPS connection (the header is ignored when received over plain HTTP), it automatically converts all access to that domain to HTTPS for the specified duration (max-age). Adding the includeSubDomains directive extends this to subdomains, and registering with the HSTS preload list via the preload directive enforces HTTPS from the very first visit, before the browser has ever seen the header.

3. X-Frame-Options

This header controls whether a web page can be embedded within an <iframe> or <frame>. Its primary purpose is to defend against clickjacking — an attack that overlays a transparent iframe to trick users into performing unintended actions.

  • DENY: Prohibits all framing
  • SAMEORIGIN: Allows framing only from the same origin

While CSP's frame-ancestors directive is now recommended as a more flexible alternative, it is advisable to also set X-Frame-Options for compatibility with older browsers.

4. X-Content-Type-Options

This header prevents the browser from performing MIME type sniffing — the behavior of ignoring the Content-Type header and guessing the content type.

  • MIME type confusion attacks: Prevents attacks that trick the browser into executing a text file as a script
  • Drive-by downloads: Prevents attacks that disguise malicious files as safe ones

The only valid value is nosniff. This forces the browser to strictly honor the MIME type declared in the Content-Type header.

5. Referrer-Policy

This header controls how much information is included in the Referer header during page navigation. It prevents sensitive data such as session IDs and search queries embedded in URLs from leaking to external sites.

  • no-referrer: Sends no Referer header at all
  • strict-origin-when-cross-origin: Sends the full URL for same-origin requests, only the origin for cross-origin requests, and nothing when navigating from HTTPS to HTTP (recommended, and the default in current browsers)
  • same-origin: Sends the Referer only for same-origin requests

How to Check Security Headers

  • Use the Kakunin-san security score to view the status of key security headers at a glance
  • Inspect response headers directly in the browser's developer tools (F12) under the Network tab
  • Run curl -I https://example.com from the command line (-I sends a HEAD request; if a server sets headers differently for GET, use curl -sD - -o /dev/null https://example.com to see the headers of a normal GET)
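As an added example (not code from the article or from Kakunin-san), a small Python checker that scores a set of response headers along the lines of the five headers above; the header values are constructed samples, and the thresholds it applies (for example, one year for the HSTS max-age) are the example's own assumptions.

```python
import re

# Constructed sample response headers, not captured from any real site.
# Keys are lower-case, as HTTP/2 responses and curl print them.
GOOD = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'none'",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def get_header(headers, name):
    # Header names are case-insensitive, so compare lower-cased names.
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), None)

def check_csp(value):
    if value is None:
        return "missing"
    directives = {p.split()[0].lower(): p.split()[1:] for p in value.split(";") if p.strip()}
    script = directives.get("script-src", directives.get("default-src", []))
    nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in script)
    # A wildcard source, or 'unsafe-inline' with no nonce/hash (which browsers would let override it),
    # leaves XSS largely unmitigated.
    return "weak" if "*" in script or ("'unsafe-inline'" in script and not nonce_or_hash) else "ok"

def check_hsts(value):
    if value is None:
        return "missing"
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    # Assumed threshold: one year (31536000 s), the minimum the preload list accepts.
    return "ok" if match and int(match.group(1)) >= 31536000 else "weak"

def check_value(value, allowed):
    if value is None:
        return "missing"
    return "ok" if value.lower() in allowed else "weak"

def evaluate(headers):
    return {
        "Content-Security-Policy": check_csp(get_header(headers, "Content-Security-Policy")),
        "Strict-Transport-Security": check_hsts(get_header(headers, "Strict-Transport-Security")),
        "X-Frame-Options": check_value(get_header(headers, "X-Frame-Options"), {"deny", "sameorigin"}),
        "X-Content-Type-Options": check_value(get_header(headers, "X-Content-Type-Options"), {"nosniff"}),
        "Referrer-Policy": check_value(get_header(headers, "Referrer-Policy"), SAFE_REFERRER),
    }

def score(headers):
    # One point per header that is present with a sound value, out of five.
    return sum(1 for verdict in evaluate(headers).values() if verdict == "ok")
```

Feed it the header dictionary parsed from a curl dump or from a developer-tools export; a verdict of "weak" points at the value to revisit, while "missing" means the header is absent altogether.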

Summary

HTTP security headers are a fundamental yet powerful measure for strengthening website security. CSP and HSTS, in particular, are indispensable in modern web security. Site operators should configure these headers properly, and users should regularly check the security of the sites they visit using Kakunin-san.