Security Header

What Are Security Headers

Security headers are HTTP response headers that a web server attaches to instruct the browser on security-related behavior. Proper configuration can significantly mitigate attacks such as XSS, clickjacking, and MIME sniffing.

Security headers are a "low-cost, high-return" measure - they require no code changes to the application itself and can be enabled through server or CDN configuration alone. However, incorrect settings (especially CSP) can break site functionality, so careful testing is essential.

Key Security Headers

  • Content-Security-Policy (CSP): Restricts the sources from which a page can load resources (scripts, styles, images, fonts, etc.). Blocking inline script execution significantly reduces XSS attacks. The most powerful header, but complex to configure and requires careful testing for existing sites.
  • Strict-Transport-Security (HSTS): Forces the browser to always use HTTPS for the domain. Prevents man-in-the-middle attacks that attempt to downgrade to HTTP. The includeSubDomains directive applies the policy to all subdomains, and preload enables inclusion in the browser's built-in HSTS list.
  • X-Content-Type-Options: Setting nosniff prevents the browser from guessing (sniffing) the MIME type. Blocks attacks that trick the browser into executing a text file as JavaScript.
  • X-Frame-Options: Controls whether the page can be embedded in an iframe. Setting DENY or SAMEORIGIN prevents clickjacking attacks. It is being superseded by CSP's frame-ancestors directive.
  • Referrer-Policy: Controls how much referrer information is sent when navigating to another site. strict-origin-when-cross-origin is a balanced setting that sends only the origin for cross-origin requests.
  • Permissions-Policy: Controls access to browser features (camera, microphone, geolocation, etc.). Disabling unused features reduces the attack surface.

How to Configure Security Headers

Security headers are added through web server or reverse proxy configuration.

Nginx Configuration Example

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

CloudFront (AWS) Configuration

Use a Response Headers Policy to add security headers. This can be configured from the CloudFront console or CloudFormation without modifying the origin server.

Verification Tools

securityheaders.com: Enter a URL to get a grade (A+ to F) for your security header configuration. It also provides specific recommendations for missing headers.

Implementation Caveats and Priority Order

You don't need to implement all headers at once. A phased approach in the following priority order is recommended.

  1. Implement Immediately (minimal side effects): X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  2. Implement Early (requires HTTPS): HSTS. Start with a short max-age and gradually extend it. Be cautious with the preload directive - once registered, removal is difficult.
  3. Implement Carefully (requires testing): CSP. Start with Content-Security-Policy-Report-Only to collect violation reports without blocking. Gradually tighten the policy based on the reports.

After adding headers, always verify with securityheaders.com and browser developer tools. Pay special attention to CSP, as overly strict policies can break third-party scripts, ad delivery, and analytics.
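As an added example (not part of the original article), the following offline checker applies the phased priorities above to a set of already-parsed response headers, the same checks you would do by hand in the browser's developer tools. The two header sets are constructed for illustration; the one-year HSTS threshold follows the Nginx example.

```python
import re

HSTS_MIN_AGE = 31536000  # one year, the max-age used in the Nginx example above

def check_security_headers(headers):
    """Audit a dict of response headers; returns sorted (priority, finding) tuples, priority 1-3 as in the phased order above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = h.get("content-security-policy")
    # Priority 1: headers that are safe to add immediately.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append((1, "X-Content-Type-Options should be 'nosniff'"))
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        findings.append((1, "X-Frame-Options should be DENY or SAMEORIGIN (or set CSP frame-ancestors)"))
    if "referrer-policy" not in h:
        findings.append((1, "Referrer-Policy missing; strict-origin-when-cross-origin is a balanced default"))
    # Priority 2: HSTS, which only makes sense once the whole site is served over HTTPS.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append((2, "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            findings.append((2, f"HSTS max-age={age} is short; extend it gradually toward {HSTS_MIN_AGE}"))
        if "preload" in hsts.lower() and ("includesubdomains" not in hsts.lower() or age < HSTS_MIN_AGE):
            findings.append((2, "HSTS preload needs includeSubDomains and a max-age of at least one year"))
    # Priority 3: CSP. Report-Only is the testing stage, not enforcement.
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append((3, "CSP is Report-Only; tighten it from the reports, then switch to enforcing"))
        else:
            findings.append((3, "Content-Security-Policy missing"))
    else:
        src = re.search(r"(?:^|;)\s*script-src\s([^;]*)", csp) or re.search(r"(?:^|;)\s*default-src\s([^;]*)", csp)
        src = src.group(1) if src else ""
        if "'unsafe-inline'" in src and not re.search(r"'(nonce|sha256|sha384|sha512)-", src):
            findings.append((3, "CSP script-src allows 'unsafe-inline' without nonces or hashes; inline scripts are not blocked"))
    return sorted(findings)

# Constructed sample: the headers the Nginx snippet in this article would emit (it sets no CSP).
NGINX_EXAMPLE = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
                 "Referrer-Policy": "strict-origin-when-cross-origin",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
# Constructed sample of a weaker deployment: short HSTS, preload without includeSubDomains, CSP still Report-Only.
WEAK_EXAMPLE = {"strict-transport-security": "max-age=600; preload", "x-frame-options": "ALLOWALL",
                "content-security-policy-report-only": "default-src 'self'"}

if __name__ == "__main__":
    for p, msg in check_security_headers(WEAK_EXAMPLE): print(f"P{p}: {msg}")
```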

To learn more about this topic, see HTTP Security Headers: 5 Essential Headers to Protect Your Website.

Common Misconceptions

HTTPS makes security headers unnecessary
HTTPS provides communication channel encryption but cannot prevent application-layer attacks like XSS and clickjacking. Security headers defend at a different layer than HTTPS, and both are needed together.
Security headers will break the page layout
X-Content-Type-Options and X-Frame-Options have virtually no side effects. The header most likely to affect display is CSP, but using Report-Only mode for pre-testing allows safe implementation.