Security
2026-05-15Security Headers Explained: What They Do and Why You Need Them
The Essential Security Headers
Each header targets a specific vulnerability:
Strict-Transport-Security (HSTS)
Tells browsers to only use HTTPS. Prevents protocol downgrade attacks and cookie hijacking. `max-age=31536000` with `includeSubDomains`.
Content-Security-Policy (CSP)
Controls which resources the browser can load. Prevents XSS by restricting script sources. `default-src 'self'; script-src 'self' 'unsafe-inline' https:trusted.cdn.com`
X-Content-Type-Options
Prevents MIME-type sniffing. `nosniff` stops browsers from interpreting files as different content types.
X-Frame-Options
Controls iframe embedding. `DENY` or `SAMEORIGIN` prevents clickjacking attacks.
Referrer-Policy
Controls referrer information sent with requests. `strict-origin-when-cross-origin` balances SEO with privacy.
Permissions-Policy
Controls browser feature access. Restrict camera, microphone, geolocation on non-essential pages.