Back to Blog
Security
2026-05-15

Security Headers Explained: What They Do and Why You Need Them

The Essential Security Headers


Each header targets a specific vulnerability:


Strict-Transport-Security (HSTS)

Tells browsers to only use HTTPS. Prevents protocol downgrade attacks and cookie hijacking. `max-age=31536000` with `includeSubDomains`.


Content-Security-Policy (CSP)

Controls which resources the browser can load. Prevents XSS by restricting script sources. `default-src 'self'; script-src 'self' 'unsafe-inline' https:trusted.cdn.com`


X-Content-Type-Options

Prevents MIME-type sniffing. `nosniff` stops browsers from interpreting files as different content types.


X-Frame-Options

Controls iframe embedding. `DENY` or `SAMEORIGIN` prevents clickjacking attacks.


Referrer-Policy

Controls referrer information sent with requests. `strict-origin-when-cross-origin` balances SEO with privacy.


Permissions-Policy

Controls browser feature access. Restrict camera, microphone, geolocation on non-essential pages.