Introduction
HTTP security headers tell browsers how to behave securely. This guide covers critical headers and how to add them in Nginx/Apache.
1. Strict-Transport-Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload – forces HTTPS for one year (31536000 seconds) on the host and all its subdomains, and marks the site as eligible for the browser preload list.
2. X-Frame-Options
X-Frame-Options: DENY – prevents clickjacking.
3. X-Content-Type-Options
X-Content-Type-Options: nosniff – stops MIME type sniffing.
4. X-XSS-Protection
X-XSS-Protection: 1; mode=block – legacy XSS filter; modern browsers have removed the filter, so rely on CSP rather than this header.
5. Content-Security-Policy (CSP)
Content-Security-Policy: default-src 'self'; script-src 'self' – allowlist of permitted sources per content type.
6. Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin – limits referrer leakage.
7. Permissions-Policy (formerly Feature-Policy)
Permissions-Policy: geolocation=(), microphone=() – disable browser features.
8. Cross-Origin-Resource-Policy (CORP)
Cross-Origin-Resource-Policy: same-origin – prevents other origins from loading the resource (e.g. via <img>, <script> or a no-cors fetch).
9. Cross-Origin-Opener-Policy (COOP)
Cross-Origin-Opener-Policy: same-origin – isolates the browsing context so that cross-origin pages cannot keep a reference to this window via window.opener.
10. Cross-Origin-Embedder-Policy (COEP)
Cross-Origin-Embedder-Policy: require-corp – together with COOP same-origin, needed for cross-origin isolation (e.g. SharedArrayBuffer); every cross-origin resource must then opt in via CORP or CORS.
11. Adding Headers in Nginx
add_header X-Frame-Options "DENY" always; (the always flag keeps the header on error responses; note that an add_header inside a location block replaces all add_header directives inherited from the server block, so repeat the full set there).
12. Adding Headers in Apache
Header always set X-Frame-Options "DENY" (requires mod_headers; always applies the header to error responses too).
13. Testing Your Headers
Use curl -I https://example.com (or curl -sD - -o /dev/null https://example.com, since -I sends a HEAD request that some servers answer with different headers) and online scanners (securityheaders.io).
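To check headers without an online scanner, the raw response head saved from curl -sD - can be audited locally. The following script is an added example, not part of the original guide: it parses a response head, flags missing or weak headers using the values recommended above, and notes version-leaking headers. The sample responses are constructed; the required set and the one-year HSTS threshold are this example's choices.

```python
"""Audit the security headers in a raw HTTP response head (added example)."""
import re

ONE_YEAR = 31536000  # HSTS max-age recommended in the guide


def _hsts_ok(value: str) -> bool:
    # Weak if max-age is missing or shorter than one year
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= ONE_YEAR


# Header name -> predicate that returns True when the value is acceptable
REQUIRED = {
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "referrer-policy": lambda v: v.lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}

# Headers that usually reveal software versions and are worth removing
LEAKY = ("server", "x-powered-by")


def parse_response_head(raw: str) -> dict:
    """Split a raw response into a dict of lower-cased header names.
    Repeated headers are joined with ', ' as RFC 9110 permits."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit(raw: str) -> list:
    """Return findings as 'missing: ...', 'weak: ...' or 'leaks: ...' strings."""
    headers = parse_response_head(raw)
    findings = []
    for name, ok in REQUIRED.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not ok(headers[name]):
            findings.append(f"weak: {name}={headers[name]}")
    for name in LEAKY:
        if name in headers:
            findings.append(f"leaks: {name}={headers[name]}")
    return findings


# Constructed sample: a site with a short HSTS lifetime and two headers absent
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the full set from the guide
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print(finding)
```

Feed it a real response with `audit(open("headers.txt").read())` after `curl -sD headers.txt -o /dev/null https://example.com`; the predicates are deliberately strict (a CSP without default-src counts as weak) so that a passing run reflects the guide's baseline.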
14. CSP Report-Only Mode
Start with Content-Security-Policy-Report-Only, which reports violations without blocking anything, and collect the violations before switching to the enforcing header.
15. Avoiding CSP Pitfalls
Use nonces or hashes instead of 'unsafe-inline' for scripts; once a nonce or hash is present in a directive, CSP Level 2+ browsers ignore 'unsafe-inline' there, so the two cannot be combined as a fallback for the same scripts.
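The nonce approach is easiest to see as the server-side code that generates a fresh token per response, puts it in both the header and the script tag, and lints a policy for the pitfalls above. This is an added example, not code from the original guide; the policy shape (object-src 'none', base-uri 'self') and the lint rules are this example's choices.

```python
"""Per-response CSP nonce and a lint for risky script-src sources (added example)."""
import base64
import html
import secrets

# Sources that let injected script run; a nonce or hash in the same directive
# makes browsers ignore 'unsafe-inline' (CSP Level 2+)
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def make_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64-encoded as the CSP grammar expects.
    # A nonce must never be reused across responses, or it is no better than 'unsafe-inline'.
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, report_only: bool = False) -> tuple:
    """Return (header name, header value) for this response."""
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def inline_script(nonce: str, js: str) -> str:
    """Render an inline script the policy above will allow.
    The caller supplies trusted JavaScript; only the attribute value is escaped."""
    return f'<script nonce="{html.escape(nonce, quote=True)}">{js}</script>'


def parse_policy(policy: str) -> dict:
    """Map directive name -> list of source expressions."""
    directives = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def lint_script_src(policy: str) -> list:
    """Warn about script sources that defeat CSP; falls back to default-src
    when script-src is absent, as browsers do."""
    directives = parse_policy(policy)
    sources = [s.lower() for s in directives.get("script-src", directives.get("default-src", []))]
    warnings = []
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        warnings.append("'unsafe-inline' allows any injected inline script")
    if "'unsafe-eval'" in sources:
        warnings.append("'unsafe-eval' allows string-to-code (eval, new Function)")
    if any(s in ("*", "http:", "https:") for s in sources):
        warnings.append("wildcard scheme or host allows scripts from anywhere")
    return warnings


if __name__ == "__main__":
    nonce = make_nonce()
    name, value = build_csp(nonce)
    print(f"{name}: {value}")
    print(inline_script(nonce, "console.log('allowed');"))
    print(lint_script_src("default-src 'self'; script-src 'self' 'unsafe-inline'"))
```

Call make_nonce() once per request in the framework's middleware and pass the same value to both build_csp and the template; the lint is useful as a test that fails the build when someone adds 'unsafe-inline' or a wildcard back into the production policy.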
16. HSTS Preload List
Submit your domain to hstspreload.org after careful testing.
17. Combining Headers for A+ Rating
SecurityHeaders.io awards A+ when you implement CSP, HSTS, XFO, etc.
18. Dynamic Headers per Environment
Use different CSP policies for development vs production.
19. Monitoring CSP Violations
Set report-uri /csp-violations (and, for newer browsers, report-to with a matching Reporting-Endpoints header) and log the reports that arrive there.
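What the collector at /csp-violations has to do is accept both wire formats (the legacy report-uri body with a csp-report object, and the Reporting API array of csp-violation reports), normalise them, and separate browser-extension noise from violations on the site's own pages. The following is an added example, not code from the original guide; the sample reports are constructed and the field names are those of the CSP specifications.

```python
"""Normalise and aggregate CSP violation reports (added example)."""
import json
from collections import Counter
from typing import Optional

# Scripts injected by browser extensions trigger reports the site owner cannot act on
EXTENSION_SCHEMES = ("chrome-extension://", "moz-extension://",
                     "safari-extension://", "safari-web-extension://")


def normalize(report: dict) -> Optional[dict]:
    """Reduce either wire format to the fields needed for triage."""
    if "csp-report" in report:  # legacy report-uri body: one object per POST
        r = report["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive") or "unknown"
        return {
            "directive": directive.split()[0],  # violated-directive may carry the full source list
            "blocked": r.get("blocked-uri", ""),
            "document": r.get("document-uri", ""),
            "disposition": r.get("disposition", "enforce"),
        }
    if report.get("type") == "csp-violation":  # Reporting API: array of reports per POST
        b = report.get("body", {})
        return {
            "directive": b.get("effectiveDirective", "unknown"),
            "blocked": b.get("blockedURL", ""),
            "document": b.get("documentURL", ""),
            "disposition": b.get("disposition", "enforce"),
        }
    return None  # unknown shape; ignore rather than crash the collector


def ingest(payload: str) -> list:
    """Parse one POST body (object or array) into normalised events."""
    data = json.loads(payload)
    reports = data if isinstance(data, list) else [data]
    events = [normalize(r) for r in reports if isinstance(r, dict)]
    return [e for e in events if e is not None]


def summarize(events: list) -> dict:
    """Counts that answer 'what is my policy blocking, and where'."""
    real = [e for e in events if not e["blocked"].startswith(EXTENSION_SCHEMES)]
    return {
        "total": len(events),
        "extension_noise": len(events) - len(real),
        "by_directive": Counter(e["directive"] for e in real),
        "by_blocked": Counter((e["directive"], e["blocked"]) for e in real),
        "report_only": sum(1 for e in real if e["disposition"] == "report"),
    }


# Constructed sample POST bodies
LEGACY_POST = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "disposition": "report",
}})

REPORTING_API_POST = json.dumps([
    {"type": "csp-violation", "url": "https://shop.example/", "body": {
        "documentURL": "https://shop.example/",
        "blockedURL": "https://cdn.third-party.example/tag.js",
        "effectiveDirective": "script-src",
        "disposition": "enforce"}},
    {"type": "csp-violation", "url": "https://shop.example/", "body": {
        "documentURL": "https://shop.example/",
        "blockedURL": "chrome-extension://abcdefghijklmnop/content.js",
        "effectiveDirective": "script-src",
        "disposition": "enforce"}},
])


def triage_samples() -> dict:
    return summarize(ingest(LEGACY_POST) + ingest(REPORTING_API_POST))


if __name__ == "__main__":
    for key, value in triage_samples().items():
        print(f"{key}: {value}")
```

The report-only disposition count tells you how much of the noise comes from a policy still in Content-Security-Policy-Report-Only mode; the (directive, blocked) pairs are what to review before enforcing, since each one is either a legitimate source to allowlist or an inline script to move behind a nonce.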
20. Regular Review
Re‑evaluate headers as browser standards evolve.
Conclusion
Implement at least HSTS, XFO, and X‑Content‑Type‑Options. Add CSP gradually to avoid breaking your site.