Insight

Security headers, explained in plain English

What the common HTTP security headers actually do, which ones matter most, and how to tell whether your site is sending them.

Security headers are short instructions your server sends with every page that tell the browser how to behave safely. They are some of the cheapest security wins available: a few lines of configuration that close off whole categories of attacks. Here are the ones worth knowing.

Strict-Transport-Security (HSTS) tells browsers to only ever connect over HTTPS, even if someone types the plain http address. It prevents an attacker from quietly downgrading the connection. Set a long max-age and include subdomains once you are confident everything is on HTTPS.

Content-Security-Policy (CSP) is the most powerful and the most fiddly. It controls which sources the browser is allowed to load scripts, styles, and other resources from. A good CSP is the single best defense against cross-site scripting, because injected code simply has nowhere to run.

X-Content-Type-Options: nosniff stops the browser from guessing file types and accidentally executing something as a script. X-Frame-Options or a CSP frame-ancestors directive stops your site from being embedded in a hostile iframe and used for clickjacking. Referrer-Policy controls how much address information leaks when a visitor clicks away.

None of these require new infrastructure; they are configuration. The hard part is getting the CSP tight without breaking legitimate functionality, which is worth doing carefully rather than copying a policy off the internet.

To see which headers your site currently sends, run it through our free security header checker. It reports what is present, what is missing, and how strong each policy is, with no sign up.