ruxox
Start
Start
← Back to blog

SECURITY HEADERS EXPLAINED: WHAT EVERY WEBSITE NEEDS IN 2026.

A practical guide to HTTP security headers — Content-Security-Policy, HSTS, X-Frame-Options, and more — with what each one does and how to configure it.

Security headers are HTTP response headers that tell browsers how to behave when handling your site's content. They're one of the highest-leverage, lowest-cost security improvements a website can make — and most sites still have them wrong or missing.

Why security headers matter

Browsers trust websites by default. Without explicit instructions, a browser will:

  • Execute any JavaScript included in page HTML (XSS vector)
  • Load your site inside an iframe on any other domain (clickjacking vector)
  • Guess content types for ambiguous files (MIME confusion vector)
  • Allow your site to be accessed over HTTP even when HTTPS is available
  • Send your full URL as a referrer header to third-party resources

Security headers close these default behaviours one by one.

Content-Security-Policy (CSP)

The most powerful and most complex security header. CSP tells the browser exactly which sources of content (scripts, styles, images, fonts, iframes) are allowed to load on your page.

What it prevents: Cross-site scripting (XSS) attacks that inject malicious scripts into your pages; data exfiltration via injected requests to attacker-controlled servers.

Basic example:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'

Practical guidance: Start with CSP in report-only mode (`Content-Security-Policy-Report-Only`) to see what would be blocked without breaking anything. Then tighten the policy based on the report. Never ship a CSP with `default-src *` — this defeats the purpose.

Strict-Transport-Security (HSTS)

What it does: Tells the browser to only ever connect to your site over HTTPS — never HTTP — for the duration specified.

What it prevents: SSL stripping attacks where an attacker intercepts your HTTP→HTTPS redirect and downgrades the connection.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Caution: Once set with a long `max-age`, removing HTTPS from your site will break it for returning visitors for the duration of the max-age. Set `preload` only after you're confident your site will remain HTTPS permanently.

X-Frame-Options

What it does: Controls whether your site can be embedded in an iframe on another domain.

What it prevents: Clickjacking — an attack where your site is loaded in a transparent iframe and the user is tricked into clicking on UI elements they can't see.

X-Frame-Options: DENY

Note: CSP's `frame-ancestors` directive supersedes X-Frame-Options in modern browsers. Set both for legacy browser compatibility.

X-Content-Type-Options

What it does: Prevents the browser from MIME-sniffing a response away from the declared content type.

What it prevents: MIME confusion attacks where an attacker uploads a file that's treated as a different, more dangerous type.

X-Content-Type-Options: nosniff

This is a one-liner with no downside. Set it everywhere.

Referrer-Policy

What it does: Controls how much URL information is included in the `Referer` header sent to third parties when users click links on your site.

What it prevents: Leaking sensitive URL parameters (session tokens, user IDs, search queries) to third-party analytics, CDN, or advertising partners.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

What it does: Restricts which browser features (camera, microphone, geolocation, payment) your site and its embedded iframes can use.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

How to check your current header score

Use our Website Security Checker to see which headers your site sets and which are missing. For Apache deployments, headers are set in `.htaccess`. For nginx, in the server block. For Cloudflare, in Transform Rules or Workers. Check our full guide at Cybersecurity Checklist for Small Business for the broader security picture.

FAQ

Common questions

How do I check what security headers my website has?

Use our Website Security Checker tool or visit securityheaders.com. Both tools show which headers are present, which are missing, and a letter-grade summary. You can also use curl: `curl -I https://yoursite.com` to see the raw response headers.

Will adding security headers break my website?

Content-Security-Policy is the most likely to break things — it blocks resources that don't match the policy, including inline scripts. Test CSP in 'report-only' mode first. Other headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are lower risk and unlikely to cause breakage.

Do security headers protect against all XSS attacks?

A strong CSP significantly reduces XSS risk by blocking inline script execution and restricting which origins scripts can load from. It doesn't eliminate XSS — a CSP that allows 'unsafe-inline' or 'unsafe-eval' provides much weaker protection. The strongest XSS protection is a nonce-based or hash-based CSP combined with input validation and output encoding in the application code.

Who is responsible for setting security headers?

Security headers are set at the server or CDN level, not in application code (with some exceptions). Your DevOps team, hosting provider, or CDN configuration (Cloudflare, Fastly, CloudFront) controls them. If you're on a managed platform (Shopify, WordPress.com), you may have limited control — check what customisation is available.

Work with us

Want a security review of your site?

We audit web applications for security vulnerabilities including misconfigured headers, XSS exposures, and other OWASP Top 10 risks.

Request a security audit
/ Topics
security headersweb securityHTTP security headerscontent security policytechnical SEO