
Security Headers: The Complete Guide

Why Security Headers Matter

HTTP security headers are instructions to the browser that define the security rules it applies when interacting with your site. They protect against XSS, clickjacking, MITM, injection, and other attacks. Configuring them takes minutes, and doing so closes entire classes of vulnerabilities.

Check your current security headers using the Enterno.io Security Scanner.

Content-Security-Policy (CSP)

Content Security Policy is the most powerful security header. It defines where resources can be loaded from: scripts, styles, images, fonts, frames.

Basic Policy

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'

Key Directives

  • default-src — default policy for all resource types
  • script-src — where JavaScript can be loaded from
  • style-src — where CSS can be loaded from
  • img-src — where images can be loaded from
  • connect-src — where XHR/Fetch/WebSocket requests can be sent
  • frame-ancestors — who can embed your site in an iframe
  • base-uri — restricts the <base> tag
  • form-action — where forms can be submitted to

Recommendations

  • Start with Content-Security-Policy-Report-Only — it logs violations without blocking
  • Avoid 'unsafe-inline' and 'unsafe-eval' — they weaken XSS protection
  • Use nonce or hash for inline scripts: script-src 'nonce-abc123'
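The CSP checks above as a small parser and linter, added here as an example (it is not code from the article or from the Enterno.io scanner): it splits the header into directives, flags the weaknesses the recommendations name, and builds a per-response nonce policy in place of 'unsafe-inline'. The function names are my own.

```python
import secrets

# Parse a CSP header value into {directive: [source expressions]}.
def parse_csp(policy: str) -> dict:
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

# Flag the weaknesses the recommendations warn about. script-src falls back
# to default-src, but frame-ancestors, base-uri and form-action do not, so
# they must be set explicitly. A nonce or hash in script-src makes browsers
# ignore 'unsafe-inline', so that combination is not reported.
def lint_csp(policy: str) -> list:
    d = parse_csp(policy)
    scripts = d.get("script-src", d.get("default-src", []))
    findings = []
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in scripts:
        findings.append("script-src allows any origin (*)")
    for name in ("frame-ancestors", "base-uri", "form-action"):
        if name not in d:
            findings.append(f"{name} is not set")
    return findings

# Build the enforced policy for one response: a fresh nonce per request, which
# the server must also put on each inline <script nonce="..."> it emits.
def nonce_policy(nonce: str = "") -> tuple:
    nonce = nonce or secrets.token_urlsafe(16)
    policy = (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
              "style-src 'self'; base-uri 'self'; form-action 'self'; "
              "frame-ancestors 'none'")
    return nonce, policy

if __name__ == "__main__":
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
    for f in lint_csp(weak):
        print("weak policy:", f)
    nonce, policy = nonce_policy()
    print("enforced policy:", policy, "-> findings:", lint_csp(policy))
```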

Strict-Transport-Security (HSTS)

HSTS forces the browser to use only HTTPS (TLS) for your domain. Even if a user types http://, the browser automatically switches to HTTPS without making an HTTP request.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • max-age — duration in seconds (recommended 1 year = 31536000)
  • includeSubDomains — applies to all subdomains
  • preload — adds to browser HSTS preload lists

Caution: after enabling preload, rollback can take months. Start with a short max-age.

X-Frame-Options

Protects against clickjacking — an attack where your site is embedded in an invisible iframe on a malicious page.

X-Frame-Options: DENY

  • DENY — prohibit iframe embedding everywhere
  • SAMEORIGIN — allow embedding only from the same domain

The modern replacement is the CSP frame-ancestors directive, but X-Frame-Options is kept for compatibility.

X-Content-Type-Options

Prevents the browser from guessing the MIME type (MIME sniffing). Without this header, a browser may interpret an uploaded file as HTML/JavaScript even if the server declared it as text.

X-Content-Type-Options: nosniff

Always set this. There's no reason not to.

Referrer-Policy

Controls what referrer information is shared during navigation:

Referrer-Policy: strict-origin-when-cross-origin

  • no-referrer — never send referrer
  • same-origin — only for same-domain requests
  • strict-origin-when-cross-origin — full URL for same-origin, origin only for cross-origin, nothing for HTTPS→HTTP

Permissions-Policy

Controls access to browser APIs: camera, microphone, geolocation, autoplay, and more. Replaces the deprecated Feature-Policy.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(self)

Empty parentheses () completely disable a feature. (self) allows it only for your domain.

Cross-Origin Headers

Cross-Origin-Opener-Policy (COOP)

Cross-Origin-Opener-Policy: same-origin

Isolates the window context. Prevents attacks via window.opener from cross-site windows.

Cross-Origin-Resource-Policy (CORP)

Cross-Origin-Resource-Policy: same-origin

Prevents other sites from loading your resources (protection against hot-linking and data leaks).

Cross-Origin-Embedder-Policy (COEP)

Cross-Origin-Embedder-Policy: require-corp

All loaded resources must explicitly allow cross-site usage. Required for SharedArrayBuffer and high-precision timers.

Full nginx Configuration Example

add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-ancestors 'none'" always;

Checking Headers

Use the Enterno.io Security Scanner for a complete security header check. Also verify through the HTTP Checker — it shows all response headers from your server.
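A header audit run over a constructed response, added here as an example rather than the scanner's own logic: it checks HSTS max-age and includeSubDomains, nosniff, X-Frame-Options, the Referrer-Policy values listed above, Permissions-Policy, and whether CSP is enforced or only in Report-Only mode. fetch_headers is an assumed helper for pointing the audit at a live server; SAMPLE is a constructed set of headers.

```python
import urllib.request

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin-when-cross-origin"}  # as recommended above

# Assumed helper for pointing the audit at a live server (HEAD request).
def fetch_headers(url: str) -> dict:
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

# Extract max-age from an HSTS value such as "max-age=31536000; includeSubDomains".
def hsts_max_age(value: str) -> int:
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0

# Return a list of findings for one set of response headers (names are case-insensitive).
def audit_headers(headers: dict) -> list:
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif hsts_max_age(hsts) < 31536000:  # one year, as recommended above
        findings.append("HSTS max-age below one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS without includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    if "content-security-policy" not in h:
        mode = "only in Report-Only mode" if "content-security-policy-report-only" in h else "missing"
        findings.append(f"CSP {mode}")
    return findings

# Constructed sample: a server part-way through rolling out the headers.
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}
```

Calling audit_headers(fetch_headers("https://example.test/")) applies the same checks to a real server; audit_headers(SAMPLE) reports five findings for the constructed response.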

Summary

Security headers are the mandatory minimum protection for any website. Start with HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy — they're simple and safe. Then add CSP, starting in Report-Only mode. Permissions-Policy and Cross-Origin headers provide advanced protection.
