Security Headers: The Complete Guide
Why Security Headers Matter
HTTP security headers are instructions the server sends with each response that tell the browser which security rules to apply when interacting with your site. They protect against XSS, clickjacking, MITM, injection, and other attacks. Configuring them takes minutes, and the payoff is closing off entire classes of vulnerabilities.
Check your current security headers using the Enterno.io Security Scanner.
Content-Security-Policy (CSP)
CSP is the most powerful security header. It defines where resources can be loaded from: scripts, styles, images, fonts, frames.
Basic Policy
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'
Key Directives
- default-src — default policy for all resource types
- script-src — where JavaScript can be loaded from
- style-src — where CSS can be loaded from
- img-src — where images can be loaded from
- connect-src — where XHR/Fetch/WebSocket requests can be sent
- frame-ancestors — who can embed your site in an iframe
- base-uri — restricts the <base> tag
- form-action — where forms can be submitted to
Recommendations
- Start with Content-Security-Policy-Report-Only — it logs violations without blocking
- Avoid 'unsafe-inline' and 'unsafe-eval' — they weaken XSS protection
- Use a nonce or hash for inline scripts: script-src 'nonce-abc123'
Strict-Transport-Security (HSTS)
HSTS forces the browser to connect to your domain only over HTTPS (TLS). Even if a user types http://, the browser automatically switches to HTTPS without making an HTTP request.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age — duration in seconds (recommended 1 year = 31536000)
- includeSubDomains — applies to all subdomains
- preload — adds the domain to browser HSTS preload lists
Caution: after enabling preload, rollback can take months. Start with a short max-age.
X-Frame-Options
Protects against clickjacking — an attack where your site is embedded in an invisible iframe on a malicious page.
X-Frame-Options: DENY
- DENY — prohibit iframe embedding everywhere
- SAMEORIGIN — allow embedding only from the same domain
Modern replacement: CSP frame-ancestors, but X-Frame-Options remains for compatibility.
X-Content-Type-Options
Prevents the browser from guessing MIME types (MIME sniffing). Without this header, a browser may interpret an uploaded file as HTML/JavaScript even if the server sent it as text.
X-Content-Type-Options: nosniff
Always set this. There's no reason not to.
Referrer-Policy
Controls what referrer information is shared during navigation:
Referrer-Policy: strict-origin-when-cross-origin
- no-referrer — never send a referrer
- same-origin — only for same-domain requests
- strict-origin-when-cross-origin — full URL for same-origin, origin only for cross-origin, nothing for HTTPS→HTTP
Permissions-Policy
Controls access to browser APIs: camera, microphone, geolocation, autoplay, and more. Replaces the deprecated Feature-Policy.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(self)
Empty parentheses () completely disable a feature. (self) allows it only for your domain.
Cross-Origin Headers
Cross-Origin-Opener-Policy (COOP)
Cross-Origin-Opener-Policy: same-origin
Isolates the window context. Prevents attacks via window.opener from cross-site windows.
Cross-Origin-Resource-Policy (CORP)
Cross-Origin-Resource-Policy: same-origin
Prevents other sites from loading your resources (protection against hot-linking and data leaks).
Cross-Origin-Embedder-Policy (COEP)
Cross-Origin-Embedder-Policy: require-corp
All loaded resources must explicitly allow cross-site usage. Required for SharedArrayBuffer and high-precision timers.
Full nginx Configuration Example
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-ancestors 'none'" always;
Checking Headers
Use the Enterno.io Security Scanner for a complete security header check. Also verify through the HTTP Checker — it shows all response headers from your server.
Summary
Security headers are the mandatory minimum protection for any website. Start with HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy — they're simple and safe. Then add CSP, starting in Report-Only mode. Permissions-Policy and Cross-Origin headers provide advanced protection.