Back to articles
Web Security
Updated Jun 2, 2026

A Developer's Guide to HTTP Security Headers

You've built a great web application, but in today's world, shipping features is only half the battle. The other half is security. Many common web attacks, like cross-site scripting (XSS) and clickjacking, can be stopped in their tracks with a simple, yet often overlooked, tool: HTTP security headers.

Think of security headers as a set of rules you give the browser when it loads your site. They tell the browser what it is and isn't allowed to do, effectively creating a powerful, first-line defense against attackers. The best part? Implementing the most critical ones can take less than an hour and provides immediate protection.

This guide cuts through the noise. We'll show you which headers provide the biggest security wins, how to implement them correctly, and how to avoid common mistakes that leave you vulnerable.

Table of Contents

Why Security Headers Matter

Without security headers, browsers run on a default trust model that's easy to abuse. By default a browser will happily execute a script from any origin, or let your site be embedded inside an invisible <iframe> on someone else's domain. That's a lot of trust to extend to the open web.

Headers flip that posture from "trust by default" to "distrust by default." A solid header config blocks the four classes of attacks that show up over and over in real bug reports. Cross-site scripting (XSS) is the big one: an attacker gets malicious code running in your users' browsers, then walks off with session cookies or credentials. Clickjacking is the second; an attacker frames your site under an invisible overlay so a user thinks they're clicking a harmless button but are actually deleting their account. Protocol downgrade attacks force a browser off HTTPS and back onto plain HTTP so the attacker can sit on the wire and read traffic. And then there's plain information leakage, where things like password-reset tokens or internal paths leak out through Referer headers to third parties.

By setting the right headers, you instruct the browser to block these behaviors before they can cause harm.

The Must-Have Security Headers

There are a lot of security headers out there, but a small handful does most of the work. If you're starting from zero, ship these five first.

1. Content-Security-Policy (CSP)

CSP is the heavy hitter. It gives you fine-grained control over which scripts, stylesheets, images, fonts, and other resources the browser is allowed to load on your pages, and it's your strongest line of defense against XSS. The model is a whitelist: you tell the browser which origins you trust, and anything outside that list is dropped on the floor, including code an attacker manages to inject into your HTML.

A minimal policy looks like this:

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com;

That tells the browser to load everything from your own origin by default, and to only run scripts from your origin or from https://apis.google.com.

2. HTTP Strict-Transport-Security (HSTS)

HSTS tells the browser to only ever talk to your server over HTTPS. Once it has seen the header, it refuses plain HTTP for the duration of max-age and silently upgrades any http:// request to https://. That kills protocol downgrade attacks and most cookie-hijacking tricks that rely on intercepting a single insecure request.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The directives are straightforward: max-age=31536000 enforces the rule for a year, includeSubDomains extends it to every subdomain, and preload lets you submit your domain to the browser-baked preload list so users are protected even on their very first visit.

3. X-Frame-Options

This one decides whether your site is allowed to be rendered inside a <frame>, <iframe>, <embed>, or <object> on another page. It's the classic clickjacking defense: if attackers can't frame your site, they can't trick users into clicking your buttons through their overlay.

X-Frame-Options: DENY

DENY blocks framing entirely. SAMEORIGIN allows it, but only for pages on your own domain. Worth noting: the frame-ancestors directive in CSP is the modern replacement and is more flexible, but X-Frame-Options is still useful for older browsers and as belt-and-suspenders.

4. X-Content-Type-Options

A one-liner header that does one thing well: it forces the browser to respect the Content-Type your server sent and skip its own MIME-sniffing heuristics. Without it, a browser might decide a file you served as an image is actually a script and execute it, which is exactly the kind of confusion attackers like.

X-Content-Type-Options: nosniff

nosniff is the only value this header takes. There's nothing else to configure.

5. Referrer-Policy

This header controls how much of the previous URL is sent along in the Referer header on outbound requests. That matters for privacy, and it matters for security when sensitive data lives in URLs. Picture a user clicking an external link from https://yoursite.com/reset?token=abc123. You really don't want that token leaving in a Referer.

Referrer-Policy: strict-origin-when-cross-origin

The popular default sends the full URL on same-origin requests but strips it down to just the origin (no path, no query string) for cross-origin requests. That's a reasonable balance between analytics utility and not leaking your reset tokens.

Advanced Security Headers

Once the basics are in place, a few more headers help you lock things down further. Permissions-Policy lets you switch off browser features like camera, microphone, and geolocation for your origin, which shrinks the attack surface by removing capabilities you don't actually use. Cross-Origin-Opener-Policy (COOP) isolates your browsing context from pop-ups, which closes off window.opener-style attacks where a malicious popup reaches back into the page that opened it. Cross-Origin-Embedder-Policy (COEP) pairs with COOP to put your app in a cross-origin isolated state, which is a prerequisite if you want to use powerful APIs like SharedArrayBuffer or high-resolution timers.

How to Implement Security Headers

You can set security headers at any layer of your stack. Pick whichever fits your deployment best; the headers themselves are the same.

Web Server Configuration (Nginx)

# In your server block for example.com
server {
    listen 443 ssl;
    server_name example.com;

    # Add all your headers here
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=()" always;
}

Web Server Configuration (Apache)

# In your VirtualHost configuration or .htaccess file
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=()"
</IfModule>

Application-Level (Node.js with Helmet)

For an Express app, the helmet package is the path of least resistance. A bare app.use(helmet()) sets sane defaults for eleven headers, and you can override any of them individually if your CSP needs more nuance.

const express = require("express")
const helmet = require("helmet")
const app = express()

app.use(helmet()) // Sets sensible defaults for 11 headers

// You can also configure them individually
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "trusted-scripts.com"],
    },
  })
)

app.listen(3000)

Application-Level (Python/Django)

Django handles the basics through settings.py:

# Essential security headers
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_REFERRER_POLICY = 'strict-origin-when-cross-origin'

Frontend Frameworks (Next.js)

In Next.js you can declare headers in next.config.mjs and have the framework apply them to every route.

// next.config.mjs
const securityHeaders = [
  {
    key: "Strict-Transport-Security",
    value: "max-age=31536000; includeSubDomains; preload",
  },
  {
    key: "X-Frame-Options",
    value: "DENY",
  },
  {
    key: "X-Content-Type-Options",
    value: "nosniff",
  },
  {
    key: "Referrer-Policy",
    value: "strict-origin-when-cross-origin",
  },
]

export default {
  async headers() {
    return [
      {
        source: "/:path*",
        headers: securityHeaders,
      },
    ]
  },
}

Verification

Once you've shipped the config, confirm the headers actually made it into responses.

From the command line, a single curl is enough to spot the basics:

curl -I https://example.com | grep -i "strict-transport-security\|x-frame-options\|x-content-type-options"

In the browser, open DevTools with F12, switch to the Network tab, reload the page, click the main document request, and scroll to the Response Headers section. Whatever you set in your server config should be sitting there verbatim.

For a more thorough check, two online tools cover the gap:

Testing and Validating Your Headers

Shipping the config is only step one. You still need to verify the browser is actually seeing what you think it's seeing, because reverse proxies, CDNs, and middleware all love to rewrite or strip headers behind your back.

For a quick local check, open your browser's dev tools, go to the Network tab, reload the page, and read the response headers on the main document request. From a terminal, curl -I https://your-site.com does the same job and is easy to script into a smoke test.

For continuous coverage, you'll want something that actually watches over time. Barrion.io monitors your headers continuously and alerts you the moment one disappears or drifts out of policy, so you don't find out from a customer that a deploy stripped your CSP. Mozilla Observatory is a good one-off snapshot if you want a quick overall grade, and Google's CSP Evaluator is the easiest way to find logic bugs in a Content Security Policy before they bite you in production.

Common Pitfalls & Solutions

CSP is the one header that genuinely deserves a slow rollout. Get it wrong and you'll block your own scripts, styles, or analytics in production. The safest path is to ship a report-only policy first, watch the violations for a week or two, then promote to enforcement once the report is quiet:

# Phase 1: Report-only (doesn't break anything)
add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report;" always;

# Phase 2: After reviewing reports, enable enforcement
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none';" always;

Resist the urge to skip phase one. Even a small app pulls in more third-party origins than you'd guess (fonts, analytics, embedded videos, a CDN you forgot about), and the report-only run is what surfaces them before users see broken pages.

The second classic is HSTS breaking your local dev setup. You enabled it with a year-long max-age (and maybe preload), and now your browser flat-out refuses to load http://localhost for the next twelve months. Keep max-age short in non-production environments, something like max-age=3600 is plenty for testing, and save preload for production hostnames you genuinely want pinned forever.

There's also a specific Nginx gotcha worth knowing about: without always, add_header only fires on 200, 201, 204, 206, 301, 302, 303, 304, 307, and 308 responses. Every error code (and most redirects you forgot about) ships with no headers at all. Adding always fixes it.

Conclusion

HTTP security headers are a small amount of config that pays back a disproportionate amount of safety. They're a real part of defense in depth, not just a checklist item, and they shut down a long list of common attacks before your application code even gets involved. Start with the five must-haves, layer in the advanced ones once you're comfortable, and keep an eye on them after every deploy.

Ready to take control of your security headers? Use the Barrion dashboard to continuously monitor your implementation, get notified of issues, and ensure your site remains secure over time.

Frequently asked questions

Q: Which security headers matter most to start with?

A: Begin with HSTS, CSP (with Report-Only first), X-Content-Type-Options, and Referrer-Policy. Add Permissions-Policy as you harden features.

Q: Should I use X-Frame-Options or CSP frame-ancestors?

A: Prefer frame-ancestors in CSP. It replaces X-Frame-Options and provides more control.

Related reading

Secure your apps before
someone else finds the gaps.

Trusted by dev teams and agencies for security monitoring and audit-ready reports.

Get started freeContact sales