
Security header monitoring guide

HSTS, CSP, X-Frame-Options, and friends: what each header does and how Barrion catches the ones you are missing.

What it is

Security headers are HTTP response headers that tell the browser how to behave: HSTS enforces HTTPS, CSP restricts script and resource sources, X-Frame-Options prevents clickjacking, X-Content-Type-Options prevents MIME sniffing. Monitoring them means checking that the right headers are present and correctly configured.

Why it matters

Missing or weak security headers leave you open to XSS, clickjacking, downgrade attacks, and information leakage. Headers are a high-impact, low-effort way to harden your app. Monitoring catches drift (e.g. a deploy that drops a header) and misconfigurations.

How Barrion checks it

Barrion requests your pages and inspects the response headers. We check for Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and COEP/COOP/CORP where relevant. We report missing or weak values and link to fix guides.
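The kind of check described above, as an added example rather than Barrion's own code: it takes the raw (name, value) header pairs of one response and reports headers that are missing, weak, duplicated, or obsolete, using the one-year HSTS max-age threshold and the X-XSS-Protection advice from the FAQ below. The sample headers and the nonce value are constructed for the example.

```python
import re

# One year, the minimum max-age hstspreload.org accepts; used here as the
# "weak" threshold for every site (an assumption of this example).
HSTS_MIN_MAX_AGE = 31536000

REQUIRED = {
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "x-content-type-options", "referrer-policy",
}

# Constructed sample: what the Nginx config on this page would emit,
# plus a CSP that uses a per-request nonce instead of 'unsafe-inline'.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-abc123'"),
]

def audit_headers(headers):
    """Return findings for raw (name, value) pairs; empty list means all good.
    Names are case-insensitive; duplicates are kept so they can be flagged."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    for name in sorted(REQUIRED - set(by_name)):
        findings.append(f"missing: {name}")
    for hsts in by_name.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("weak: strict-transport-security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("weak: strict-transport-security lacks includeSubDomains")
    xfo_values = by_name.get("x-frame-options", [])
    for xfo in xfo_values:
        if xfo.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"weak: x-frame-options value {xfo!r} is not DENY/SAMEORIGIN")
    if len(xfo_values) > 1:
        findings.append("weak: duplicate x-frame-options headers (browsers may ignore both)")
    for xcto in by_name.get("x-content-type-options", []):
        if xcto.lower() != "nosniff":
            findings.append("weak: x-content-type-options is not nosniff")
    for csp in by_name.get("content-security-policy", []):
        # script-src falls back to default-src; a nonce/hash source makes
        # 'unsafe-inline' ignored, so only flag it when neither is present
        directives = {d.split()[0].lower(): [s.lower() for s in d.split()[1:]]
                      for d in csp.split(";") if d.strip()}
        script = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
            findings.append("weak: content-security-policy script-src allows 'unsafe-inline'")
    if "x-xss-protection" in by_name:
        findings.append("obsolete: x-xss-protection is a no-op and should be removed")
    return findings
```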

Configuration examples

Nginx: core security headers

# "always" also attaches the headers to 4xx/5xx responses, which Nginx otherwise skips
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Node.js (Express) with Helmet

import express from 'express'
import helmet from 'helmet'

const app = express()
app.use(helmet()) // sets HSTS, X-Content-Type-Options, Referrer-Policy, a default CSP and more

Verify it

curl -sI https://example.com | grep -iE 'strict-transport-security|x-frame-options|content-security-policy'

FAQ

Common questions.

Which headers do modern browsers actually enforce?
Strict-Transport-Security, Content-Security-Policy (including frame-ancestors), X-Content-Type-Options, and Referrer-Policy are honored by every current Chromium, Firefox, and Safari release. X-Frame-Options is still respected for legacy reasons, but CSP frame-ancestors overrides it where both are present, and X-XSS-Protection is now a no-op and should be removed.
Can I rely on HSTS preload to cover the first request?
Only for browsers that ship the preload list, which is Chrome, Edge, Firefox, Safari, and Opera. Submitting to hstspreload.org requires max-age of at least 31536000, includeSubDomains, and the preload token, and removal takes months, so make sure every subdomain is HTTPS-ready before applying.
Does header order matter?
No, browsers parse headers as a set rather than a sequence, so order is irrelevant. What does matter is avoiding duplicates: two Content-Security-Policy headers are intersected (the strictest wins), while two X-Frame-Options headers cause some browsers to ignore both.
Should I set headers at the edge or in the application?
Set them at whichever layer owns the response body, otherwise a static asset served by your CDN ends up without them. Edge configuration is fine for site-wide defaults like HSTS and X-Content-Type-Options, but CSP nonces have to be generated per-request alongside the HTML.