HTTP Headers Check
Inspect the HTTP response headers returned by any web server. Check whether critical security headers like Content-Security-Policy, HSTS, and X-Frame-Options are present. Missing security headers can expose sites to XSS, clickjacking, and data-injection attacks.
Security Headers Explained
Security headers are HTTP response headers that instruct browsers how to handle your site's content. They provide a low-effort, high-impact layer of defense against common web attacks.
| Header | Protects Against | Recommended Value | Priority |
|---|---|---|---|
| Content-Security-Policy | Cross-site scripting (XSS), data injection, code injection | default-src 'self' | Critical |
| Strict-Transport-Security | Protocol downgrade attacks, SSL stripping, MITM | max-age=31536000; includeSubDomains | Critical |
| X-Frame-Options | Clickjacking attacks (embedding in iframes) | DENY or SAMEORIGIN | High |
| X-Content-Type-Options | MIME-type confusion attacks | nosniff | High |
| Referrer-Policy | Leaking sensitive URL paths to third-party sites | strict-origin-when-cross-origin | Medium |
| Permissions-Policy | Unauthorized use of browser APIs (camera, location, etc.) | geolocation=(), microphone=() | Medium |
| X-XSS-Protection | XSS in older browsers (IE/Edge legacy) | 1; mode=block | Low |
| Cache-Control | Sensitive data cached in shared proxies or browser | no-store for private pages | Medium |
Quick Implementation Guide
- Add security headers in your web server config (nginx, Apache) or application middleware.
- For nginx: use the add_header directive in your server block.
- For Apache: use Header set in .htaccess or httpd.conf.
- For Flask/Django/Express: use a middleware library like flask-talisman or helmet.js.
- Test after each change using this tool or securityheaders.com.
- Start with X-Content-Type-Options and X-Frame-Options, which introduce zero breaking changes.
- Use CSP in report-only mode first to collect violations before enforcing.
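The check the guide tells you to run after each change can be scripted. The following is an added example written for this page, not the tool's own code: it parses the header block of a raw HTTP response and grades it against the recommended values in the table above, reporting missing headers and values that are present but weak (a CSP that allows 'unsafe-inline', an HSTS max-age shorter than a year, an obsolete ALLOW-FROM frame option). The two responses embedded below are constructed samples, one weak and one hardened; the `private` flag is an assumption of this example, since a checker cannot tell on its own whether a page is private and so whether `no-store` is required.

```python
"""Grade an HTTP response's security headers against the recommended values
from the table above.  Added example (not the checker tool's code); the two
sample responses are constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Recommended value and priority per header, taken from the table above.
RECOMMENDED: Dict[str, Tuple[str, str]] = {
    "content-security-policy": ("default-src 'self'", "Critical"),
    "strict-transport-security": ("max-age=31536000; includeSubDomains", "Critical"),
    "x-frame-options": ("DENY or SAMEORIGIN", "High"),
    "x-content-type-options": ("nosniff", "High"),
    "referrer-policy": ("strict-origin-when-cross-origin", "Medium"),
    "permissions-policy": ("geolocation=(), microphone=()", "Medium"),
    "x-xss-protection": ("1; mode=block", "Low"),
    "cache-control": ("no-store for private pages", "Medium"),
}
PRIORITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample: several headers missing, others present but weak.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)

# Constructed sample: every header set to the table's recommended value.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), microphone=()\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break  # the empty line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _weakness(name: str, value: str) -> Optional[str]:
    """Return a description of why a present header is weak, or None if it is fine."""
    v = value.lower()
    if name == "content-security-policy":
        if "default-src" not in v:
            return "no default-src fallback directive"
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return f"permits unsafe-inline/unsafe-eval: {value}"
    elif name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            return f"max-age shorter than one year: {value}"
        if "includesubdomains" not in v:
            return "includeSubDomains not set"
    elif name == "x-frame-options":
        if v not in ("deny", "sameorigin"):
            return f"expected DENY or SAMEORIGIN (ALLOW-FROM is obsolete): {value}"
    elif name == "x-content-type-options":
        if v != "nosniff":
            return f"expected nosniff: {value}"
    elif name == "referrer-policy":
        if "unsafe-url" in v:
            return "unsafe-url leaks full URLs to third-party sites"
    elif name == "cache-control":
        if "no-store" not in v:
            return f"no-store not set on a private page: {value}"
    return None


def check_headers(headers: Dict[str, str], private: bool = True) -> List[Tuple[str, str, str]]:
    """Return (priority, header, finding) tuples, most severe first.

    `private` (an assumption of this example) says whether the page carries
    user-specific data; Cache-Control is only graded when it does."""
    findings = []
    for name, (recommended, priority) in RECOMMENDED.items():
        if name == "cache-control" and not private:
            continue
        value = headers.get(name)
        if value is None:
            findings.append((priority, name, f"missing; recommended: {recommended}"))
            continue
        problem = _weakness(name, value)
        if problem:
            findings.append((priority, name, problem))
    findings.sort(key=lambda f: PRIORITY_ORDER[f[0]])  # stable: keeps table order within a tier
    return findings


if __name__ == "__main__":
    for priority, name, finding in check_headers(parse_headers(WEAK_RESPONSE)):
        print(f"[{priority:8}] {name}: {finding}")
    print("hardened response findings:", check_headers(parse_headers(HARDENED_RESPONSE)))
```

Running it against the weak sample reports six findings ordered Critical to Low, and none against the hardened sample. To use it on a live server, replace the constructed string with the header block captured by `curl -sI` or your HTTP client; the grading logic is independent of how the response was obtained.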