HTTP Security Headers Explained: The Complete Guide
HTTP security headers are response headers your server sends that instruct the browser to behave more defensively. They decide which scripts a page may run, whether other sites can frame it, whether the connection must use HTTPS, and how much referrer data leaks. They are among the cheapest security wins available, since most are a single line of server configuration.
None of them encrypt anything; that job belongs to TLS and the certificate behind it. Instead, headers harden the browser side of the connection against common web attacks. You can see exactly which headers any site sends, and how it scores, with our security headers tool.
The headers that matter
| Header | Defends against | Guide |
|---|---|---|
| Content-Security-Policy | Cross-site scripting (XSS), injection | CSP explained |
| Strict-Transport-Security | Protocol downgrade, SSL stripping | HSTS explained |
| X-Frame-Options | Clickjacking | X-Frame-Options |
| X-Content-Type-Options | MIME sniffing | X-Content-Type-Options |
| Referrer-Policy | Referrer data leakage | Referrer-Policy |
| Permissions-Policy | Unwanted access to camera, mic, geolocation | Permissions-Policy |
Content-Security-Policy
CSP is the most powerful header and the hardest to get right. It whitelists the sources a page may load scripts, styles, and other resources from, which neutralises most cross-site scripting. Worth the effort for any serious site. See CSP explained.
Strict-Transport-Security (HSTS)
HSTS forces browsers to use HTTPS for your domain, closing the window where a first plain-HTTP request can be intercepted and downgraded. See HSTS explained.
The supporting cast
X-Content-Type-Options: nosniff stops the browser from second-guessing content types (guide). X-Frame-Options (or CSP frame-ancestors) blocks clickjacking (guide). Referrer-Policy controls how much URL data is sent to other sites (guide). Permissions-Policy restricts powerful browser features like camera and geolocation (guide).
Do not overlook how cookies are set either: the HttpOnly, Secure, and SameSite attributes are a security control of their own, covered in cookie security attributes.
How to check and score a site
You do not need to read raw headers by hand. Our security headers tool fetches a site's response headers and grades them with specific recommendations. For the manual methods (browser dev tools and curl), see how to check security headers.
A sensible order of adoption: add the easy, low-risk headers first (X-Content-Type-Options, X-Frame-Options, Referrer-Policy), turn on HSTS once you are confident HTTPS is solid, then take your time building a correct Content-Security-Policy in report-only mode before enforcing it.
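The manual check and the adoption order above can be turned into a small audit that runs over a site's response headers. This is an added example, not our security headers tool or its scoring: it takes an already-fetched header dict (the sample below is constructed, not captured from any real site), flags each of the six headers plus the cookie attributes when missing or weak, and derives a coarse letter grade from the number of findings. The one-year HSTS threshold and the grading scale are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Set-Cookie": "session=abc123; Path=/",
}
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this example


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing header; [] means nothing to flag."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing (XSS/injection risk)")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline', which weakens its XSS protection")
    max_age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not max_age:
        findings.append("Strict-Transport-Security missing (downgrade/SSL stripping risk)")
    elif int(max_age.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age is below one year")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("No X-Frame-Options or CSP frame-ancestors (clickjacking risk)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing risk)")
    if h.get("referrer-policy", "").strip().lower() in ("", "unsafe-url"):
        findings.append("Referrer-Policy missing or unsafe-url (referrer leakage)")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing (camera/mic/geolocation unrestricted)")
    cookie = h.get("set-cookie", "")
    if cookie:  # attributes follow the name=value pair, separated by ';'
        attrs = {a.split("=")[0].strip().lower() for a in cookie.split(";")[1:]}
        for needed in ("Secure", "HttpOnly", "SameSite"):
            if needed.lower() not in attrs:
                findings.append(f"Set-Cookie lacks the {needed} attribute")
    return findings


def grade(headers: Dict[str, str]) -> str:
    """Coarse letter grade: A with no findings, one step down per two findings."""
    return "ABCDF"[min(len(audit_headers(headers)) // 2, 4)]
```

Run `audit_headers(SAMPLE_HEADERS)` to see the eight findings the sample produces; a site that sends all six headers with sane values and full cookie attributes returns an empty list and grades A.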
Headers are a rare security measure that is both cheap and high impact. Audit any site with our security headers tool, or have an agent pull them through the security_headers tool in our MCP server.
Frequently asked questions
What are HTTP security headers?
HTTP security headers are response headers a web server sends that tell the browser how to behave more safely: which scripts to trust, whether to allow framing, whether to force HTTPS, and more. They are a cheap, high-impact layer of defense against attacks like cross-site scripting and clickjacking.
Which security headers are most important?
Content-Security-Policy and Strict-Transport-Security give the most protection, followed by X-Content-Type-Options, X-Frame-Options (or CSP frame-ancestors), Referrer-Policy, and Permissions-Policy.
How do I add security headers?
You set them in your web server, application, or CDN configuration as HTTP response headers. Start in a report-only or permissive mode for the strict ones like CSP, then tighten.