Security 2024-02-01

Complete Guide to Security Headers for Websites

Discover all essential HTTP security headers and how to implement them to protect your website from common vulnerabilities.

GrantArchive Team

Introduction to Security Headers

Security headers are HTTP response headers that tell browsers how to behave when handling your website's content. They form a critical defense layer against common attacks like cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks. Implementing proper security headers is one of the most effective and often overlooked aspects of website security.

Why Security Headers Matter

Without proper security headers, your website is exposed to a range of attacks. Studies show that 95% of websites are missing at least one security header. Attackers actively scan for sites with missing headers, so implementing them is a critical security practice.

Essential Security Headers

1. Content-Security-Policy (CSP)

CSP is the most powerful security header. It controls which resources can be loaded on your page:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline';

Best practices:

  • Start restrictive, then relax as needed
  • Use nonces for inline scripts
  • Report violations to monitor issues
  • Test thoroughly before deployment

2. X-Frame-Options

Prevents your site from being embedded in iframes, protecting against clickjacking (the CSP frame-ancestors directive is the modern equivalent and takes precedence in browsers that support it):

X-Frame-Options: DENY

Options:

  • DENY: No embedding allowed
  • SAMEORIGIN: Only same-origin embedding allowed

3. X-Content-Type-Options

Prevents MIME-type sniffing:

X-Content-Type-Options: nosniff

This ensures browsers respect your declared content types, preventing attacks that exploit MIME confusion.

4. Strict-Transport-Security (HSTS)

Forces browsers to connect only via HTTPS for the duration of max-age (the preload token additionally allows the domain to be added to browsers' built-in HSTS lists, which is slow to undo, so add it only once every subdomain serves HTTPS):

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Benefits:

  • Prevents protocol downgrade attacks
  • Protects cookies from theft over plaintext HTTP
  • Improves SEO (HTTPS ranking boost)

5. Referrer-Policy

Controls how much referrer information is sent:

Referrer-Policy: strict-origin-when-cross-origin

Options range from no-referrer (most private) to unsafe-url (least private).

6. Permissions-Policy

Controls which browser features can be used:

Permissions-Policy: geolocation=(), microphone=(), camera=()

Disable features you don't use to reduce attack surface.

Additional Security Headers

Cross-Origin-Opener-Policy (COOP)

Isolates your browsing context from cross-origin windows, so a page that opened yours (or that you opened) can no longer reach your window object:

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Resource-Policy (CORP)

Prevents cross-origin loading of resources:

Cross-Origin-Resource-Policy: same-origin

Cross-Origin-Embedder-Policy (COEP)

Requires every cross-origin resource to opt in to being loaded (via CORS or CORP); together with COOP this enables cross-origin isolation:

Cross-Origin-Embedder-Policy: require-corp

Implementation Guide

Nginx

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Apache

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

PHP

header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

Testing Your Headers

Use these tools to verify your security headers:

  • Security Headers (securityheaders.com)
  • SSL Labs SSL Test
  • Chrome DevTools Security panel
  • Mozilla Observatory
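As an added example (not code from the original article), the following Python function applies this page's recommendations to a captured set of response headers, flagging missing headers and weak values such as an HSTS max-age under a year or a CSP that permits 'unsafe-inline' scripts without a nonce. The sample headers are constructed for illustration.

```python
import re
from typing import Dict, List


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings (missing headers or weak values) for one response's headers."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # Scripts are governed by script-src, falling back to default-src.
        m = (re.search(r"(?:^|;)\s*script-src([^;]*)", csp)
             or re.search(r"(?:^|;)\s*default-src([^;]*)", csp))
        sources = m.group(1).lower() if m else ""
        if "'unsafe-inline'" in sources and "'nonce-" not in sources:
            findings.append("CSP allows 'unsafe-inline' scripts; use nonces instead")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < 31536000:  # one year, as in the example above
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains")

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")
    return findings


# Constructed sample response: weak CSP, no HSTS, no Permissions-Policy.
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

audit_headers(SAMPLE) returns three findings: the 'unsafe-inline' CSP, the missing HSTS header and the missing Permissions-Policy.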

Conclusion

Implementing security headers is a fundamental step in securing your website. Start with the essential headers and progressively add more advanced ones as you test and verify functionality. Regular audits ensure your security posture remains strong.
