Security Headers: Strengthen Site Safety and Technical Quality
Security headers guide browser behavior to reduce common attack surfaces.
Key Headers to Review
Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
What Each Header Does
Content-Security-Policy (CSP)
Controls which origins scripts, styles, images, fonts and other resources may be loaded from, and whether inline scripts and eval are allowed at all. A strict CSP limits the damage from an XSS bug by refusing to run any script the policy did not allow, injected inline code included. It is a backstop for output encoding, not a replacement for it.
Strict-Transport-Security (HSTS)
Tells a browser that has received the header over HTTPS to use HTTPS for every request to your domain for max-age seconds, rewriting http:// links internally and refusing to let the user click through certificate errors. This prevents protocol-downgrade attacks and stops session cookies leaking over plain HTTP. Browsers ignore the header on HTTP responses, so a user's very first visit is unprotected unless the domain is on the HSTS preload list.
X-Content-Type-Options
Set to nosniff, its only defined value. It stops the browser from guessing a response's MIME type from its contents instead of trusting the declared Content-Type, so a resource that is not declared as JavaScript or CSS is refused as a script or stylesheet. This closes injection vectors such as a user-uploaded file being pulled in as a script.
Referrer-Policy
Controls how much referrer information is sent with outbound requests. This helps limit leakage of sensitive URL details while preserving useful analytics context.
Permissions-Policy
Restricts access to powerful browser features (for example camera, microphone, geolocation) by default or per-origin. This reduces unnecessary capability exposure.
Why It Matters
Strong headers improve resilience and user trust. Browser defaults are permissive (MIME sniffing on, any site may frame your pages, every script the page loads is trusted equally), so leaving these headers unset means accepting risk nobody consciously chose.
Example Header Set
Content-Security-Policy: default-src 'self'; img-src 'self' https: data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
This CSP sets no script-src, so scripts fall under default-src 'self': only same-origin script files load, and inline script blocks and on* event-handler attributes are blocked. Roll a policy like this out as Content-Security-Policy-Report-Only first and fix what it reports before enforcing it.
Express middleware example
const express = require('express');
const app = express();

// Only needed when the app sits behind a TLS-terminating proxy or load balancer:
// every request then arrives over plain HTTP, so req.secure stays false unless
// Express is told to trust the X-Forwarded-Proto header the proxy sets.
app.set('trust proxy', 1);

app.use((req, res, next) => {
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; img-src 'self' https: data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
  );
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  // Browsers ignore HSTS received over HTTP, so only send it on HTTPS responses.
  if (req.secure) {
    res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  }
  next();
});
Quick Check
curl -sI https://example.com
Verify the critical headers are present and carry sensible values. Use https:// in the URL, since HSTS is never sent over plain HTTP. curl -I makes a HEAD request, and some servers only attach headers to GET responses; if the output looks incomplete, fetch the page itself and print just the headers:
curl -s -D - -o /dev/null https://example.com | grep -iE "content-security-policy|strict-transport-security|x-content-type-options|referrer-policy|permissions-policy"
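The grep above only confirms that the headers exist. The following Node.js script is an added example, not code from the original article: it parses a raw header block of the kind curl -I prints, applies the CSP fallback rules described in the CSP section (script-src and object-src fall back to default-src; base-uri and frame-ancestors do not), and reports weak values such as 'unsafe-inline' in script-src or an HSTS max-age under a year. The two sample responses inside it are constructed, and the thresholds (one-year HSTS, the two Referrer-Policy values treated as leaky) are this example's own choices rather than anything the page states.

```javascript
// Added example (not from the original article): audit a curl -I header block for
// the five headers above, flagging weak values rather than mere absence.
// Raw headers -> map of lower-cased name -> [values]; CSP may legitimately repeat.
function parseRawHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || /^HTTP\//i.test(line)) continue; // skip status and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// One CSP policy -> directive -> sources. A repeated directive is ignored (first wins).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
    }
  }
  return directives;
}

// Weaknesses in one policy. script-src and object-src fall back to default-src;
// base-uri and frame-ancestors have no fallback and must be set explicitly.
function cspFindings(policy) {
  const d = parseCsp(policy);
  const out = [];
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!scriptSrc) {
    out.push('CSP: no script-src or default-src, scripts unrestricted');
  } else {
    const strictDynamic = scriptSrc.includes("'strict-dynamic'");
    const nonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // Browsers ignore 'unsafe-inline' once a nonce, hash or 'strict-dynamic' is present,
    // and 'strict-dynamic' also discards host allowlists, so only flag what still applies.
    if (scriptSrc.includes("'unsafe-inline'") && !strictDynamic && !nonceOrHash) {
      out.push("CSP: script-src allows 'unsafe-inline'");
    }
    const wide = strictDynamic ? [] : ['*', 'http:', 'https:', 'data:'].filter((w) => scriptSrc.includes(w));
    for (const w of wide) out.push(`CSP: script-src allows ${w}`);
    if (scriptSrc.includes("'unsafe-eval'")) out.push("CSP: script-src allows 'unsafe-eval'");
  }
  if (!d['object-src'] && !d['default-src']) out.push('CSP: object-src not restricted');
  if (!d['base-uri']) out.push('CSP: base-uri not set, an injected <base> can redirect relative URLs');
  if (!d['frame-ancestors']) out.push('CSP: frame-ancestors not set, clickjacking unmitigated');
  return out;
}

// Multiple CSP headers are enforced independently (a load must satisfy all of them),
// so a CSP weakness only counts when every policy shares it.
function auditHeaders(headers) {
  const findings = [];
  const policies = headers['content-security-policy'] || [];
  if (policies.length === 0) findings.push('CSP: missing');
  else {
    const perPolicy = policies.map(cspFindings);
    for (const f of perPolicy[0]) if (perPolicy.every((p) => p.includes(f))) findings.push(f);
  }
  const hsts = headers['strict-transport-security'];
  if (!hsts) findings.push('HSTS: missing (only sent over HTTPS; was the URL https://?)');
  else {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(hsts[0]);
    const maxAge = m ? Number(m[1]) : 0; // a header without max-age is invalid, treat as 0
    if (maxAge < 31536000) findings.push(`HSTS: max-age ${maxAge} is below one year`);
    if (!/includesubdomains/i.test(hsts[0])) findings.push('HSTS: includeSubDomains absent');
  }
  const xcto = headers['x-content-type-options'];
  if (!xcto || xcto[0].toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options: must be nosniff');
  const rp = headers['referrer-policy'];
  if (!rp) findings.push('Referrer-Policy: missing, browser default applies');
  else {
    // A comma-separated fallback list is allowed; browsers use the last token they recognise.
    const effective = rp[0].split(',').pop().trim().toLowerCase();
    if (['unsafe-url', 'no-referrer-when-downgrade'].includes(effective)) {
      findings.push(`Referrer-Policy: ${effective} sends the full URL to cross-origin destinations`);
    }
  }
  if (!headers['permissions-policy']) findings.push('Permissions-Policy: missing');
  return findings;
}

// Constructed sample responses, not captured from any real site.
const WEAK_RESPONSE = `HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self' 'unsafe-inline' https:
Strict-Transport-Security: max-age=3600
X-Content-Type-Options: NoSniff
Referrer-Policy: unsafe-url`;

const STRONG_RESPONSE = `Content-Security-Policy: default-src 'self'; img-src 'self' https: data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()`;

for (const f of auditHeaders(parseRawHeaders(WEAK_RESPONSE))) console.log(f);
```

Run as-is it prints eight findings for the weak sample (the mixed-case NoSniff passes, because header values are compared case-insensitively) and none for the strong set, which matches the Example Header Set above. To audit a live site, save the output of curl -sI https://example.com to a file and pass its contents to parseRawHeaders in place of WEAK_RESPONSE.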
Final Takeaway
Security headers are part of launch readiness, not optional hardening.