Security Headers: Strengthen Site Safety and Technical Quality
Security headers guide browser behavior to reduce common attack surfaces.
Key Headers to Review
Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
What Each Header Does
Content-Security-Policy (CSP)
Controls which sources are allowed to load scripts, styles, images, fonts, and other resources. A strong CSP reduces XSS risk by blocking unexpected script execution.
Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS for future requests to your domain for a defined period. This helps prevent protocol downgrade and cookie leakage over HTTP.
X-Content-Type-Options
Usually set to nosniff. It prevents MIME-type sniffing so browsers do not interpret files as a different type than declared, reducing certain injection vectors.
Referrer-Policy
Controls how much referrer information is sent with outbound requests. This helps limit leakage of sensitive URL details while preserving useful analytics context.
Permissions-Policy
Restricts access to powerful browser features (for example camera, microphone, geolocation) by default or per-origin. This reduces unnecessary capability exposure.
Why It Matters
Strong headers improve resilience and user trust. Weak defaults can expose unnecessary risk.
Quick Check
curl -I https://example.com
Verify critical headers are present and sensible.
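The check below turns "present and sensible" into something repeatable. It is an added example, not part of the original article: a POSIX shell script that reads the raw response headers `curl -I` prints and applies one check per header from the "What Each Header Does" section. The function names, the two constructed header dumps, and the thresholds (one-year HSTS max-age, rejecting unsafe-inline/unsafe-eval in CSP, rejecting the two leakiest Referrer-Policy values) are this example's own assumptions, chosen to reflect common hardening guidance rather than anything the article states.

```shell
#!/bin/sh
# Added example (not from the original article): parse the headers printed by
# `curl -I` and report whether the five headers discussed above are present and
# sensible. Function names and thresholds are assumptions made for this example.

# Minimum HSTS max-age accepted here: one year (31536000 s), the value commonly
# recommended for production sites. Assumption, not a figure from the article.
MIN_HSTS_MAX_AGE=31536000

# Print the value of header $1 from the dump held in $HDRS: case-insensitive
# name match, first occurrence only, CR and surrounding whitespace stripped.
header_value() {
    printf '%s\n' "$HDRS" | grep -i "^$1:" | head -n 1 \
        | cut -d: -f2- | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Read a header dump on stdin, print one PASS/FAIL line per header to stderr,
# and print the number of failing checks to stdout.
count_failures() {
    HDRS=$(cat)
    fails=0

    # 1. CSP must be present; unsafe-inline / unsafe-eval undo most of its XSS
    #    protection, so this strict check counts them as failures.
    csp=$(header_value content-security-policy | tr 'A-Z' 'a-z')
    case "$csp" in
        "") echo "FAIL Content-Security-Policy missing" >&2; fails=$((fails+1)) ;;
        *unsafe-inline*|*unsafe-eval*)
            echo "FAIL Content-Security-Policy allows unsafe-inline/unsafe-eval" >&2
            fails=$((fails+1)) ;;
        *) echo "PASS Content-Security-Policy" >&2 ;;
    esac

    # 2. HSTS must be present with a max-age of at least MIN_HSTS_MAX_AGE.
    hsts=$(header_value strict-transport-security | tr 'A-Z' 'a-z')
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$hsts" ]; then
        echo "FAIL Strict-Transport-Security missing" >&2; fails=$((fails+1))
    elif [ -z "$max_age" ] || [ "$max_age" -lt "$MIN_HSTS_MAX_AGE" ]; then
        echo "FAIL Strict-Transport-Security max-age too short: '$hsts'" >&2; fails=$((fails+1))
    else
        echo "PASS Strict-Transport-Security" >&2
    fi

    # 3. X-Content-Type-Options has exactly one meaningful value: nosniff.
    xcto=$(header_value x-content-type-options | tr 'A-Z' 'a-z')
    if [ "$xcto" = "nosniff" ]; then
        echo "PASS X-Content-Type-Options" >&2
    else
        echo "FAIL X-Content-Type-Options missing or not nosniff" >&2; fails=$((fails+1))
    fi

    # 4. Referrer-Policy must be present and must not be one of the two values
    #    that send the full URL cross-origin (unsafe-url) or over a downgrade
    #    (no-referrer-when-downgrade). Single-value policies only, for brevity.
    rp=$(header_value referrer-policy | tr 'A-Z' 'a-z')
    case "$rp" in
        "") echo "FAIL Referrer-Policy missing" >&2; fails=$((fails+1)) ;;
        unsafe-url|no-referrer-when-downgrade)
            echo "FAIL Referrer-Policy leaks full URL: '$rp'" >&2; fails=$((fails+1)) ;;
        *) echo "PASS Referrer-Policy" >&2 ;;
    esac

    # 5. Permissions-Policy must be present (feature-by-feature review is manual).
    pp=$(header_value permissions-policy)
    if [ -n "$pp" ]; then
        echo "PASS Permissions-Policy" >&2
    else
        echo "FAIL Permissions-Policy missing" >&2; fails=$((fails+1))
    fi

    echo "$fails"
}

# Constructed sample dumps (not captured from any real site) in the format
# `curl -I` prints: one with strong headers, one with weak or missing ones.
strong_headers() {
    cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
EOF
}

weak_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Referrer-Policy: unsafe-url
X-Content-Type-Options: nosniff
EOF
}

# Demo run on the constructed samples. Against a live site you would instead
# pipe real output in:  curl -sI https://example.com | count_failures
echo "strong sample failures: $(strong_headers | count_failures)"
echo "weak sample failures:   $(weak_headers | count_failures)"
```

The script reports per-header results on stderr and the failure count on stdout, so it drops straight into a CI step or a pre-launch checklist (`curl -sI "$URL" | count_failures` and fail the job on a non-zero count). The checks are deliberately strict: a CSP with 'unsafe-inline' or an HSTS max-age of a few minutes will both be flagged even though the header is technically present, which is the difference between "present" and "sensible" that the Quick Check asks for.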
Final Takeaway
Security headers are part of launch readiness, not optional hardening.