HTTP security headers
Also known as: CSP, Content-Security-Policy, X-Frame-Options
Small instructions your server sends with every page that tell the browser to switch on built-in protections against common attacks.
In plain English
Browsers have safety features built in, but many are off by default. Security headers are the switches that turn them on: force HTTPS, stop other sites from framing yours to trick clicks, stop the browser from mis-guessing file types, and restrict which scripts are allowed to run.
They're free, they're a one-line change at your server or CDN, and they're one of the highest-value, lowest-effort things you can do for safety and trust.
How to fix / set it up
- Generate a hardened set with our Security Headers Generator.
- Add them at your web server, CDN or framework config.
- Deploy CSP in report-only mode first, fix what it flags, then enforce; verify with the HTTP Header Checker.
Security Headers Generator →HTTP Header Checker →
The technical detail
The key ones: Strict-Transport-Security (HSTS), Content-Security-Policy (the strongest defence against cross-site scripting), X-Frame-Options/frame-ancestors (clickjacking), X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy.
Roll out CSP with Content-Security-Policy-Report-Only first to find what it would block, then switch to enforcing.
FAQ
Which header matters most?
A Content-Security-Policy gives the biggest security win, but it needs care; HSTS and nosniff are the easiest quick wins.
Will they slow my site down?
No — they're tiny text headers with no performance cost.