Crawlsonar
Security

HTTP security headers

Also known as: CSP, Content-Security-Policy, X-Frame-Options

Small instructions your server sends with every page that tell the browser to switch on built-in protections against common attacks.

In plain English

Browsers have safety features built in, but many are off by default. Security headers are the switches that turn them on: force HTTPS, stop other sites from framing yours to trick clicks, stop the browser from mis-guessing file types, and restrict which scripts are allowed to run.

They're free, they're a one-line change at your server or CDN, and they're one of the highest-value, lowest-effort things you can do for safety and trust.

How to fix / set it up

  1. Generate a hardened set with our Security Headers Generator.
  2. Add them at your web server, CDN or framework config.
  3. Deploy CSP in report-only mode first, fix what it flags, then enforce; verify with the HTTP Header Checker.

Security Headers GeneratorHTTP Header Checker

The technical detail

The key ones: Strict-Transport-Security (HSTS), Content-Security-Policy (the strongest defence against cross-site scripting), X-Frame-Options/frame-ancestors (clickjacking), X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy.

Roll out CSP with Content-Security-Policy-Report-Only first to find what it would block, then switch to enforcing.

FAQ

Which header matters most?

A Content-Security-Policy gives the biggest security win, but it needs care; HSTS and nosniff are the easiest quick wins.

Will they slow my site down?

No — they're tiny text headers with no performance cost.

Related

← All topics in the knowledge base