Security Headers

Defense-in-depth via HTTP response headers

Why Security Headers

Beyond authentication, HTTP response headers can instruct browsers to enable additional protections: refuse plain HTTP, refuse to run scripts from unexpected origins, refuse to be framed, and so on. These headers are a defense-in-depth layer. They do not fix insecure code (a stored XSS bug is still a bug), but they make exploiting it harder, and in the case of CSP they can turn a working injection into a blocked one.

Essential Security Headers

Header: Strict-Transport-Security (HSTS)
Purpose: Tells the browser to use HTTPS for every future request to this host (and, with includeSubDomains, to its subdomains) for max-age seconds. Browsers only honour it when it arrives over HTTPS, so it cannot protect the very first plain-HTTP request.
Example value: max-age=31536000; includeSubDomains

Header: Content-Security-Policy (CSP)
Purpose: Controls which origins the page may load resources (scripts, styles, images, frames) from. A script-src of 'self' also blocks inline <script> blocks and event-handler attributes, which is what makes it effective against injected script.
Example value: default-src 'self'; script-src 'self'

Header: X-Content-Type-Options
Purpose: Stops the browser from MIME-sniffing (guessing a content type that differs from the declared Content-Type), so an uploaded "image" is not interpreted as script.
Example value: nosniff

Header: X-Frame-Options
Purpose: Stops the page from being embedded in a frame on another site (clickjacking). The CSP frame-ancestors directive is the modern equivalent and takes precedence when both are present.
Example value: DENY or SAMEORIGIN

Header: Referrer-Policy
Purpose: Controls how much of the current URL is sent in the Referer header of outgoing requests; the example sends only the origin to other sites, so paths and query strings (which may carry tokens) stay home.
Example value: strict-origin-when-cross-origin

Header: Permissions-Policy
Purpose: Declares which browser features (camera, microphone, geolocation, and others) the page and its embedded frames may use; an empty allowlist disables the feature.
Example value: camera=(), microphone=(), geolocation=()

A Production-Ready Header Set

Here is an Nginx fragment that sets all six headers. It belongs inside the server block that listens with ssl, because HSTS is ignored when received over plain HTTP and Nginx would otherwise emit it on the HTTP listener too:

# Nginx configuration example (inside the HTTPS server block)
# "always" makes Nginx add the header on error responses (4xx/5xx) as well,
# not just on 2xx/3xx, so a 404 page is protected too.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Two caveats when deploying this. First, Nginx add_header directives are inherited from the server block only if the location block contains no add_header of its own; a single add_header in a location silently drops all six parent headers for that location, so either repeat the full set there or put it in an included file. Second, the CSP shown blocks inline scripts and styles; if the application relies on them, the page will break rather than load, so test with Content-Security-Policy-Report-Only first and tighten from there.
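Once the headers are deployed, the check a practitioner wants is an automated audit of what the server actually returns, since a misplaced add_header or a weak value passes a casual glance. The following Python script is an added example, not part of the original page or of Nginx; it audits a dict of response headers (as you would get from requests.head(url).headers) against the six-header baseline above. The two sample responses are constructed for the example, and the thresholds (a one-year max-age, the set of non-leaking Referrer-Policy values) are the author's assumptions, matching the values the page recommends.

```python
"""Audit a captured set of HTTP response headers against the six-header baseline."""
import re

ONE_YEAR = 31536000  # seconds; the max-age the baseline above uses

# Referrer-Policy values that never send path or query to another origin
# (assumed safe set for this example).
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means the baseline is met.

    `headers` is a plain dict of response header names to values; names are
    matched case-insensitively, as they are on the wire.
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    # Strict-Transport-Security: present, one year or more, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains")

    # Content-Security-Policy: present, and script sources must not reopen XSS.
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when absent, as browsers do.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP has neither script-src nor default-src")
        for loose in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if loose in scripts:
                findings.append(f"CSP script sources allow {loose}")

    # Framing: either X-Frame-Options or the CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (X-Frame-Options or frame-ancestors)")

    # X-Content-Type-Options: the only meaningful value is nosniff.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Referrer-Policy may be a comma-separated fallback list; the last token
    # the browser recognises wins, so judge the last one.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",")]
    if policies[-1] not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    # Permissions-Policy: presence check only; the right allowlist is app-specific.
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    return findings


# Constructed sample responses for this example (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_RESPONSE = {  # mirrors the Nginx add_header set above
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(response) or ['OK']}")
```

The weak response produces seven findings, one per header that is missing or too loose; the hardened response produces none. Swapping X-Frame-Options for a frame-ancestors directive in the CSP also passes, which reflects how browsers treat the two.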