Why Security Headers Matter
HTTP security headers are response headers that tell browsers how to handle your site's content. Because the browser enforces them, they're your first line of defense against XSS, clickjacking, MIME sniffing, and man-in-the-middle attacks, and they're completely free to implement: a few lines of server configuration, no application code changes.
Essential Headers
1. Content-Security-Policy (CSP)
Controls which resources (scripts, styles, images) the browser is allowed to load. Prevents XSS by blocking inline scripts and unauthorized external sources. Note that the 'unsafe-inline' keyword in the example below re-enables inline scripts for script-src, which gives up most of that XSS protection; treat it as a migration step and replace it with per-response nonces or script hashes once your inline scripts are tagged or moved to files.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
2. Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS for all future requests to the domain. Prevents SSL stripping attacks. The browser only learns the policy after it has seen the header over a valid HTTPS response, so the very first visit is unprotected unless the domain is on the browser preload list (the preload directive alone does nothing until you submit the domain at hstspreload.org). Set max-age to at least a year, and only add includeSubDomains once every subdomain actually serves HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
3. X-Frame-Options
Prevents your site from being embedded in iframes — the primary defense against clickjacking. Use SAMEORIGIN instead of DENY if your own pages need to frame each other. Modern browsers prefer the CSP frame-ancestors directive, which also allows a list of trusted framing origins; keep X-Frame-Options as well for older browsers.
X-Frame-Options: DENY
4. X-Content-Type-Options
Stops browsers from MIME-sniffing a response away from the declared Content-Type, so a user-uploaded file served as text/plain cannot be interpreted as HTML or a script. This only works if your responses actually set a correct Content-Type.
X-Content-Type-Options: nosniff
5. Referrer-Policy
Controls how much referrer information is sent when navigating away from your site.
Referrer-Policy: strict-origin-when-cross-origin
6. Permissions-Policy
Controls which browser features your site (and any iframes it embeds) can use (camera, microphone, geolocation, etc.). An empty allowlist, written as (), disables the feature for every origin, including your own.
Permissions-Policy: camera=(), microphone=(), geolocation=()
Quick Checklist
- CSP — Prevent XSS and data injection
- HSTS — Enforce HTTPS
- X-Frame-Options — Prevent clickjacking
- X-Content-Type-Options — Prevent MIME sniffing
- Referrer-Policy — Control referrer leakage
- Permissions-Policy — Disable unnecessary APIs
DevUtility Hub implements all of these headers. Check your own site's headers with browser DevTools → Network tab → Response Headers.