What Are HTTP Security Headers?

How server-side HTTP headers protect your website and users from common web attacks.

Quick Summary

  • Security headers are HTTP response directives that tell the browser how to handle your site's content.
  • They prevent attacks like XSS, clickjacking, MIME sniffing, and protocol downgrades.
  • Missing headers are one of the most common findings in vendor security reviews.
  • Key headers include CSP, HSTS, X-Frame-Options, and Referrer-Policy.

Introduction

Every time a user visits your website, your web server sends back more than just the page content. It also sends HTTP response headers: invisible instructions that tell the browser how to behave. Security headers are a specific subset of these instructions that activate built-in browser protections.

Despite being one of the easiest security measures to implement, security headers remain one of the most commonly missing protections on the web. According to industry scans, over 70% of websites are missing at least one critical security header. This guide explains what they are, why they matter, and exactly how to implement them.

Whether you are a developer configuring a new deployment, a product manager preparing for a vendor security review, or a founder getting your startup ready for enterprise customers, understanding security headers is essential. They are often the first thing a security auditor checks.

What Are Security Headers?

The Role of the Browser

HTTP security headers are directives sent by your web server to the user's browser during every response. They instruct the browser to enable built-in protections that prevent common web attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks.

Think of them as a security policy that your server sends alongside every page. Without them, browsers use permissive defaults that attackers can exploit. For example, without a Content Security Policy, a browser will happily execute any JavaScript injected into your page, even if it comes from an attacker.

Visualizing the Protection

[Diagram: How Security Headers Protect the Browser. Your Web Server sends Security Headers (HSTS · CSP · X-Frame · Referrer · Permissions) to the User's Browser; XSS Attacks, Clickjacking and Data Injection are blocked. Headers instruct the browser to block these attack vectors.]

The diagram above shows how security headers sit between your server and the user's browser, forming a protective layer. When properly configured, they instruct the browser to reject suspicious content, block unauthorized framing, and enforce encrypted connections. You can read deeper into specific specs on the authoritative OWASP Secure Headers Project guide.

Why Security Headers Matter

Security headers are not just a technical nicety; they have direct business, legal, and security implications:

1. Regulatory and Compliance Checkboxes

  • Compliance requirements: SOC 2, ISO 27001, and PCI-DSS frameworks all check for standard security posture including headers. Missing headers can delay or block certification.
  • Vendor security reviews: Enterprise procurement teams routinely scan vendor websites for missing headers before signing contracts. A poor score can lose you a deal.
  • GDPR compliance: The GDPR requires “appropriate technical measures” to protect personal data. Security headers are a baseline expectation.

2. Defense in Depth

  • Defense in depth: Application-level code can have bugs. Headers provide a browser-level safety net that catches vulnerabilities your application code might miss.
  • Zero-day mitigation: A strong Content Security Policy can neutralize XSS attacks even if your application code is vulnerable to injection.
  • User trust: Browsers flag insecure connections. A site missing HSTS might let users downgrade to HTTP on public Wi-Fi, enabling man-in-the-middle data theft.

The Core Security Headers

While there are dozens of HTTP headers, these six form the foundation of a secure modern application.

Header | What It Prevents | Example Value
Strict-Transport-Security (HSTS) | Protocol downgrade attacks | max-age=31536000; includeSubDomains; preload
Content-Security-Policy (CSP) | XSS and code injection | default-src 'self'; script-src 'self'
X-Frame-Options | Clickjacking | SAMEORIGIN
X-Content-Type-Options | MIME type sniffing | nosniff
Referrer-Policy | URL data leaks to third parties | strict-origin-when-cross-origin
Permissions-Policy | Unauthorized API access (camera, mic) | camera=(), microphone=()

Understanding Strict-Transport-Security

HSTS in Action

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This tells the browser: “For the next year, always use HTTPS for this domain and all subdomains. Never attempt an insecure HTTP connection.”

Each of these headers addresses a different attack vector. The Referrer-Policy header controls how much URL data leaks to third parties, while the Permissions-Policy header restricts which browser APIs (camera, microphone, geolocation) can be accessed by embedded content. You can explore the MDN Web Docs HTTP Headers reference for deep technical details on edge cases.

CSP Can Break Things

A strict Content Security Policy will block inline scripts and third-party resources by default. Always start with Content-Security-Policy-Report-Only to observe what would break before enforcing.
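The report-only rollout described above, as an added example in Python (not code from the original page or any project): it builds the same policy under either header name, so moving from observing to enforcing is a one-flag change, and it admits inline scripts only through a per-response nonce or a SHA-256 hash rather than 'unsafe-inline'. The function names and the /csp-report endpoint are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional, Sequence, Tuple

# Added example (not the page's or any project's code). Function names and the
# "/csp-report" endpoint are assumptions made for illustration.

def csp_hash_for_inline_script(script_body: str) -> str:
    """Source expression ('sha256-...') that allows exactly one inline script.
    Browsers hash the UTF-8 bytes between <script> and </script>, whitespace
    included, so the body must match the served markup byte for byte."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def new_nonce() -> str:
    """Fresh, unpredictable nonce; generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp_header(
    *,
    report_only: bool,
    nonce: Optional[str] = None,
    script_hashes: Sequence[str] = (),
    report_uri: Optional[str] = None,
) -> Tuple[str, str]:
    """Return (header name, header value).

    report_only=True selects Content-Security-Policy-Report-Only, which logs
    violations to report_uri without blocking anything; flip it to False once
    the reports are clean to enforce the identical policy. Inline scripts are
    allowed only via a nonce or a hash, never 'unsafe-inline'."""
    script_src = ["'self'"]
    if nonce:
        script_src.append(f"'nonce-{nonce}'")
    script_src.extend(script_hashes)
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",  # CSP replacement for X-Frame-Options
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)

if __name__ == "__main__":
    inline = "console.log('analytics bootstrap')"  # constructed inline script
    name, value = build_csp_header(
        report_only=True,
        nonce=new_nonce(),
        script_hashes=[csp_hash_for_inline_script(inline)],
        report_uri="/csp-report",
    )
    print(f"{name}: {value}")
```

Run it in report-only mode for a release cycle, review the violation reports, then call build_csp_header with report_only=False and the same arguments; the policy string does not change, only the header name does.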

Check which security headers your website is missing right now.

Real-World Examples

Missing security headers have contributed to some of the most high-profile breaches and fines in recent years:

Major Incidents

Incident | Missing Header | Impact
British Airways (2018) | CSP | Magecart attack stole 380,000 payment cards → £183M fine
Ticketmaster (2018) | CSP + SRI | Compromised third-party widget injected skimmer code
Multiple healthcare sites | HSTS | Downgrade attacks exposed patient data over HTTP
EU cookie consent violations | Referrer-Policy | URL tokens leaked to third-party analytics → GDPR fines

The British Airways Case

Attackers injected a malicious script into the BA checkout page because there was no Content Security Policy to restrict which scripts could execute. The script silently copied payment card details to an attacker-controlled server for 15 days, resulting in immense financial and reputational damage.

How to Detect Missing Headers

There are several ways to check whether your website has the right security headers in place:

  1. Use a comprehensive scanner: Enter any URL in the Security Headers Checker to get an instant analysis showing which headers are present, missing, and their configured values.
  2. Browser DevTools: Open DevTools → Network tab → click any request → view Response Headers. Look for HSTS, CSP, X-Frame-Options, and Referrer-Policy.
  3. Command Line Interface: Use `curl` to directly inspect headers from your terminal.

curl Check

curl -sI https://yoursite.com | grep -i "strict\|content-security\|x-frame\|referrer"

For a full privacy audit that also checks cookies and trackers, PII exposure, and GDPR signals, use the homepage scanner.

How to Fix Missing Headers

Headers are configured at the web server or CDN level. Here's where to add them based on your stack:

Configuration Locations

Platform | Configuration Location
Nginx | server block in nginx.conf
Apache | .htaccess or httpd.conf
Cloudflare | Transform Rules → HTTP Response Headers
Vercel | vercel.json headers array
Next.js | next.config.js headers() function
AWS CloudFront | Response Headers Policy

Web Server Snippets

Nginx Configuration Example

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Next.js next.config.js Example

module.exports = {
  async headers() {
    return [
      {
        // Apply to every route, not just the homepage
        source: '/(.*)',
        headers: [
          { key: 'X-Content-Type-Options', value: 'nosniff' },
          { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
        ],
      },
    ];
  },
};

Use the CSP Generator to build a Content Security Policy interactively without writing raw header strings.

Best Practices

  1. Start with HSTS and X-Content-Type-Options: these are safe to deploy immediately with minimal risk of breaking anything.
  2. Deploy CSP in Report-Only mode first: use Content-Security-Policy-Report-Only to log violations without blocking content.
  3. Set Referrer-Policy to strict-origin-when-cross-origin: this prevents URL data leaks while preserving internal analytics.
  4. Disable unused browser APIs: use Permissions-Policy to block camera, microphone, and geolocation access for third-party widgets.
  5. Add the “always” parameter to add_header in Nginx: without it, error pages (404, 500) won't include security headers.
  6. Automate monitoring: headers can be accidentally removed during deployments. Set up automated checks to catch regressions.
  7. Review headers quarterly: every time you add new third-party scripts or change hosting, re-validate your headers.

Common Mistakes

Configuration Pitfalls

  • Setting headers only on the homepage: Security headers must be present on every response, including API endpoints, error pages, and asset requests.
  • Using unsafe-inline in CSP: This defeats the entire purpose of CSP. Use nonces or hashes to whitelist specific inline scripts instead.
  • Forgetting subdomains in HSTS: Without includeSubDomains, attackers can exploit insecure subdomains to attack users.
  • Setting X-Frame-Options to ALLOW-FROM: This value is deprecated and not supported by modern browsers. Use CSP's frame-ancestors directive instead.
  • Not testing after deployment: Configuration changes can silently drop headers. Always verify with the Security Headers Checker after every deployment.

Header Conflict

If both your CDN and web server set the same header with different values, browsers may receive duplicate or conflicting instructions. Audit your full response chain to ensure consistency.
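A header audit over raw `curl -I` output, as an added Python example that serves both the detection steps earlier on the page and the pitfalls in this section (it is not the page's scanner or any project's code). It keeps every repeated occurrence of a header so CDN/origin duplicates and conflicts are visible, and flags the weak values listed under Common Mistakes: a short or subdomain-less HSTS max-age, 'unsafe-inline' in the script sources, the deprecated ALLOW-FROM, and a missing nosniff. The function names and the two sample responses are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Added example (not the page's scanner). Names and sample responses are constructed.

REQUIRED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
ONE_YEAR = 31536000

def parse_raw_headers(raw: str) -> Dict[str, List[str]]:
    """Parse `curl -I` style output into name -> [values]. Names are lower-cased
    (header names are case-insensitive) and every occurrence is kept, so a header
    set by both the CDN and the origin shows up twice."""
    headers: Dict[str, List[str]] = defaultdict(list)
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # blank separator or status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def _script_sources(csp: str) -> str:
    """Sources that govern scripts: script-src, falling back to default-src."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = " ".join(parts[1:])
    return directives.get("script-src", directives.get("default-src", ""))

def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    findings = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing: {name}")
    for name, values in headers.items():
        if len(values) > 1:
            kind = "conflict" if len(set(values)) > 1 else "duplicate"
            findings.append(f"{kind}: {name} sent {len(values)} times")
    if "strict-transport-security" in headers:
        # RFC 6797: browsers process only the first HSTS header, so audit that one.
        hsts = headers["strict-transport-security"][0].lower()
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < ONE_YEAR:
            findings.append("weak: strict-transport-security max-age below one year")
        if "includesubdomains" not in hsts:
            findings.append("weak: strict-transport-security lacks includeSubDomains")
    if "content-security-policy" in headers:
        if "'unsafe-inline'" in _script_sources(headers["content-security-policy"][0].lower()):
            findings.append("weak: content-security-policy allows 'unsafe-inline' scripts")
    if "x-frame-options" in headers:
        if headers["x-frame-options"][0].upper().startswith("ALLOW-FROM"):
            findings.append("deprecated: x-frame-options ALLOW-FROM; use CSP frame-ancestors")
    if "x-content-type-options" in headers:
        if headers["x-content-type-options"][0].lower() != "nosniff":
            findings.append("weak: x-content-type-options is not nosniff")
    return findings

# Constructed sample: origin and CDN both set HSTS with different values, CSP
# permits inline scripts, X-Frame-Options uses ALLOW-FROM, two headers are absent.
WEAK_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-frame-options: ALLOW-FROM https://partner.example
x-content-type-options: nosniff
"""

# Constructed sample with all six headers set to the example values from the table.
GOOD_RESPONSE = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=()
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit_headers(parse_raw_headers(raw)) or ["no findings"])
```

Feed it the saved output of curl -I against each endpoint class (pages, API routes, error pages, static assets) rather than only the homepage; a non-empty findings list from any of them is a regression worth failing a deployment on.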

Conclusion

Security headers are one of the highest-impact, lowest-effort security improvements you can make. They take minutes to configure, cost nothing, and protect your users against entire categories of attacks. They are also one of the first things checked during vendor security reviews and compliance audits.

Start by checking your current headers, then implement the fixes described above. Use Report-Only mode for CSP, and monitor your headers continuously to catch regressions.

Scan Your Website

Scan your website with SitePrivacyScore to detect missing security headers automatically. Our free scanner checks all critical headers and provides fix instructions for your specific stack.

Frequently Asked Questions

Are security headers required by GDPR?
While not explicitly named, the GDPR requires 'appropriate technical measures' to ensure data security. Security headers are considered an industry-standard technical measure that auditors and regulators expect to see.

Can security headers break my website?
Yes. Strict headers like CSP or HSTS can break functionality if implemented incorrectly. Start with Report-Only mode and test thoroughly before enforcing.

How do I check my security headers?
Use the free Security Headers Checker tool on SitePrivacyScore. Enter your URL and get an instant analysis of all present and missing headers.

Does Cloudflare add security headers automatically?
Cloudflare adds some headers by default, but most require manual configuration through Page Rules or Transform Rules. Always verify with a scanner.

Which security header is most important?
Content-Security-Policy (CSP) is widely considered the most impactful because it directly prevents XSS attacks. However, HSTS is equally critical for preventing downgrade attacks.

Do security headers affect SEO or page speed?
No. Security headers add negligible bytes to the HTTP response and have zero impact on page rendering speed. They can indirectly improve SEO because Google considers HTTPS and security to be ranking factors.

How often should I review my security headers?
Review them quarterly, or whenever you add new third-party scripts, change hosting providers, or modify your CDN configuration. Automated monitoring is ideal.

Audit Your Website's Security Headers

Missing headers are the #1 finding in vendor security reviews. Scan your site to see exactly what's missing and get fix instructions.

For deeper runtime checks, run the full privacy audit.