Security headers are HTTP response headers that instruct browsers to enable (or disable) security features. They're your first line of defense against XSS attacks, clickjacking, data injection, and MIME sniffing. Most websites are missing critical security headers — leaving their visitors vulnerable.
The 5 Essential Security Headers
1. Content-Security-Policy (CSP)
CSP prevents Cross-Site Scripting (XSS) by specifying which sources of content are allowed to load on your page. It's the most powerful — and most complex — security header.
```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com
```

Key directives:

- default-src: Fallback for all resource types
- script-src: Where JavaScript can load from
- style-src: Where CSS can load from
- img-src: Where images can load from
- connect-src: Where fetch/XHR requests can go
- frame-ancestors: Who can embed your site (replaces X-Frame-Options)
2. Strict-Transport-Security (HSTS)
Forces browsers to always use HTTPS, preventing downgrade attacks and cookie hijacking.
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

- max-age=31536000: Remember for 1 year
- includeSubDomains: Apply to all subdomains
- preload: Submit to browser preload lists for maximum protection
3. X-Frame-Options
Prevents your site from being embedded in iframes, protecting against clickjacking attacks.
```http
X-Frame-Options: DENY
```

Options: DENY (never allow), SAMEORIGIN (only same domain), or use CSP's frame-ancestors for more control.
4. X-Content-Type-Options
Prevents browsers from MIME-sniffing — guessing the content type and potentially executing malicious files.
```http
X-Content-Type-Options: nosniff
```

This is a one-liner with no configuration needed. Always include it.
5. Referrer-Policy
Controls what information is sent in the Referer header when navigating away from your site.
```http
Referrer-Policy: strict-origin-when-cross-origin
```

This sends only the origin (scheme and host) for cross-origin requests but the full URL for same-origin requests, a good balance of functionality and privacy.
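To check what a server actually sends against the five headers above, here is an added example (not part of the original article or of the PrivacyChecker tool): it parses the CSP and HSTS values, applies the article's recommendations to a constructed sample response, and returns a list of what falls short.

```python
import re
from typing import Dict, List

# Constructed sample response headers (not from any real site): some essentials present, some weak, some missing.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data: https:",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]}; browsers honour the first of duplicate directives."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Check the five essential headers and return findings (an empty list means all five are acceptable)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # HTTP header names are case-insensitive
    findings: List[str] = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src; 'unsafe-inline', 'unsafe-eval' or * undo the XSS protection
        scripts = csp.get("script-src", csp.get("default-src", []))
        weak = [t for t in scripts if t in ("'unsafe-inline'", "'unsafe-eval'", "*")]
        if weak:
            findings.append("CSP script sources allow " + " ".join(weak))
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("No clickjacking protection (frame-ancestors or X-Frame-Options)")
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not max_age:
        findings.append("Strict-Transport-Security missing")
    elif int(max_age.group(1)) < 31536000:  # the recommended one year
        findings.append("HSTS max-age shorter than one year")
    if max_age and "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or weaker than recommended")
    return findings
```

Calling audit_headers(SAMPLE_HEADERS) reports five findings for the sample; feed it the headers of a real response (for example from a requests.Response.headers mapping) to audit a live site.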
Additional Recommended Headers
| Header | Value | Purpose |
|---|---|---|
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Disable unused browser APIs |
| X-XSS-Protection | 0 | Disable legacy XSS filter (CSP is better) |
| Cross-Origin-Embedder-Policy | require-corp | Only load cross-origin resources that opt in via CORS or CORP |
| Cross-Origin-Opener-Policy | same-origin | Isolate browsing context |
Implementation by Platform
Next.js / Vercel
Add headers in next.config.js (the headers() function is exported as part of the config object):

```js
// next.config.js
module.exports = {
  async headers() {
    return [{
      // Apply to every route
      source: '/(.*)',
      headers: [
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
      ],
    }];
  },
};
```

Nginx
```nginx
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

Apache (.htaccess)
```apache
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

Security Grade
PrivacyChecker analyzes your security headers and grades your implementation. Most websites score D or F on their first scan. Implementing the 5 essential headers takes under 5 minutes and immediately improves your security posture. Our Pro plans provide specific implementation instructions for your platform.