Core Security Headers Overview
Modern web applications should implement several essential security headers, each addressing specific vulnerability classes:
Content-Security-Policy (CSP): Declares which origins may supply scripts, styles, images, frames and other resources, and whether inline code may run. A policy that restricts script-src to trusted origins (or to nonces/hashes) is the strongest browser-side mitigation for XSS and other content-injection attacks, but it is a mitigation, not a fix for the underlying injection bug. In the example below, 'unsafe-inline' is tolerated for style-src as a common concession to legacy CSS; it should never appear in script-src, where it disables the protection.
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'
Strict-Transport-Security (HSTS): Tells a browser that has seen the header to rewrite every future request to the origin to HTTPS for max-age seconds and to refuse to click through certificate errors, which defeats SSL-stripping downgrade attacks and cleartext cookie theft. Browsers only honour the header when it arrives over a valid HTTPS connection. The preload token signals eligibility for the browsers' built-in preload lists; inclusion is hard to reverse, so add it only once every subdomain is served over HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: Prevents clickjacking by controlling whether your pages can be embedded in frames; DENY forbids all framing, SAMEORIGIN allows framing only by your own origin. It is a legacy header: modern browsers honour the CSP frame-ancestors directive instead, which also supports a list of permitted origins, so send frame-ancestors in your CSP and keep X-Frame-Options for older clients.
X-Frame-Options: DENY
X-Content-Type-Options: Prevents MIME type sniffing, ensuring browsers respect the declared content type.
X-Content-Type-Options: nosniff
Referrer-Policy: Controls how much of the current URL is sent in the Referer header when navigating or fetching from your site. strict-origin-when-cross-origin sends the full URL for same-origin requests, only the origin for cross-origin requests, and nothing when going from HTTPS to HTTP, so path and query-string data (session tokens in URLs, internal identifiers) do not leak to third parties.
Referrer-Policy: strict-origin-when-cross-origin
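The five headers above, as an added example that is not part of this article: a dependency-free Node.js module that builds the header set and audits a response for missing or weakened values (a short HSTS max-age, 'unsafe-inline' in script-src, a permissive Referrer-Policy, and so on). The header values are the article's; the function names, the audit thresholds and the constructed weak response are assumptions of this example, and https://trusted-cdn.com is the article's placeholder host.

```javascript
// Added example (not from the original article): build the baseline header set
// and audit a response's headers for missing or weakened values.
// Header values come from the article; function names, thresholds and the
// constructed sample responses are this example's own assumptions.

const ONE_YEAR_SECONDS = 31536000;

// Baseline header set from the article. With Express: res.set(securityHeaders()).
function securityHeaders(scriptHosts = ["https://trusted-cdn.com"]) {
  return {
    "Content-Security-Policy":
      `default-src 'self'; script-src 'self' ${scriptHosts.join(" ")}; ` +
      "style-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload`,
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Parse a CSP header into { directive: [source, ...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Audit a header map (names in any case) and return a list of findings.
// An empty list means all five headers are present with strong values.
function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value).trim();
  const findings = [];
  let frameAncestors = null;

  // CSP: script sources must not fall back to inline or wildcard loading.
  if (!h["content-security-policy"]) {
    findings.push("CSP missing");
  } else {
    const csp = parseCsp(h["content-security-policy"]);
    const scriptSrc = csp["script-src"] || csp["default-src"] || [];
    frameAncestors = csp["frame-ancestors"] || null;
    // A nonce or hash in the list makes CSP3 browsers ignore 'unsafe-inline', so only flag it without one.
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.length === 0) findings.push("CSP has neither script-src nor default-src");
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("CSP script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("*")) findings.push("CSP script-src allows *");
  }

  // HSTS: at least one year, covering subdomains.
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("HSTS missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!/includesubdomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }

  // Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a restrictive CSP frame-ancestors.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  const cspRestrictsFraming = frameAncestors !== null && !frameAncestors.includes("*");
  if (!["DENY", "SAMEORIGIN"].includes(xfo) && !cspRestrictsFraming) {
    findings.push("no framing restriction (X-Frame-Options or CSP frame-ancestors)");
  }

  // MIME sniffing.
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }

  // Referrer: browsers apply the last recognised policy in a comma-separated list.
  const SAFE_REFERRER = new Set(["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]);
  const referrer = (h["referrer-policy"] || "").split(",").pop().trim().toLowerCase();
  if (!SAFE_REFERRER.has(referrer)) {
    findings.push(`Referrer-Policy "${referrer || "(missing)"}" can leak full URLs cross-origin`);
  }

  return findings;
}

// Constructed sample: every header is present but weakened.
const WEAK_RESPONSE = {
  "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOW-FROM https://example.com",
  "X-Content-Type-Options": "",
  "Referrer-Policy": "unsafe-url",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("baseline:", auditHeaders(securityHeaders()));
  console.log("weak:", auditHeaders(WEAK_RESPONSE));
}
```

Run it against a live site by feeding it the object from res.getHeaders() in a Node fetch/HTTP client, or paste a curl -I dump into the map. The audit deliberately treats frame-ancestors as an acceptable substitute for X-Frame-Options, and only flags 'unsafe-inline' in script-src when no nonce or hash is present, because browsers that understand nonces ignore 'unsafe-inline' in that case.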