5 API Security Headers You Should Use in 2026
Your API might be fast, scalable, and perfectly documented — but if you are missing these security headers, you are leaving clients exposed.
As of February 2026, these five headers are essential for any production API:
1. Strict-Transport-Security (HSTS)
Tells browsers to connect to your domain over HTTPS only, for as long as max-age says. Simple, effective, non-negotiable.
```javascript
// Express.js
const express = require("express");
const app = express();

app.use((req, res, next) => {
  res.setHeader(
    "Strict-Transport-Security",
    "max-age=31536000; includeSubDomains"
  );
  next();
});
```
What it prevents: Downgrade attacks, cookie hijacking.
2. Content-Security-Policy (CSP)
Controls which sources a page may load scripts, styles and other resources from. Critical for APIs that serve HTML.
```javascript
// CSP keywords such as 'self' must be single-quoted; an unquoted self is
// treated as a host name and matches nothing.
res.setHeader(
  "Content-Security-Policy",
  "default-src 'self'; script-src 'self' https://trusted.cdn.com"
);
```
What it prevents: XSS, data injection attacks.
3. X-Content-Type-Options
Stops browsers from sniffing MIME types. Forces them to respect your Content-Type.
```javascript
res.setHeader("X-Content-Type-Options", "nosniff");
```
What it prevents: MIME-type sniffing attacks.
4. X-Frame-Options
Controls whether your API responses can be embedded in frames.
```javascript
res.setHeader("X-Frame-Options", "DENY");
// ALLOW-FROM is obsolete and ignored by current browsers; to allow specific
// domains, use the CSP frame-ancestors directive instead (merge it with any
// other CSP directives you already send):
res.setHeader("Content-Security-Policy", "frame-ancestors https://yourapp.com");
```
What it prevents: Clickjacking attacks.
5. Permissions-Policy
Controls which browser features (camera, microphone, geolocation, and so on) pages served from your origin may use. The 2026 standard.
```javascript
res.setHeader(
  "Permissions-Policy",
  "camera=(), microphone=(), geolocation=()"
);
```
What it prevents: Unwanted feature access, privacy leaks.
Quick Win: Set All at Once
```javascript
const express = require("express");
const app = express();

const securityHeaders = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Permissions-Policy": "camera=(), microphone=()"
};

app.use((req, res, next) => {
  Object.entries(securityHeaders).forEach(([key, value]) => {
    res.setHeader(key, value);
  });
  next();
});
```
These headers take 30 seconds to add and could prevent a serious breach. No excuse.
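As an added example that is not part of the original post, the following takes the "Set All at Once" middleware a step further and also covers the CSP section: it becomes a small factory that sends a stricter policy on JSON endpoints (which never need to load sub-resources) than on HTML pages, and it pairs the middleware with an audit function that flags the mistakes these snippets are prone to: unquoted CSP keywords, the obsolete ALLOW-FROM value, a short HSTS max-age, and missing headers. It assumes only an Express-style (req, res, next) signature with res.setHeader; the fakeResponse helper and the sloppyHeaders sample are constructed here so the code runs without a server.

```javascript
// Added example, not code from the original post. Assumes an Express-style
// middleware signature (req, res, next) with res.setHeader; fakeResponse()
// below stands in for a real response so everything runs offline.

const ONE_YEAR = 31536000;
// HSTS is only honored when the response itself arrives over HTTPS.
const HSTS = `max-age=${ONE_YEAR}; includeSubDomains`;

// CSP keywords ('self', 'none') must be single-quoted; an unquoted self is
// parsed as a host name and silently weakens the policy. frame-ancestors is
// the modern replacement for X-Frame-Options: ALLOW-FROM.
const CSP_HTML =
  "default-src 'self'; script-src 'self' https://trusted.cdn.com; frame-ancestors 'none'";
// A JSON-only endpoint loads no sub-resources at all, so deny everything.
const CSP_JSON = "default-src 'none'; frame-ancestors 'none'";

// Middleware factory: app.use("/docs", securityHeaders({ html: true }));
//                     app.use("/api",  securityHeaders());
function securityHeaders({ html = false } = {}) {
  return function (req, res, next) {
    res.setHeader("Strict-Transport-Security", HSTS);
    res.setHeader("Content-Security-Policy", html ? CSP_HTML : CSP_JSON);
    res.setHeader("X-Content-Type-Options", "nosniff");
    // Current browsers only understand DENY and SAMEORIGIN here.
    res.setHeader("X-Frame-Options", "DENY");
    res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
    next();
  };
}

// Audit a header map (as a client or a test sees it) and return findings;
// an empty list means all five headers are present and well-formed.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  for (const name of ["strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options", "permissions-policy"]) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }
  const hsts = h["strict-transport-security"];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push("hsts max-age below one year");
  }
  const csp = h["content-security-policy"];
  if (csp) {
    // A bare keyword sitting between separators is the unquoted-'self' mistake.
    if (/(^|[\s;])(self|none|unsafe-inline|unsafe-eval)(?=[\s;]|$)/.test(csp)) {
      findings.push("csp keyword must be quoted, e.g. 'self'");
    }
    if (/'unsafe-inline'/.test(csp)) findings.push("csp allows 'unsafe-inline'");
  }
  const xfo = h["x-frame-options"];
  if (xfo && !/^(DENY|SAMEORIGIN)$/i.test(xfo.trim())) {
    findings.push("x-frame-options value not supported by current browsers; use CSP frame-ancestors");
  }
  const xcto = h["x-content-type-options"];
  if (xcto && xcto.trim().toLowerCase() !== "nosniff") {
    findings.push("x-content-type-options must be nosniff");
  }
  return findings;
}

// Minimal stand-in for an Express response object (constructed for this example).
function fakeResponse() {
  const headers = {};
  return { headers, setHeader: (k, v) => { headers[k] = v; }, getHeader: (k) => headers[k] };
}

// Run the middleware against a fake response and return the headers it set.
function runMiddleware(opts) {
  const res = fakeResponse();
  let nextCalled = false;
  securityHeaders(opts)({}, res, () => { nextCalled = true; });
  if (!nextCalled) throw new Error("middleware did not call next()");
  return res.headers;
}

// Constructed sample reproducing the two mistakes discussed above (unquoted
// self, obsolete ALLOW-FROM); three of the five headers are missing as well.
const sloppyHeaders = {
  "Content-Security-Policy": "default-src self",
  "X-Frame-Options": "ALLOW-FROM https://yourapp.com",
};

console.log("api endpoint findings:", auditHeaders(runMiddleware()));
console.log("sloppy findings:", auditHeaders(sloppyHeaders));
```

Wiring auditHeaders into an integration test that fetches a real endpoint and passes the response headers in gives you a regression check that the middleware is actually mounted on every route, which is the failure mode "set all at once" is meant to prevent.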