Security Headers Are Your First Line of Defense
Security headers are your API's first line of defense. As of February 2026, proper header configuration lets the browser block most common attacks before they ever reach your application logic.
1. Strict-Transport-Security (HSTS)
Tells browsers to use HTTPS only for this host for the stated period, so later requests are never sent over plain HTTP. Without it, a user who types or follows a plain http:// link can have that first request intercepted on an insecure network.
```javascript
// Express example: add HSTS to every response
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  next();
});
```
Best practice: Set max-age to at least 1 year (31536000 seconds).
2. Content-Security-Policy (CSP)
Tells the browser which sources it may load scripts, styles and other resources from. Mitigates XSS: the policy below lists no 'unsafe-inline', so the browser refuses to run inline scripts and an injected <script> tag does nothing.
```javascript
// Only same-origin resources, plus scripts from one named CDN
res.setHeader('Content-Security-Policy',
  "default-src 'self'; script-src 'self' https://trusted.cdn.com");
```
3. X-Content-Type-Options
Stops browsers from MIME-sniffing: the response is handled as the Content-Type you declare, so a body that happens to look like HTML or JavaScript is not rendered or executed as such when you serve it as something else.
```javascript
res.setHeader('X-Content-Type-Options', 'nosniff');
```
4. X-Frame-Options
Protects against clickjacking by controlling whether the browser may render your response inside a frame or iframe on another page.
```javascript
res.setHeader('X-Frame-Options', 'DENY'); // or 'SAMEORIGIN' to allow framing by your own pages only
```
5. Access-Control-Allow-Origin (CORS)
Controls which origins a browser will allow to read responses from your API. Be specific: never use * in production.
```javascript
// Name the one origin that may call the API, and the methods and headers it may use
res.setHeader('Access-Control-Allow-Origin', 'https://yourapp.com');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
```
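The five snippets above each set one header in isolation. The following is an added example, not code from the original post, that combines them into a single middleware and handles two details the one-liners leave out: browsers ignore Strict-Transport-Security on plain-HTTP responses, so it is only emitted when the connection is TLS, and Access-Control-Allow-Origin can carry only one origin, so a list of allowed front-ends is handled by exact-matching the request's Origin header and echoing that single value back (with Vary: Origin so caches do not serve one origin's answer to another). The function names `buildSecurityHeaders` and `securityHeaders`, the option names, and the `app` object in the usage comment are this example's own assumptions.

```javascript
// Added example (not from the original post): one middleware that sets the five
// headers discussed above. Works with Express (app.use(securityHeaders({...})))
// or a plain node:http handler, since it only uses req.headers, req.secure /
// req.socket.encrypted and res.setHeader. Names below are this example's own.

const ONE_YEAR_SECONDS = 31536000; // the post's recommended HSTS max-age

// Pure function: computes the headers for one response. Kept separate from the
// middleware so it can be checked without starting a server.
function buildSecurityHeaders({ secure, origin, allowedOrigins = [], scriptCdn }) {
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    // No 'unsafe-inline', so the browser refuses injected inline scripts
    'Content-Security-Policy':
      `default-src 'self'; script-src 'self'${scriptCdn ? ' ' + scriptCdn : ''}`,
  };

  // Browsers ignore HSTS received over plain HTTP, so only emit it over TLS.
  if (secure) {
    headers['Strict-Transport-Security'] = `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`;
  }

  // CORS: the header may name only one origin, so exact-match the request's
  // Origin against the allowlist and echo that value. Never reflect an unknown origin.
  if (origin && allowedOrigins.includes(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin'; // stop caches serving one origin's answer to another
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  }
  return headers;
}

// Express-style middleware factory: (req, res, next) => void
function securityHeaders(options = {}) {
  return function (req, res, next) {
    // req.secure is set by Express (honouring 'trust proxy'); node:http exposes
    // socket.encrypted on TLS connections.
    const secure = req.secure === true || Boolean(req.socket && req.socket.encrypted);
    const headers = buildSecurityHeaders({
      secure,
      origin: req.headers && req.headers.origin,
      allowedOrigins: options.allowedOrigins,
      scriptCdn: options.scriptCdn,
    });
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (typeof next === 'function') next();
  };
}

// Usage with Express (assumed app object):
//   app.use(securityHeaders({ allowedOrigins: ['https://yourapp.com'],
//                             scriptCdn: 'https://trusted.cdn.com' }));
```

Requests whose Origin is not on the allowlist simply get no Access-Control-* headers, which makes the browser refuse the cross-origin read; the API itself still answers, so server-side authentication is unaffected either way.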
Quick Win: Use Helmet
Instead of setting headers manually, use the helmet package:
```shell
npm install helmet
```
```javascript
import helmet from 'helmet';
app.use(helmet()); // register before your routes so every response gets the headers
```
Helmet sets 11 security headers automatically, including all five above.
Test Your Headers
Check your API at securityheaders.com or use curl:
```shell
curl -I https://your-api.com
```
Look for the headers in the response. If they're missing, add them today.
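Reading a header dump by eye is fine once, but it is easy to miss a short max-age or a stray wildcard. The following is an added example, not code from the original post, that parses the raw output of `curl -I` and audits it against the five headers discussed above; the sample response embedded in it is constructed for the example, and the function names are this example's own. Note that `curl -I` sends a HEAD request; if your API answers HEAD differently from GET, capture a GET's headers instead with `curl -sS -D - -o /dev/null https://your-api.com` and feed that to the same parser.

```javascript
// Added example (not from the original post): parse `curl -I` output and audit
// the five headers the post covers. Function names are this example's own.

// Constructed sample of a weak response: short HSTS, no CSP, no X-Frame-Options,
// and a wildcard CORS origin.
const SAMPLE_CURL_OUTPUT = [
  'HTTP/2 200',
  'content-type: application/json',
  'strict-transport-security: max-age=86400',
  'x-content-type-options: nosniff',
  'access-control-allow-origin: *',
  '',
].join('\r\n');

// Turn the header block into a map keyed by lowercase header name.
// The first line is the status line and is skipped; repeated headers are joined.
function parseCurlHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 1) continue; // blank line or malformed
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Extract max-age from an HSTS value; null when the header or directive is absent.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*(\d+)/i.exec(value || '');
  return m ? Number(m[1]) : null;
}

// Returns a list of findings; an empty list means all five checks passed.
function auditHeaders(h) {
  const findings = [];
  const maxAge = hstsMaxAge(h['strict-transport-security']);
  if (maxAge === null) findings.push('Strict-Transport-Security missing');
  else if (maxAge < 31536000) findings.push(`Strict-Transport-Security max-age ${maxAge} is below one year`);

  if (!h['content-security-policy']) findings.push('Content-Security-Policy missing');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');

  if (h['access-control-allow-origin'] === '*') findings.push('Access-Control-Allow-Origin is the wildcard *');
  return findings;
}

// Audit the constructed sample; in practice pass the text captured from curl.
function auditSample() {
  return auditHeaders(parseCurlHeaders(SAMPLE_CURL_OUTPUT));
}

console.log(auditSample());
```

If the audit reports the CORS header missing even though Helmet is installed, that is expected: Helmet does not set Access-Control-* headers, so those come from the cors package or from your own middleware.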