This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.
HTTP Security Headers Checklist
Why Security Headers Matter
HTTP security headers are the first line of defense for any web application. They tell the browser how to behave when rendering your content, preventing a wide range of attacks including cross-site scripting (XSS), clickjacking, MIME-type sniffing, and protocol downgrade attacks. Many of these headers are easy to implement yet remain missing on the majority of production websites.
Essential Headers
Strict-Transport-Security
Instructs the browser to use HTTPS for every subsequent request to the domain, preventing man-in-the-middle attacks and protocol downgrades.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Set max-age to at least 1 year (31536000 seconds) once you are confident HTTPS is stable. includeSubDomains extends protection to all subdomains. preload signals that the domain may be submitted to the browsers' built-in HSTS preload lists, which closes the gap before the browser has seen its first HTTPS response.
Content-Security-Policy
The most powerful defense against XSS attacks. CSP restricts which resources the browser can load and execute.
Content-Security-Policy: default-src 'self';
script-src 'self' https://analytics.example.com;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
form-action 'self'
Start with a report-only policy to identify violations before enforcing:
Content-Security-Policy-Report-Only: default-src 'self';
report-uri /csp-violations
X-Content-Type-Options
Stops the browser from guessing a response's type from its content instead of trusting the declared Content-Type, a behaviour that can otherwise be used to bypass content-type checks.
X-Content-Type-Options: nosniff
X-Frame-Options
Prevents clickjacking by controlling whether your page can be embedded in a frame.
X-Frame-Options: DENY
Use DENY to block all framing, or SAMEORIGIN to allow framing only by pages on the same origin. Browsers that support the CSP frame-ancestors directive give it precedence over X-Frame-Options, so keep the two consistent.
Referrer-Policy
Controls how much referrer information is included with requests.
Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL as referrer for same-origin requests, only the origin for cross-origin requests, and nothing when navigating from HTTPS to HTTP.
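An added example, not from the original article: a small Python audit that checks a set of response headers against the checklist above. The header values are constructed for the example; the one-year HSTS threshold (31536000 seconds) and the accepted Referrer-Policy values follow the article.

```python
import re

# Constructed sample response headers (not captured from a real site).
# Header names are compared case-insensitively, as HTTP requires.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; "
                               "script-src 'self' https://analytics.example.com; "
                               "style-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Referrer policies that never leak the full path cross-origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HSTS: must be present with max-age of at least one year.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS missing")
    elif int(m.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    # CSP: script sources fall back to default-src when script-src is absent.
    p = parse_csp(h.get("content-security-policy", ""))
    if not p:
        findings.append("CSP missing")
    scripts = p.get("script-src", p.get("default-src", []))
    if "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append("CSP allows inline or wildcard scripts")
    # Framing: either frame-ancestors or a restrictive X-Frame-Options.
    if "frame-ancestors" not in p and \
            h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaky")
    return findings
```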
Recommended Headers