What Are HTTP Security Headers?
HTTP security headers are directives sent by the server to the browser that tell it how to behave when rendering your website. Think of them as your website's immune system: they stop the browser from carrying out actions that would harm your users, even when hostile content has made it into the page.
Yet according to recent scans, over 78% of websites are missing at least one critical security header. Here are the 5 you absolutely need:
1. Strict-Transport-Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This tells the browser to ALWAYS use HTTPS, with no exceptions. Even if a user types http:// manually, the browser rewrites the request to HTTPS before it is sent.
Impact: Prevents SSL-strip attacks where an attacker downgrades your HTTPS connection to HTTP on a public WiFi network.
2. Content-Security-Policy (CSP)
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
CSP is your most powerful defense against XSS (Cross-Site Scripting). It tells the browser exactly which sources of content are trusted. Any script from an untrusted domain gets blocked.
Impact: Even if an attacker injects an inline <script> tag into your page, the browser refuses to execute it.
3. X-Frame-Options
X-Frame-Options: SAMEORIGIN
Prevents your site from being embedded in an <iframe> on other domains.
Impact: Stops clickjacking attacks where an attacker overlays transparent buttons on top of your site in an invisible iframe.
4. X-Content-Type-Options
X-Content-Type-Options: nosniff
Prevents browsers from MIME-sniffing, that is, guessing the content type of a response instead of trusting the declared Content-Type.
Impact: If you serve script.js with Content-Type: text/plain, the browser won't execute it as JavaScript because you explicitly told it not to sniff.
5. Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin
Controls how much referrer information is sent when users click links to other sites.
Impact: Prevents leaking sensitive URL parameters (like session tokens in query strings) to third-party sites.
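The following is an added example, not code from the original post or from the scanner it links to: a small Python checker that audits a set of response headers against the five recommendations above (one-year HSTS with includeSubDomains, a CSP whose script-src does not allow 'unsafe-inline' or '*', X-Frame-Options set to DENY or SAMEORIGIN, nosniff, and a Referrer-Policy that does not leak full URLs). The two header sets at the bottom are constructed samples, not captured from any real site; fetch_headers() is an optional helper for pointing it at your own server.

```python
"""Audit the five security headers from the post. Added example, not the
post's or the linked scanner's code."""
import urllib.request
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds, the max-age the post recommends for HSTS


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _directives(value: str) -> Dict[str, str]:
    """Split 'max-age=1; includeSubDomains' into {'max-age': '1', 'includesubdomains': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def _csp_sources(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [source tokens]}, lower-cased."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all five checks pass."""
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = _directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains not set")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        sources = _csp_sources(csp)
        # script-src falls back to default-src when absent, as browsers do.
        script = sources.get("script-src", sources.get("default-src"))
        if script is None:
            findings.append("CSP: neither script-src nor default-src set; scripts are unrestricted")
        else:
            if "'unsafe-inline'" in script:
                findings.append("CSP: script-src allows 'unsafe-inline', which defeats the XSS protection")
            if "*" in script:
                findings.append("CSP: script-src allows scripts from any host (*)")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo!r}")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: not set to nosniff")

    rp = _get(headers, "Referrer-Policy")
    leaky = {"unsafe-url", "no-referrer-when-downgrade", ""}
    if rp is None:
        findings.append("Referrer-Policy: header missing (browser default applies)")
    elif rp.lower() in leaky:
        findings.append(f"Referrer-Policy: {rp!r} can send full URLs to third-party sites")

    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a URL's response headers with a HEAD request (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed samples (not captured from a real server).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or "all five checks pass")
```

Two caveats the checker cannot see for you: the browser only honours HSTS after it has received the header over an HTTPS response (or the domain is on the preload list), so the first plain-HTTP visit is still unprotected; and X-Frame-Options is only the legacy half of clickjacking defence, since modern browsers also read a CSP frame-ancestors directive, which this script does not evaluate.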
How to Check Your Site
You can check all of these headers (plus 20+ other security checks) instantly with a free online scanner:
🔍 WebSec Scanner Pro → http://sec.92888888.xyz/scan?url=https://your-site.com
It checks:
- ✅ All 7 critical security headers (HSTS, CSP, XFO, XCTO, XSS-Protection, Referrer-Policy, Permissions-Policy)
- ✅ Open ports analysis
- ✅ Risk score calculation
- ✅ Actionable fix recommendations
No registration, no email required. Just paste your URL and get a full report in seconds.
For production environments, I also offer professional security audits starting at $49 — covering manual code review, OWASP Top 10 testing, and configuration hardening. Contact me at jhonwind2023@gmail.com for details.
Stay safe out there.