
Dev Nestio

Posted on • Originally published at devnestio.pages.dev

HTTP Security Headers Reference: 11 Headers, Risk Levels, and Code Snippets

Security response headers are one of the highest-ROI security measures you can take — low configuration cost, significant attack surface reduction. But there are 11 of them to know, each with its own quirks.

I built a reference tool covering all 11, with risk levels, what attacks they prevent, recommended values, and copy-ready code for Express, nginx, and Apache.

Tool

HTTP Security Headers Reference
https://devnestio.pages.dev/security-headers-ref/

Filter by risk level (Critical / High / Medium / Low), search by name or description, switch between framework snippets.

The 11 Headers

Critical

Strict-Transport-Security (HSTS)

Tells browsers to connect to the site over HTTPS only, for the stated duration. Prevents SSL stripping and the downgrade-based MitM attacks that rely on it.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Start with max-age=300 (5 min) to test, then ramp up. preload requires registration at hstspreload.org.

Content-Security-Policy (CSP)

Restricts the sources from which the page may load scripts, styles, images, and frames. Mitigates XSS and data injection.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'

Use Content-Security-Policy-Report-Only to test without enforcing.

High

X-Frame-Options

Prevents clickjacking by controlling whether pages can be embedded in frames.

X-Frame-Options: DENY

Modern alternative: use frame-ancestors 'none' in CSP instead, keeping XFO as a fallback for old browsers.

X-Content-Type-Options

Disables MIME sniffing. Prevents browsers from interpreting a text file as JavaScript.

X-Content-Type-Options: nosniff

nosniff is the only valid value. No compatibility issues — add it to everything.

Medium

Referrer-Policy

Controls what the Referer header contains when the browser navigates to, or requests resources from, another site. Prevents leaking URL parameters or session tokens.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy (formerly Feature-Policy)

Disables browser APIs you do not need: camera, microphone, geolocation, payment.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Cross-Origin Trio: COEP, COOP, CORP

Protect against Spectre-style side-channel attacks and XS-Leaks:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

COOP and COEP together are what modern browsers require before they expose SharedArrayBuffer. Note that require-corp blocks any cross-origin subresource that does not opt in via CORP or CORS, so test before enforcing.

Low

X-XSS-Protection

Enabled the XSS filter in older browsers. Modern browsers have removed the XSS auditor, so the recommended value is now 0 when you have CSP:

X-XSS-Protection: 0

Cache-Control (for sensitive responses)

Prevents browsers, CDNs and proxies from caching private data:

Cache-Control: no-store, private

Quick Implementation with Helmet (Node.js)

npm install helmet

const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet() sets HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
// X-XSS-Protection: 0, a default CSP and more. Its defaults differ from the
// values above (X-Frame-Options: SAMEORIGIN, Referrer-Policy: no-referrer),
// so pass the options you want here instead of stacking a second middleware.
app.use(helmet({
  // CSP needs customization for your app
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      frameAncestors: ["'none'"],
    },
  },
  frameguard: { action: 'deny' },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}));

app.get('/', (req, res) => res.send('ok'));
app.listen(3000);

nginx — Set All at Once

# add_header is not inherited into a location {} that declares its own add_header;
# repeat this set there (or put it in an included snippet) so nothing is silently dropped.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; frame-ancestors 'none'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header X-XSS-Protection "0" always;

The Low-Hanging Fruit

If you configure nothing else today, add these four — they are trivial to set and have no side effects, apart from HSTS with includeSubDomains committing every subdomain to HTTPS, so ramp max-age up as described above:

  1. X-Content-Type-Options: nosniff
  2. X-Frame-Options: DENY
  3. Referrer-Policy: strict-origin-when-cross-origin
  4. Strict-Transport-Security: max-age=31536000; includeSubDomains

Then tackle CSP when you have time to test it in report-only mode.
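To check a deployment against the values above, here is an added example (not code from the original post or the reference tool): a small Node.js audit that takes a response's headers as a plain object and groups its findings by the post's risk levels. The checks and the sample headers are constructed for illustration; feed it the headers from a real response (for example `res.headers` from `https.get`) to audit your own server.

```javascript
// Added example, not code from the original post: audit one response's headers
// against the values recommended above. Names match case-insensitively; each
// check returns null when the header is acceptable, otherwise a finding string.
const ONE_YEAR = 31536000;
const val = (v) => (v || '').trim();
const CHECKS = [
  ['Critical', 'strict-transport-security', (v) => {
    const m = /max-age=(\d+)/i.exec(v || '');
    if (!m) return 'missing';
    if (Number(m[1]) < ONE_YEAR) return `max-age ${m[1]} is below one year`;
    return /includeSubDomains/i.test(v) ? null : 'includeSubDomains not set';
  }],
  ['Critical', 'content-security-policy', (v) => {
    if (!v) return 'missing (Report-Only does not enforce)';
    if (!/(^|;)\s*default-src\s/i.test(v)) return 'no default-src fallback';
    return /script-src[^;]*'unsafe-inline'/i.test(v) ? "script-src allows 'unsafe-inline'" : null;
  }],
  // X-Frame-Options may be absent when CSP frame-ancestors already covers clickjacking.
  ['High', 'x-frame-options', (v, h) =>
    v || /frame-ancestors/i.test(h['content-security-policy'] || '') ? null : 'missing and CSP has no frame-ancestors'],
  ['High', 'x-content-type-options', (v) => (val(v).toLowerCase() === 'nosniff' ? null : 'should be nosniff')],
  ['Medium', 'referrer-policy', (v) =>
    /^(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)$/i.test(val(v)) ? null : 'missing or leaks the full URL cross-origin'],
  ['Medium', 'permissions-policy', (v) => (v ? null : 'missing')],
  ['Medium', 'cross-origin-opener-policy', (v) => (/^same-origin(-allow-popups)?$/i.test(val(v)) ? null : 'should be same-origin')],
  ['Medium', 'cross-origin-embedder-policy', (v) => (/^(require-corp|credentialless)$/i.test(val(v)) ? null : 'should be require-corp')],
  ['Medium', 'cross-origin-resource-policy', (v) => (/^same-(origin|site)$/i.test(val(v)) ? null : 'should be same-origin')],
  // Absent is fine (modern browsers dropped the auditor); any non-zero value is not.
  ['Low', 'x-xss-protection', (v) => (v && val(v) !== '0' ? 'should be 0 when CSP is in place' : null)],
];

// Returns findings grouped by risk level for a { 'Header-Name': value } object.
function auditHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = { Critical: [], High: [], Medium: [], Low: [] };
  for (const [risk, name, check] of CHECKS) {
    const problem = check(h[name], h);
    if (problem) findings[risk].push(`${name}: ${problem}`);
  }
  return findings;
}

// Constructed sample: the four "low-hanging fruit" headers are set, but HSTS is
// still at its 5-minute test value and a legacy X-XSS-Protection value is sent.
const SAMPLE = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'X-XSS-Protection': '1; mode=block',
};
console.log(auditHeaders(SAMPLE));
```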

https://devnestio.pages.dev/security-headers-ref/
