Security response headers are one of the highest-ROI security measures you can take — low configuration cost, significant attack surface reduction. But there are 11 of them to know, each with its own quirks.
I built a reference tool covering all 11, with risk levels, what attacks they prevent, recommended values, and copy-ready code for Express, nginx, and Apache.
Tool
HTTP Security Headers Reference
https://devnestio.pages.dev/security-headers-ref/
Filter by risk level (Critical / High / Medium / Low), search by name or description, switch between framework snippets.
The 11 Headers
Critical
Strict-Transport-Security (HSTS)
Tells the browser to use HTTPS only for this host for the given duration, and to treat certificate errors as fatal rather than click-through. Prevents SSL stripping and similar MitM downgrades on every visit after the first one (and on the first visit too once the host is on the preload list).
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Start with max-age=300 (5 min) to test, then ramp up. preload requires a max-age of at least one year, includeSubDomains, and registration at hstspreload.org; getting off the list again takes months, so confirm every subdomain serves HTTPS before you submit.
Content-Security-Policy (CSP)
Defines which origins may load scripts, styles, images, and frames, and which sites may frame the page. Mitigates XSS and data injection: even if an attacker gets markup into the page, a script from an origin the policy does not list will not run.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'
Use Content-Security-Policy-Report-Only to test without enforcing, and add report-uri (or report-to) so violations are sent somewhere you can read them; report-only without a reporting endpoint tells you nothing.
High
X-Frame-Options
Prevents clickjacking by controlling whether pages can be embedded in frames.
X-Frame-Options: DENY
Modern alternative: use frame-ancestors 'none' in CSP instead (XFO as fallback for old browsers).
X-Content-Type-Options
Disables MIME sniffing. Prevents browsers from treating a response served as text/plain as JavaScript (or as HTML) just because its content looks like it.
X-Content-Type-Options: nosniff
nosniff is the only valid value and has no compatibility cost as long as your responses carry the correct Content-Type; a script served as text/plain is refused instead of sniffed, which is the point. Add it to everything.
Medium
Referrer-Policy
Controls what the Referer header contains when navigating away or fetching cross-origin resources. strict-origin-when-cross-origin sends the full URL on same-origin requests, only the origin on cross-origin requests, and nothing on HTTPS-to-HTTP downgrades, so paths and query parameters (which may carry tokens) stay on your origin.
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy (formerly Feature-Policy)
Disables browser APIs you do not need: camera, microphone, geolocation, payment.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Cross-Origin Trio: COEP, COOP, CORP
Protect against Spectre-style side-channel attacks and XS-Leaks:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
COOP plus COEP give the page cross-origin isolation, which is what unlocks SharedArrayBuffer and high-resolution timers in modern browsers. CORP is set on the resources themselves and declares who may embed them; require-corp demands it (or CORS) on every cross-origin subresource, so check third-party scripts, fonts, and images before enforcing it or they will stop loading.
Low
X-XSS-Protection
Activated the built-in XSS auditor in older browsers. Chromium-based browsers have removed it and Firefox never shipped one, and the auditor itself could be abused to leak information about the page, so the recommended value is now 0 when you have CSP:
X-XSS-Protection: 0
Cache-Control (for sensitive responses)
Prevents CDNs and proxies from caching private data:
Cache-Control: no-store, private
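The check a practitioner wants after reading the list above is a way to audit what a server actually sends. The script below is an added example, not code from the original post or from the reference tool: it takes a response's headers as a plain object (the shape Node's http module returns as res.headers), applies the recommendations above for all 11 headers, and returns findings tagged with the same risk levels. The two header sets at the bottom are constructed for illustration; fetchHeaders is a small helper for pointing it at a live URL.

```javascript
// Added example (not code from the original post or its reference tool).
// Audits one response's headers against the 11 recommendations above and
// returns findings tagged with the same risk levels. Input is an object of
// header name -> value, the shape Node's http module returns as res.headers.
// The sample header sets at the bottom are constructed for illustration.

const MIN_HSTS_MAX_AGE = 31536000; // one year; also the hstspreload.org minimum

// "default-src 'self'; script-src 'self' cdn.example.com" -> { 'default-src': [...], ... }
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// sensitive: true means the response carries private data and must not be cached
function auditHeaders(headers, { sensitive = false } = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const flag = (risk, header, detail) => findings.push({ risk, header, detail });

  // Critical: HSTS and CSP
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    flag('critical', 'Strict-Transport-Security', 'missing');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < MIN_HSTS_MAX_AGE) flag('critical', 'Strict-Transport-Security', `max-age=${maxAge} is below one year`);
    if (!/includesubdomains/i.test(hsts)) flag('high', 'Strict-Transport-Security', 'includeSubDomains not set');
  }

  const csp = h['content-security-policy'];
  let hasFrameAncestors = false;
  if (!csp) {
    flag('critical', 'Content-Security-Policy',
      h['content-security-policy-report-only'] ? 'only Report-Only is set (nothing is enforced)' : 'missing');
  } else {
    const d = parseCsp(csp);
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
      flag('high', 'Content-Security-Policy', "script-src allows 'unsafe-inline' without a nonce or hash");
    if (scriptSrc.includes('*') || scriptSrc.includes('https:'))
      flag('high', 'Content-Security-Policy', 'script-src allows any origin');
    hasFrameAncestors = 'frame-ancestors' in d;
  }

  // High: clickjacking and MIME sniffing
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!hasFrameAncestors && xfo !== 'DENY' && xfo !== 'SAMEORIGIN')
    flag('high', 'X-Frame-Options', 'no frame-ancestors in CSP and no DENY/SAMEORIGIN fallback');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    flag('high', 'X-Content-Type-Options', 'should be nosniff');

  // Medium: referrer leakage and browser APIs
  const rp = (h['referrer-policy'] || '').toLowerCase();
  const safeRp = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
  if (!safeRp.includes(rp))
    flag('medium', 'Referrer-Policy', rp ? `${rp} can send path and query cross-origin` : 'missing');
  if (!h['permissions-policy']) flag('medium', 'Permissions-Policy', 'missing');

  // Low: legacy XSS auditor and caching of private data
  const xss = h['x-xss-protection'];
  if (xss !== undefined && xss.trim() !== '0')
    flag('low', 'X-XSS-Protection', 'set to 0 or remove; the auditor is gone from modern browsers');
  if (sensitive && !/\bno-store\b/i.test(h['cache-control'] || ''))
    flag('low', 'Cache-Control', 'sensitive response lacks no-store');

  return findings;
}

// Fetches the headers of a live URL (not used by the constructed samples below).
function fetchHeaders(url) {
  return new Promise((resolve, reject) => {
    const https = require('https');
    https.get(url, (res) => { res.resume(); resolve(res.headers); }).on('error', reject);
  });
}

// Constructed samples: a weak configuration and one matching the recommendations.
const WEAK = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-XSS-Protection': '1; mode=block',
  'Referrer-Policy': 'no-referrer-when-downgrade',
  'Cache-Control': 'public, max-age=3600',
};
const HARDENED = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), payment=()',
  'X-XSS-Protection': '0',
  'Cache-Control': 'no-store, private',
};

if (process.argv[2] && process.argv[2].startsWith('https://')) {
  fetchHeaders(process.argv[2]).then((h) => console.table(auditHeaders(h)));
} else {
  console.table(auditHeaders(WEAK, { sensitive: true }));
}
```

Run it with no arguments to see the nine findings the constructed WEAK set produces, or with `node audit.js https://your-host/` to audit a real response. X-Frame-Options is only flagged when the CSP has no frame-ancestors, matching the advice above that XFO is the fallback, not the primary control.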
Quick Implementation with Helmet (Node.js)
npm install express helmet
const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet() sets HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
// a default CSP, and more. CSP needs customization for your app: pass the
// directives to helmet() rather than calling helmet.contentSecurityPolicy()
// a second time. Helmet merges them with its defaults unless useDefaults: false.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      frameAncestors: ["'none'"],
    },
  },
}));

app.get('/', (req, res) => res.send('ok'));
app.listen(3000);
nginx — Set All at Once
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; frame-ancestors 'none'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header X-XSS-Protection "0" always;
Two nginx gotchas: always makes the headers appear on error responses too (without it, 4xx/5xx pages go out bare), and add_header is only inherited from the enclosing block if the current block has no add_header of its own, so a location that adds just Cache-Control silently drops all of the above. Keep them in one snippet file and include it in every such location.
The Low-Hanging Fruit
If you configure nothing else today, add these four. The first three are trivial to set with no side effects; HSTS is just as easy but locks the host to HTTPS for the whole max-age, so add it only once every host it covers serves HTTPS:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
Then tackle CSP when you have time to test it in report-only mode.