Security headers are HTTP response headers that a web server sends to instruct the browser how to handle the site's content. They switch on built-in browser protections against cross-site scripting, clickjacking, MIME-type sniffing, protocol downgrade and other common web attacks. Properly configured security headers add a meaningful layer of defense, usually without changes to the application's code; the main exception is a strict Content-Security-Policy, which often requires moving inline scripts and event handlers into external files or tagging them with nonces.
How It Works
Each security header addresses a specific threat. Content-Security-Policy (CSP) declares which origins the browser may load each type of resource from and, unless the policy explicitly allows 'unsafe-inline' (or whitelists a script by nonce or hash), blocks inline script execution, which removes the most common XSS payloads from an attacker's reach. X-Frame-Options (DENY or SAMEORIGIN) or the CSP frame-ancestors directive controls which origins may embed the page in a frame, blocking clickjacking; where both are present, browsers honour frame-ancestors. Strict-Transport-Security (HSTS) tells the browser to rewrite every http:// request to the domain to https:// for max-age seconds, which defeats SSL-stripping downgrade attacks and stops session cookies from being sent in the clear. HSTS only takes effect after the browser has seen the header over a valid HTTPS connection, so the very first visit is unprotected unless the domain is on the browser preload list.
X-Content-Type-Options: nosniff stops the browser from guessing a content type from the body of a response, so a user upload or text/plain response cannot be interpreted as HTML or script; it also makes the browser reject script and stylesheet loads whose declared MIME type is wrong. Referrer-Policy controls how much of the current URL (path and query string included) is sent to other sites in the Referer header, which matters when URLs carry tokens or identifiers. Permissions-Policy (formerly Feature-Policy) restricts access to browser features such as the camera, microphone and geolocation for the page and, in particular, for any third-party content it embeds in iframes.
Security headers are typically configured at the web server or reverse proxy level so that they apply to every response. They can also be set by the application framework or, for some of them, through <meta http-equiv> tags, but HTTP headers are preferred because they cover all response types including API responses and error pages, and because meta tags cannot express everything: HSTS and X-Frame-Options cannot be set that way at all, and a CSP delivered in a meta tag ignores frame-ancestors, report-uri and sandbox. Configuration requires careful testing because an overly restrictive policy, particularly a CSP, can break legitimate application functionality; the usual approach is to deploy the candidate policy as Content-Security-Policy-Report-Only first, review the violation reports, and only then switch to the enforcing header.
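The following is an added example, not code from the original page: a small offline audit of a response's security headers that encodes the checks described above (inline scripts in CSP, framing controls, HSTS lifetime, nosniff, referrer leakage, Permissions-Policy) so that a tester can run it against headers captured from a proxy or a curl -I. The BASELINE_HEADERS and WEAK_HEADERS sets are constructed for the example, and the one-year HSTS threshold and the choice of baseline values are the author's assumptions about a sensible hardened default, not values taken from the page.

```python
"""Offline audit of HTTP response security headers (added example).

BASELINE_HEADERS, WEAK_HEADERS and the thresholds below are assumptions
constructed for this example; tune them to the application under test.
"""

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age

# Assumed hardened baseline for a site that serves no inline scripts
BASELINE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "frame-ancestors 'none'; base-uri 'self'"
    ),
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed weak set: the site "has a CSP" but gains nothing from it
WEAK_HEADERS = {
    "content-security-policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}


def parse_csp(value):
    """Split a CSP string into {directive_name: [source expressions]}."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) from an HSTS value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        directive = part.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive[len("max-age="):].strip('"'))
            except ValueError:
                max_age = None
        elif directive == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("CSP: header missing, browser applies no content restrictions")
    else:
        # script-src falls back to default-src when it is not set explicitly
        scripts = csp.get("script-src", csp.get("default-src"))
        if scripts is None:
            findings.append("CSP: neither script-src nor default-src, scripts unrestricted")
        else:
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
            )
            # When a nonce or hash is present, CSP3 browsers ignore 'unsafe-inline'
            if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
                findings.append("CSP: script-src allows 'unsafe-inline', inline XSS is not blocked")
            if "*" in scripts or "data:" in scripts:
                findings.append("CSP: script-src allows * or data:, any origin can supply scripts")
        objects = csp.get("object-src", csp.get("default-src", []))
        if "'none'" not in objects:
            findings.append("CSP: object-src is not 'none', plugin content can be embedded")

    if csp is None or "frame-ancestors" not in csp:
        xfo = h.get("x-frame-options", "").upper()
        if xfo not in ("DENY", "SAMEORIGIN"):
            findings.append("Framing: no frame-ancestors and no DENY/SAMEORIGIN X-Frame-Options "
                            "(ALLOW-FROM is obsolete and ignored by current browsers)")

    if "strict-transport-security" not in h:
        findings.append("HSTS: header missing")
    else:
        max_age, include_sub = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is below one year")
        if not include_sub:
            findings.append("HSTS: includeSubDomains missing, subdomains still reachable over HTTP")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not 'nosniff'")

    rp = h.get("referrer-policy", "").lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy: {rp or 'missing'}, full URLs may leak to other origins")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing, embedded content may request camera/mic/location")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("baseline", BASELINE_HEADERS), ("weak", WEAK_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it as-is to compare the two constructed sets, or replace WEAK_HEADERS with the headers of a real response. Two details are worth noting in the logic: script-src is resolved through default-src the way a browser does, and 'unsafe-inline' is only reported when no nonce or hash source is present, because a policy that carries both is treated by current browsers as nonce-only (the 'unsafe-inline' token is kept for older browsers and is not a weakness).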
Why It Matters
Missing or misconfigured security headers are among the most common findings in security assessments. They are low-effort, high-value improvements because they leverage protections the browser already implements, and most of them require no application code changes. Security headers alone cannot fix an underlying vulnerability, such as an injection flaw or broken access control, but they raise the cost of exploiting one considerably and provide defense in depth against whole categories of web attacks.
Need your application tested? Get in touch.