Vol. 1 · Ed. 2026
CyberGlossary
Entry № 555

HTTP Security Headers

Reviewed by a cybersecurity entrepreneur & security researcher

What are HTTP Security Headers?

HTTP Security Headers: Response headers that instruct browsers to enforce defensive behaviour such as HTTPS-only, framing restrictions, content policies and referrer controls.


HTTP security headers are a low-cost, high-impact way to harden web applications by leveraging protections built into the browser. The core set includes 'Strict-Transport-Security' (HSTS), 'Content-Security-Policy' (CSP), 'X-Content-Type-Options: nosniff', 'X-Frame-Options' (or, preferably, the CSP 'frame-ancestors' directive, which supersedes it), 'Referrer-Policy', 'Permissions-Policy', 'Cross-Origin-Opener-Policy' and 'Cross-Origin-Resource-Policy'. Each header mitigates a specific class of attack: HSTS blocks protocol downgrade and SSL stripping, CSP limits where scripts and other content may load from and so blunts cross-site scripting, 'nosniff' stops MIME sniffing, the framing headers stop clickjacking, 'Referrer-Policy' stops URL leakage to third parties, 'Permissions-Policy' restricts abusive use of browser features, and the cross-origin headers isolate the page's browsing context and its resources from other origins. Two caveats apply. First, these headers are enforced by the browser, so they protect the application's users rather than the server, and they complement rather than replace input validation and output encoding. Second, HSTS only takes effect once a browser has seen the header over a valid HTTPS connection, which is why the preload list exists. They should be deployed on every response (including error pages and API responses, which are otherwise easy to forget), tested with tools such as securityheaders.com or Mozilla Observatory, and treated as part of the application's configuration baseline rather than as per-page tweaks.

Examples

  1. 'Strict-Transport-Security: max-age=63072000; includeSubDomains; preload' to enforce HTTPS-only access. Note that 'includeSubDomains' forces HTTPS on every subdomain, so check for HTTP-only subdomains first, and that 'preload' is only honoured after the domain has been submitted to the browser preload list and is hard to reverse.

  2. 'Referrer-Policy: no-referrer' on internal admin endpoints to prevent leaking URLs (which may carry record identifiers or tokens) to third parties.
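The following is an added example, not code from the glossary page, covering both the core header set described in the definition above and the HSTS and Referrer-Policy entries in the examples list. It is plain Node.js with no dependencies: a baseline header set, a helper that applies it to any response object exposing 'setHeader', and a small audit that flags missing or weak headers in a captured response, the same kind of check a scanner such as securityheaders.com performs. The baseline values are one reasonable choice rather than a standard, the 'FakeResponse' class and the two sample responses at the bottom are constructed for illustration, and the audit thresholds (one-year HSTS, no 'unsafe-inline' script without a nonce or hash) are this example's assumptions.

```javascript
// Added example: baseline security headers, a middleware-shaped helper and an audit.
// Plain Node.js, no dependencies. Header names are real; the sample responses and
// FakeResponse below are constructed for illustration.

const ONE_YEAR_SECONDS = 31536000;

// Baseline for an HTML application. The CSP is strict (no inline script); roll it
// out first as Content-Security-Policy-Report-Only and relax only what breaks.
const BASELINE_HEADERS = Object.freeze({
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy':
    "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY', // legacy fallback for browsers that ignore frame-ancestors
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
});

// Works with any object exposing setHeader(name, value), e.g. Node's
// http.ServerResponse or an Express `res`. Call it on every response, including
// error pages and JSON APIs, before the body is written.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(BASELINE_HEADERS)) res.setHeader(name, value);
  return res;
}

// "max-age=N; includeSubDomains; preload" -> { maxAge, includeSubDomains, preload }
function parseHsts(value) {
  const directives = value.split(';').map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : NaN,
    includeSubDomains: directives.includes('includesubdomains'),
    preload: directives.includes('preload'),
  };
}

// "default-src 'self'; script-src 'nonce-abc'" -> { 'default-src': [...], 'script-src': [...] }
function parseCsp(value) {
  const policy = {};
  for (const directive of value.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Audit a response's header map (names matched case-insensitively, as on the wire).
// Returns human-readable findings; an empty array means the baseline is met.
function auditHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (!h['strict-transport-security']) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (!(hsts.maxAge >= ONE_YEAR_SECONDS)) findings.push('HSTS max-age below one year');
    if (!hsts.includeSubDomains) findings.push('HSTS without includeSubDomains');
  }

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    // script-src falls back to default-src when absent, as browsers do.
    const scriptSources = csp['script-src'] || csp['default-src'] || [];
    const hasNonceOrHash = scriptSources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSources.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("CSP script sources allow 'unsafe-inline' without a nonce or hash");
    }
  }
  // Framing: frame-ancestors is authoritative; X-Frame-Options is the legacy fallback.
  if (!(csp && csp['frame-ancestors']) && !h['x-frame-options']) {
    findings.push('no framing restriction (frame-ancestors or X-Frame-Options)');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  const referrer = (h['referrer-policy'] || '').toLowerCase();
  if (!referrer) findings.push('missing Referrer-Policy');
  else if (referrer === 'unsafe-url' || referrer === 'no-referrer-when-downgrade') {
    findings.push(`Referrer-Policy '${referrer}' leaks full URLs cross-origin`);
  }

  for (const name of ['permissions-policy', 'cross-origin-opener-policy', 'cross-origin-resource-policy']) {
    if (!h[name]) findings.push(`missing ${name}`);
  }
  return findings;
}

// Minimal stand-in for http.ServerResponse so the example runs without a server.
class FakeResponse {
  constructor() { this.headers = {}; }
  setHeader(name, value) { this.headers[name] = value; }
}

// Constructed sample: a token HSTS value, a permissive CSP and a leaky referrer policy.
const WEAK_RESPONSE = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'Referrer-Policy': 'unsafe-url',
};
const HARDENED_RESPONSE = applySecurityHeaders(new FakeResponse()).headers;

console.log('weak response findings:', auditHeaders(WEAK_RESPONSE));
console.log('hardened response findings:', auditHeaders(HARDENED_RESPONSE));
```

Run against the constructed weak response the audit reports nine findings (short HSTS lifetime, no 'includeSubDomains', inline script allowed, no framing restriction, no 'nosniff', leaky referrer policy, and three missing headers); the hardened response produces none. In a real deployment, point 'auditHeaders' at the headers of every route class, including 404 and 500 pages and API endpoints, rather than only the front page.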

Frequently asked questions

What are HTTP Security Headers?

Response headers that instruct browsers to enforce defensive behaviour such as HTTPS-only, framing restrictions, content policies and referrer controls. The term belongs to the Application Security category of cybersecurity.

What do HTTP Security Headers mean?

Response headers that instruct browsers to enforce defensive behaviour such as HTTPS-only, framing restrictions, content policies and referrer controls.

How do you deploy HTTP Security Headers?

HTTP security headers are themselves a defence, not a threat. Deploy them by setting the core set (HSTS, CSP, 'nosniff', framing restrictions, 'Referrer-Policy', 'Permissions-Policy' and the cross-origin headers) on every response, including error pages and API responses; verify the result with a scanner such as securityheaders.com or Mozilla Observatory; and keep the values in the application's configuration baseline so they are reviewed and tested like any other setting, as detailed in the full definition above.

What are other names for HTTP Security Headers?

Common alternative names include: Security response headers.
