Security Headers for Netlify — Complete Configuration
Netlify lets you set security headers in a _headers file at your project root or in netlify.toml. The _headers file is simpler. Here is the complete config for both approaches.
Using the _headers file
Create a file called _headers in your project root (same level as index.html). Netlify processes it automatically on deploy.
/*
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'; object-src 'none';
  Cross-Origin-Opener-Policy: same-origin

/static/*
  Cache-Control: public, max-age=31536000, immutable

/api/*
  Cache-Control: no-store
Using netlify.toml
[[headers]]
for = "/*"
[headers.values]
X-Frame-Options = "SAMEORIGIN"
X-Content-Type-Options = "nosniff"
Referrer-Policy = "strict-origin-when-cross-origin"
Strict-Transport-Security = "max-age=31536000; includeSubDomains"
Content-Security-Policy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'; object-src 'none';"
[[headers]]
for = "/static/*"
[headers.values]
Cache-Control = "public, max-age=31536000, immutable"
What Netlify adds automatically
Netlify automatically sets:
- HTTPS redirect (all HTTP traffic → HTTPS)
- X-Content-Type-Options: nosniff (on some plans)
Everything else — HSTS, CSP, X-Frame-Options — you must set explicitly. Use HeadersFixer to verify what is actually being sent after deploy.
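Before deploying, it is worth checking the _headers file itself for the headers this page says you must set explicitly, rather than discovering a gap on the live site. The script below is an added example, not code from this page or from Netlify: it parses the _headers format (unindented path rule, indented "Name: value" lines), resolves which headers apply to a request path, and audits them for missing headers and weak values (HSTS max-age under a year, script-src allowing 'unsafe-inline' or 'unsafe-eval', CSP without frame-ancestors). Both embedded files are constructed samples; the first reproduces the config above, the second is a deliberately weakened one. Assumptions: Python's fnmatch is used for the `*` wildcard (Netlify's `:placeholder` segments are not handled), and when several rules match a path, later rules are assumed to override earlier ones for the same header name.

```python
import fnmatch
import re

# Constructed sample: the _headers file from this page, reproduced for the example.
SAMPLE_HEADERS_FILE = """\
/*
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'; object-src 'none';
  Cross-Origin-Opener-Policy: same-origin

/static/*
  Cache-Control: public, max-age=31536000, immutable

/api/*
  Cache-Control: no-store
"""

# Constructed sample: a weakened file, to show what the audit reports.
WEAK_HEADERS_FILE = """\
/*
  X-Content-Type-Options: nosniff
  Strict-Transport-Security: max-age=86400
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

# Headers the page says Netlify does not set for you.
REQUIRED = ["X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
            "Strict-Transport-Security", "Content-Security-Policy"]
ONE_YEAR = 31536000


def parse_headers_file(text):
    """Return [(path_pattern, {header: value}), ...] in file order.
    An unindented line starts a new path rule; indented 'Name: value' lines
    belong to the most recent rule. Blank lines and '#' comments are skipped."""
    rules = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            current = (raw.strip(), {})
            rules.append(current)
            continue
        if current is None:
            raise ValueError("header line before any path rule: %r" % raw)
        name, sep, value = raw.strip().partition(":")  # split on the first colon only
        if not sep:
            raise ValueError("not a 'Name: value' line: %r" % raw)
        current[1][name.strip()] = value.strip()
    return rules


def headers_for(rules, path):
    """Merge every rule whose pattern matches path.
    Assumption: later matching rules override earlier ones for the same header."""
    merged = {}
    for pattern, headers in rules:
        if fnmatch.fnmatchcase(path, pattern):  # '*' also spans '/' here, like Netlify's '/*'
            merged.update(headers)
    return merged


def parse_csp(value):
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in REQUIRED:
        if name.lower() not in lowered:
            findings.append("missing " + name)
    hsts = lowered.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            age = m.group(1) if m else "none"
            findings.append("Strict-Transport-Security max-age below one year (%s)" % age)
    csp = lowered.get("content-security-policy")
    if csp:
        directives = parse_csp(csp)
        scripts = directives.get("script-src", directives.get("default-src", []))
        for bad in ("'unsafe-inline'", "'unsafe-eval'"):
            if bad in scripts:
                findings.append("script-src allows " + bad)
        if "frame-ancestors" not in directives:
            findings.append("CSP lacks frame-ancestors")
    return findings


def audit_file(text, path="/"):
    """Parse a _headers file and audit the headers that would apply to path."""
    return audit(headers_for(parse_headers_file(text), path))


if __name__ == "__main__":
    for label, text in (("page config", SAMPLE_HEADERS_FILE), ("weak config", WEAK_HEADERS_FILE)):
        print(label, "->", audit_file(text, "/") or "no findings")
```

Run it with `python check_headers.py`, or import audit_file from a pre-deploy script and fail the build when it returns findings; the live curl check in the next section then confirms that what Netlify actually serves matches the file.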
Testing before going live
# Deploy to a preview URL first
netlify deploy
# Then verify headers on the preview URL
curl -I https://deploy-preview-123--yoursite.netlify.app/

Check your Netlify headers → HeadersFixer