Complete HTTP Security Headers Reference

Every security header your server should be sending, with an example value, what it protects against, the common mistakes, and the spec that defines it. Use this alongside HeadersFixer to verify your site sends all of them.

Strict-Transport-Security (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Protects against: SSL stripping and HTTP-to-HTTPS downgrade attacks on repeat visits. The first visit is unprotected unless the domain is on the browser preload list, which is what the preload directive requests. Common mistakes: adding it before every page and every subdomain works over HTTPS (includeSubDomains then breaks any subdomain still served over plain HTTP), or setting max-age too low. The preload list requires max-age of at least 31536000 (one year) plus includeSubDomains, and removal from the list is slow, so treat preload as a long-term commitment. Spec: RFC 6797.

Content-Security-Policy (CSP)

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'; object-src 'none';

Protects against: XSS, data injection, and resource injection (loading scripts, frames, or plugins from origins you did not allow). Common mistake: allowing 'unsafe-inline' in script-src, which defeats the XSS protection. Use nonces or hashes instead; the nonce in the example above is a placeholder and must be a fresh random value on every response, copied into the nonce attribute of each inline script you intend to run. Once a nonce or hash is present in script-src, browsers ignore 'unsafe-inline' in that directive, so you can keep it only as a fallback for very old clients. 'unsafe-inline' in style-src, as in the example, is a smaller risk but still worth replacing with nonces once your inline styles allow it. Spec: W3C CSP Level 3.
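The nonce in the example header has to be generated fresh for every response and repeated in the nonce attribute of each inline script you want to run. The Python http.server handler below is an added illustration, not code from this reference or from HeadersFixer; the port, page body, and function names are placeholders chosen for the example.

```python
import html
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer


def new_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64url-encoded (all characters are valid in a CSP nonce).
    # A fixed value such as "abc123" gives no protection: the attacker just reuses it.
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    # The policy from the reference header above with the per-response nonce filled in.
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "frame-ancestors 'none'",
        "object-src 'none'",
    ]
    return "; ".join(directives)


def render_page(nonce: str, untrusted_name: str) -> str:
    # Only the inline script carrying this response's nonce may run; a script an attacker
    # injects through untrusted_name has no nonce and is blocked even if escaping failed.
    safe_name = html.escape(untrusted_name)
    return (
        "<!doctype html>\n<html><head>\n"
        f'<script nonce="{nonce}">console.log("greeting rendered");</script>\n'
        "</head><body>\n"
        f"<p>Hello, {safe_name}</p>\n"
        "</body></html>\n"
    )


class NonceHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        nonce = new_nonce()  # one nonce per response, shared by header and markup
        body = render_page(nonce, "visitor").encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", build_csp(nonce))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Placeholder bind address for the example; serve behind HTTPS in practice.
    HTTPServer(("127.0.0.1", 8080), NonceHandler).serve_forever()
```

The same approach works in any framework: generate the nonce once per request, pass it to both the response header and the template, and never cache a page that embeds one.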

X-Frame-Options

X-Frame-Options: SAMEORIGIN

Protects against: Clickjacking. Values: DENY (never framed), SAMEORIGIN (framed only by pages of the same origin, not merely the same registrable domain). The old ALLOW-FROM value is not supported by current browsers. Note: superseded by CSP frame-ancestors, which takes precedence when both headers are present. Send both so that older clients without CSP support are still covered. Spec: RFC 7034.

X-Content-Type-Options

X-Content-Type-Options: nosniff

Protects against: MIME sniffing, where a browser guesses a type from content and treats an uploaded file as HTML or script. With nosniff set, browsers also refuse scripts and stylesheets served with a non-matching Content-Type, so check that your Content-Type headers are correct before adding it. Common mistake: none; the header has a single value. Just add it. Spec: WHATWG Fetch Standard.

Referrer-Policy

Referrer-Policy: strict-origin-when-cross-origin

Protects against: URL leakage to third parties via the Referer header (paths, query strings, tokens). Values: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url. strict-origin-when-cross-origin sends the full URL to same-origin requests, only the origin to cross-origin requests, and nothing on an HTTPS-to-HTTP downgrade. Default (no header): strict-origin-when-cross-origin in modern browsers, but older ones fall back to no-referrer-when-downgrade, so set it explicitly anyway. A comma-separated list is allowed as a fallback chain; the last value the browser recognizes wins. Spec: W3C Referrer Policy.

Permissions-Policy

Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

Protects against: scripts in your page and embedded iframes using browser features such as camera, microphone, or geolocation. Third-party scripts loaded with a script tag run with your origin's privileges, so without this header an analytics or ad script can call those APIs. An empty allowlist such as camera=() disables the feature everywhere, camera=(self) allows only your own origin, and geolocation=(self "https://maps.example.com") delegates it to one embedded origin (example.com stands in for a real embed). The interest-cohort=() entry opted out of Chrome's discontinued FLoC experiment; it is harmless to keep but no longer does anything. Common mistake: not setting it. Spec: W3C Permissions Policy (the earlier Feature-Policy header is still read by some older browsers).

Cross-Origin-Opener-Policy (COOP)

Cross-Origin-Opener-Policy: same-origin

Protects against: cross-origin windows keeping a reference to yours (window.opener) and the cross-window side channels used in Spectre-style attacks. Required for: SharedArrayBuffer and high-resolution timers, together with COEP; the pair puts the page in a cross-origin isolated process. Values: same-origin, same-origin-allow-popups (keeps the opener relationship with popups you open yourself, e.g. OAuth or payment flows), unsafe-none (the default). Caution: same-origin breaks any flow where a popup expects window.opener to be set. Spec: WHATWG HTML Standard.

Cross-Origin-Embedder-Policy (COEP)

Cross-Origin-Embedder-Policy: require-corp

Required alongside COOP for cross-origin isolation. Values: require-corp (every cross-origin resource must either carry a CORP header or be fetched with CORS, e.g. crossorigin="anonymous" on img and script tags), credentialless (fetches cross-origin resources without credentials instead of demanding CORP), unsafe-none (the default). Caution: require-corp blocks any third-party image, script, or font whose server sets neither CORP nor CORS headers, so test every embedded resource before enabling it. Spec: WHATWG HTML Standard.

Cross-Origin-Resource-Policy (CORP)

Cross-Origin-Resource-Policy: same-origin

Protects against: other origins loading your resources in no-cors mode (img, script, audio, and similar elements), which limits what a Spectre-style attacker on another site can pull into its process. It does not affect CORS requests; those are governed by Access-Control-Allow-Origin. Values: same-origin, same-site (also allows subdomains of the same registrable domain), cross-origin (anyone may embed the resource). Required when: your resources are embedded by a page sending COEP: require-corp; that page can load them only if you send CORP: cross-origin (or same-site, where that applies) or serve them with CORS. Spec: WHATWG Fetch Standard.

Server (remove or redact)

Server: Apache   # replace or remove entirely

Default behavior: nginx sends "nginx/1.24.0" and Apache sends "Apache/2.4.57", each with the exact version installed. Revealing versions helps attackers pick exploits for known vulnerabilities in that release. Set it to a generic value or remove it: in nginx, server_tokens off; drops the version (removing the header entirely needs a third-party module such as headers-more); in Apache, ServerTokens Prod reduces it to "Apache". Strip X-Powered-By and similar framework banners for the same reason.
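The checks described in the sections above can be applied to a captured response. The Python below is an added example (not HeadersFixer's code) that encodes this page's rules as an audit function. The two header dictionaries at the bottom are constructed samples, not responses from any real site, and the thresholds (one-year max-age, the set of referrer policies treated as safe, reporting a missing COOP) are this example's choices.

```python
import re

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def get_header(headers: dict, name: str):
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_directive(csp: str, name: str):
    """Return the lower-cased source list of one CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        if age is None or int(age.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = get_header(headers, "Content-Security-Policy")
    xfo = get_header(headers, "X-Frame-Options")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when it is not given
        scripts = csp_directive(csp, "script-src")
        if scripts is None:
            scripts = csp_directive(csp, "default-src") or []
        nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for t in scripts)
        # browsers ignore 'unsafe-inline' once a nonce or hash is present, so flag it only otherwise
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline' with no nonce or hash")
        if csp_directive(csp, "frame-ancestors") is None and xfo is None:
            findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    if xfo is not None and xfo.strip().upper() not in FRAME_OPTIONS:
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    if (get_header(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    policy = get_header(headers, "Referrer-Policy")
    # a comma-separated fallback list is allowed; the last value the browser knows wins
    effective = policy.split(",")[-1].strip().lower() if policy else None
    if effective not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    if get_header(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy missing")

    if get_header(headers, "Cross-Origin-Opener-Policy") is None:
        findings.append("Cross-Origin-Opener-Policy missing")

    server = get_header(headers, "Server")
    if server and re.search(r"\d+\.\d+", server):
        findings.append(f"Server header reveals a version: {server!r}")

    return findings


# Constructed sample responses for this example, not captured from any real site.
WEAK_HEADERS = {
    "Server": "nginx/1.24.0",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0mPerResponse'; "
                                "frame-ancestors 'none'; object-src 'none'"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```

To audit a live site, feed audit_headers the header map from an http.client or requests response; the function only reads a dict, so it is independent of how the response was fetched. The CSP check deliberately accepts 'unsafe-inline' next to a nonce or hash, matching how current browsers treat that combination.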

Scan your security headers → HeadersFixer