HTTP Security Headers

A set of response headers that harden browser behavior with little code.

4 min read · intro

What They Are

HTTP security headers are response headers that instruct the browser to apply protective behaviors. They are cheap to add and provide defense in depth across many common web attacks.

Important Headers

  • Strict-Transport-Security (HSTS) tells browsers to use HTTPS for the site and to refuse downgrades to plain HTTP.
  • X-Content-Type-Options: nosniff stops the browser from sniffing (guessing) content types, which blocks some injection tricks that rely on MIME confusion.
  • Referrer-Policy limits how much of the current URL is sent to other sites in the Referer header.
  • Content-Security-Policy restricts where scripts and other resources may be loaded from.

Applying Them

  • Set headers centrally at a gateway or middleware so every response is consistent.
  • Test with a header scanner and confirm headers survive redirects and error pages.
  • Combine headers, since each closes a different gap rather than replacing the others.
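The two practices above, set once at the middleware layer and verify on every response, as an added example (not the lesson's own code): a framework-agnostic WSGI middleware that injects one consistent header set, and a small scanner-style check run against a constructed app that serves a normal page, a redirect and an error page. The header values, the app and the helper names are assumptions.

```python
# Added example, not from the lesson: a framework-agnostic WSGI middleware that adds one
# consistent header set to every response, plus a checker in the spirit of a header scanner.

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # only honoured over HTTPS
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

def security_headers_middleware(app):
    """Wrap a WSGI app so every response, redirects and error pages included, carries the set."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}  # keep any header the app set itself
            extra = [(n, v) for n, v in SECURITY_HEADERS.items() if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, patched_start_response)
    return wrapped

def missing_security_headers(headers):
    """Return the required header names absent from a response header list (scanner check)."""
    present = {name.lower() for name, _ in headers}
    return [n for n in SECURITY_HEADERS if n.lower() not in present]

# Constructed sample app (hypothetical): a normal page, a redirect and a 404, none setting headers.
def sample_app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/old":
        start_response("302 Found", [("Location", "/new")])
        return [b""]
    if path != "/":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>ok</html>"]

def run(app, path):
    """Invoke a WSGI app for one path and return (status, headers) as the client would see them."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    list(app({"PATH_INFO": path}, start_response))  # consume the body iterable
    return captured["status"], captured["headers"]

if __name__ == "__main__":
    hardened = security_headers_middleware(sample_app)
    for path in ("/", "/old", "/missing"):  # normal page, redirect, error page
        print(path, run(sample_app, path)[0], "bare:", missing_security_headers(run(sample_app, path)[1]),
              "hardened:", missing_security_headers(run(hardened, path)[1]))
```

The bare app reports all four headers missing on every path, while the wrapped app reports none, including on the 302 and 404 responses that per-route code typically forgets.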

Key idea

Security headers are low effort defense in depth, so set a consistent strong set centrally and verify they appear on every response.

Check yourself


1. What does Strict-Transport-Security do?

2. What does X-Content-Type-Options: nosniff prevent?