Headers as Defense
HTTP response headers let a server instruct the browser to enforce protections on its behalf. They are cheap to add and provide a strong layer of defense in depth, since the browser becomes a cooperating enforcement point.
The Core Set
- Content Security Policy restricts where scripts, styles, and other resources may load from, blunting cross-site scripting.
- Strict Transport Security forces the browser to use HTTPS for future visits, stopping downgrade attacks.
- X-Content-Type-Options: nosniff stops the browser from guessing (sniffing) a content type different from the one declared.
- X-Frame-Options or a Content Security Policy frame-ancestors directive blocks your pages from being embedded by other sites, defeating clickjacking.
- Referrer-Policy limits how much of the current URL leaks to other sites.
Using Them Well
Add headers globally at the edge or in middleware so no route is forgotten. Roll out a Content Security Policy in report-only mode first to find breakage before enforcing it. Headers complement, but never replace, server-side controls.
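As an added illustration of the rollout advice above (example code, not from the original page): a small WSGI middleware that stamps the core header set onto every response, with the Content Security Policy switchable from report-only to enforcing mode. The class and function names, the report endpoint path, and the demo app are this example's own assumptions, not a library API.

```python
# Added example: apply the core security headers globally via WSGI middleware.
# Names (build_headers, SecurityHeaders, /csp-report) are constructed for this example.
CSP_REPORT_ONLY = "Content-Security-Policy-Report-Only"
CSP_ENFORCE = "Content-Security-Policy"

def build_headers(enforce_csp: bool, report_uri: str = "/csp-report") -> dict:
    """Return the core header set; the CSP starts in report-only mode."""
    csp = (
        "default-src 'self'; "
        "script-src 'self'; "
        "object-src 'none'; "
        "frame-ancestors 'none'; "   # CSP counterpart of X-Frame-Options
        f"report-uri {report_uri}"   # violations are POSTed here while staging
    )
    return {
        CSP_ENFORCE if enforce_csp else CSP_REPORT_ONLY: csp,
        # HSTS is only honoured by browsers on responses served over HTTPS.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }

class SecurityHeaders:
    """WSGI middleware: wraps the whole app so no route can forget the headers."""
    def __init__(self, app, enforce_csp: bool = False):
        self.app = app
        self.headers = build_headers(enforce_csp)

    def __call__(self, environ, start_response):
        def wrapped_start(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers.items():
                if name.lower() not in present:   # a route-specific value wins
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, wrapped_start)

def _demo_app(environ, start_response):
    """Constructed app that sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>hi</h1>"]

def run_once(app) -> list:
    """Drive a WSGI app with one constructed GET and return its response headers."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["headers"]
```

Stage it with `SecurityHeaders(app)` (report-only) until the reports stop showing real breakage, then switch to `SecurityHeaders(app, enforce_csp=True)`.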
Key idea
A small set of response headers, led by Content Security Policy and Strict Transport Security, turns the browser into an enforcement point that adds real defense in depth, best applied globally and rolled out carefully.