HTTP Security Headers Checklist
Add the most important security headers — CSP, HSTS, X-Frame-Options, CORP, and Permissions-Policy.
Published:
Tags: HTTP security headers checklist, web security headers, browser security header guide
Security headers are one of the highest-return security improvements a web server can implement. A single addition or change can eliminate entire classes of attack. This checklist covers the most important headers, what each one protects against, and concrete configuration examples.

---

All the tools discussed here are available for free at theproductguy.in — client-side, no sign-up required. Part of the HTTP Debugging Tools Guide — a complete toolkit for diagnosing web requests.

---

What are the essential five?

According to securityheaders.com, fewer than 5% of sites score an "A" grade on security headers. The five headers below cover the most impactful attack vectors and require minimal configuration.

Strict-Transport-Security (HSTS)

Protects against: Protocol…
Frequently Asked Questions
What security headers should every website have?
Every web server should return at minimum: Strict-Transport-Security (force HTTPS), X-Content-Type-Options: nosniff (prevent MIME sniffing), X-Frame-Options: DENY or SAMEORIGIN (prevent clickjacking), Referrer-Policy (control referrer leakage), and Content-Security-Policy (restrict resource loading). These five headers cover the highest-impact attack vectors with minimal configuration effort.
What is Content-Security-Policy?
Content-Security-Policy (CSP) is a security header that tells browsers which sources of content are allowed to load — scripts, styles, images, fonts, frames, and more. A strict CSP is one of the most effective defenses against XSS attacks because even if an attacker injects a script tag, the browser won't execute it if the source isn't in the allowlist.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only connect to a site over HTTPS — never HTTP — for a specified duration. Once a browser has seen the HSTS header, it will refuse any HTTP connections to that domain and automatically upgrade them to HTTPS, even before the server responds.
What is X-Content-Type-Options?
X-Content-Type-Options: nosniff tells browsers to not guess (sniff) the MIME type of a response and to strictly follow the declared Content-Type. This prevents MIME confusion attacks where a server declares text/plain but the browser decides the content looks like JavaScript and executes it. It should be set on every response.
How do I test my HTTP security headers?
The most common testing tools are securityheaders.com (instant graded report), Observatory by Mozilla (security.mozilla.org/analyze), and the Chrome/Firefox DevTools Security panel. Use the free HTTP Header Inspector to paste raw response headers and analyze them offline, or check your Amplify/Nginx/Apache config against this checklist.