Security Headers Explained: HSTS, CSP, X-Frame-Options & More
A handful of free response headers can meaningfully harden any website against clickjacking, XSS, and downgrade attacks. Here's what each one actually does.
Why Security Headers Matter
Many of the most common web application attacks, including cross-site scripting, clickjacking, MIME-sniffing exploits and protocol downgrade attacks, have a browser-enforced mitigation that is switched on with a single response header. The headers cost nothing (no license, no infrastructure), most of them can be added in the web server or a framework middleware without touching application code, and they take effect on the next response. Two exceptions are worth knowing up front: a strict Content-Security-Policy usually means changing templates to get rid of inline scripts, and HSTS only protects a browser that has already seen the header or has the domain preloaded. Even so, surveys of the web's top sites repeatedly find the majority missing several of these headers.
HSTS — Strict-Transport-Security
HSTS tells the browser to connect to your domain only over HTTPS for the stated number of seconds, even if the user types http:// or follows an old HTTP link; the browser rewrites the request to https:// before it leaves the machine. That closes the window for SSL-stripping downgrade attacks, in which an attacker on the network intercepts the first plain-HTTP request before the server can redirect it to HTTPS. Two caveats: browsers only honour the header when it arrives over a valid HTTPS connection (sending it on an HTTP response does nothing, so the HTTP listener should still redirect), and a first-time visitor has no cached policy yet. The preload directive covers that first visit by asking for the domain to be compiled into browsers' built-in HSTS lists, but submission at hstspreload.org requires a max-age of at least one year (31536000), includeSubDomains and preload, and removal from the list takes months, so every subdomain must be able to serve HTTPS before you add it.
Example: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy (CSP)
CSP is an allow-list that tells the browser which sources it may load scripts, styles, images, fonts, frames and other resources from, and whether inline script is permitted at all. It is the strongest browser-side mitigation for cross-site scripting (XSS): if an attacker injects a <script> tag whose source is not on the list, or an inline script or event handler while 'unsafe-inline' is absent, the browser refuses to run it. It is a second line of defence rather than a replacement for output encoding in templates, because a policy that is too loose (a wildcard, 'unsafe-inline' without nonces, or a CDN that also hosts JSONP endpoints or old framework builds) can be bypassed.
A restrictive example: Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com
This blocks every inline script and anything not served from your own origin or the named CDN. Host allow-lists are the easiest policies to start with; the current recommendation for script-src is a per-response nonce or hash combined with 'strict-dynamic', which makes the CDN entry unnecessary and removes the CDN as a bypass route.
For a deeper technical breakdown of every CSP directive, read our dedicated guide: How Content-Security-Policy Works.
X-Frame-Options
Controls whether your page may be embedded in an <iframe> on another site. Without it, an attacker can load your page in a transparent iframe positioned over a harmless-looking decoy and trick users into clicking buttons on your site (confirm a transfer, change an email address) while they believe they are clicking the decoy, a technique called clickjacking.
X-Frame-Options: DENY blocks all framing. SAMEORIGIN allows framing only by pages from the same origin (scheme, host and port), which is narrower than "your own domain": https://app.example.com cannot be framed by https://www.example.com. The older ALLOW-FROM value is obsolete and ignored by current browsers. CSP's frame-ancestors directive is the modern replacement: it takes a list of permitted origins, and when both headers are present, browsers that support frame-ancestors enforce it and ignore X-Frame-Options. Sending both is the usual practice, with X-Frame-Options as the fallback for older clients.
X-Content-Type-Options
Set to nosniff, this header stops the browser from guessing a file's type from its bytes instead of trusting the declared Content-Type. Without it, a user-uploaded file that was accepted as an image or plain text could, in older browsers, be sniffed as HTML or JavaScript and rendered or executed within your site's origin. With nosniff the browser also refuses to execute a <script> whose response is not served with a JavaScript MIME type, or to apply a stylesheet not served as text/css, which closes a whole class of content-type confusion tricks. It only helps if your server actually sets correct Content-Type values, so audit those at the same time.
Referrer-Policy
Controls how much of your page's URL is sent in the Referer header when a visitor follows a link or the page loads a cross-site resource. Permissive policies such as unsafe-url, or the old no-referrer-when-downgrade default, send the full URL including path and query string to every third party you link to, which can leak internal paths, search queries, or password-reset and session tokens embedded in a URL (a bug in its own right, but one the header contains). strict-origin-when-cross-origin, now the default in current major browsers, sends the full URL only to your own origin, just the origin to other HTTPS sites, and nothing on an HTTPS-to-HTTP downgrade; set it explicitly so older browsers behave the same way, or choose same-origin or no-referrer if other sites never need to know where visitors came from.
Permissions-Policy
Lets a site explicitly restrict which powerful browser features it and any embedded iframes may use: camera, microphone, geolocation, USB, payment and more. Each feature is followed by a parenthesised list of origins allowed to use it; an empty list, as in camera=(), disables the feature everywhere, while self limits it to your own origin. Turning off features the site never needs limits what a compromised third-party script or a malicious ad frame can do. The older Feature-Policy header and the allow attribute on individual iframes are related but separate controls.
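Putting all six headers above onto a real response, as an added example in Python using only the standard library (this is not the Security Headers Checker's code or any framework's own middleware): a WSGI middleware that adds the static headers, generates a fresh CSP nonce for every response in the nonce-plus-'strict-dynamic' form recommended in the CSP section, and skips HSTS on plain-HTTP responses, where browsers would ignore it anyway. The header values, the demo_app and the in-process call() helper are this example's assumptions.

```python
import secrets

# Static values for the headers discussed above. These are this example's
# choices, not a universal recommendation: DENY and empty Permissions-Policy
# lists will break any page that legitimately needs framing or those features.
STATIC_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), usb=()",
}


def build_csp(nonce: str) -> str:
    """Nonce-based policy: only <script nonce="..."> elements carrying this
    response's nonce run, and 'strict-dynamic' lets those trusted scripts load
    further scripts, so no CDN host list is needed (and none can be abused).
    object-src 'none' and base-uri 'none' close the plugin and <base> bypasses;
    frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )


def security_headers(app):
    """WSGI middleware that adds the hardened headers to every response."""
    def wrapped(environ, start_response):
        # 128 bits from the CSPRNG, base64url-encoded (characters CSP allows in a
        # nonce). A predictable or reused nonce gives no protection at all.
        nonce = secrets.token_urlsafe(16)
        environ["csp.nonce"] = nonce  # the app reads this to stamp its <script> tags

        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in STATIC_HEADERS.items():
                if name == "Strict-Transport-Security" and environ.get("wsgi.url_scheme") != "https":
                    # Browsers ignore HSTS received over plain HTTP; the HTTP
                    # listener should redirect to HTTPS instead of sending it.
                    continue
                if name.lower() not in present:  # an explicit app value wins
                    headers.append((name, value))
            if "content-security-policy" not in present:
                headers.append(("Content-Security-Policy", build_csp(nonce)))
            return start_response(status, headers, exc_info)

        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Minimal application whose inline script carries the per-response nonce."""
    nonce = environ["csp.nonce"]
    body = f'<!doctype html><script nonce="{nonce}">console.log("trusted")</script>'
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def call(app, scheme="https", path="/"):
    """Invoke a WSGI app in-process (no network) and return (status, headers, body).
    Headers are collapsed into a dict, which is fine here but would lose repeated
    names such as Set-Cookie in a real client."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = call(security_headers(demo_app))
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode("utf-8"))
```

Wrap any WSGI application with security_headers(app) and read environ["csp.nonce"] in the template layer. Browsers that predate 'strict-dynamic' fall back to the nonce alone; if you must support clients without nonce support, the usual compromise is to append https: and 'unsafe-inline' to script-src, which modern browsers ignore once a nonce is present.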
How Grading Works
| Header | Typical Weight | Why It's Weighted This Way |
|---|---|---|
| Content-Security-Policy | Highest | Primary defense against XSS, the most common web vulnerability class |
| Strict-Transport-Security | High | Prevents an entire class of network-level downgrade attacks |
| X-Frame-Options | Medium | Blocks clickjacking specifically |
| X-Content-Type-Options | Lower | Narrow but free — no reason to skip it |
| Referrer-Policy / Permissions-Policy | Lower | Reduce information leakage and feature abuse rather than block a direct exploit class |
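As an added example (not the Security Headers Checker's own scoring logic), here is a grader in Python that applies weights in the spirit of the table, checks each header's value rather than only its presence (a too-short HSTS max-age, 'unsafe-inline' without a nonce, an obsolete ALLOW-FROM), gives credit for CSP frame-ancestors in place of X-Frame-Options, and lists what to fix. The weights, the letter thresholds, the individual checks and the two constructed sample responses are this example's assumptions.

```python
import re

# Illustrative weights in the spirit of the table above (this example's choice,
# not the checker's real formula). They sum to 100.
WEIGHTS = {
    "content-security-policy": 30,
    "strict-transport-security": 25,
    "x-frame-options": 15,
    "x-content-type-options": 10,
    "referrer-policy": 10,
    "permissions-policy": 10,
}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_csp(value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}.
    Everything is lower-cased for keyword comparison (nonce values are not compared)."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_csp(value):
    policy = parse_csp(value)
    script = policy.get("script-src", policy.get("default-src", []))  # script-src falls back to default-src
    if not script:
        return ["sets neither script-src nor default-src, so script loading is unrestricted"]
    issues = []
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it only counts on its own.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        issues.append("'unsafe-inline' without a nonce or hash lets injected inline scripts run")
    if "'unsafe-eval'" in script:
        issues.append("'unsafe-eval' allows eval() and similar string-to-code APIs")
    if "*" in script or any(s in ("http:", "https:") for s in script):
        issues.append("script-src is a scheme or host wildcard, so scripts can be loaded from anywhere")
    return issues


def check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return ["no max-age, so browsers ignore the header"]
    issues = []
    if int(m.group(1)) < 31536000:
        issues.append("max-age is below one year (the preload list requires at least 31536000)")
    if "includesubdomains" not in value.lower():
        issues.append("without includeSubDomains, subdomains can still be stripped to HTTP")
    return issues


def check_xfo(value):
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return []
    if v.startswith("ALLOW-FROM"):
        return ["ALLOW-FROM is obsolete and not supported by current browsers; use CSP frame-ancestors"]
    return [f"{value!r} is not a valid value and will be ignored"]


def check_referrer(value):
    v = value.strip().lower()
    return [] if v in SAFE_REFERRER else [f"{value!r} can leak paths cross-origin or the origin over a downgrade"]


CHECKS = {
    "content-security-policy": check_csp,
    "strict-transport-security": check_hsts,
    "x-frame-options": check_xfo,
    "x-content-type-options": lambda v: [] if v.strip().lower() == "nosniff" else ["value must be exactly 'nosniff'"],
    "referrer-policy": check_referrer,
    "permissions-policy": lambda v: [],  # presence is the only check made here
}


def grade(headers):
    """Return (score, letter, findings) for a mapping of response headers.
    A header that is present but misconfigured earns half its weight."""
    h = {name.lower(): value for name, value in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    score, findings = 0, []
    for name, weight in WEIGHTS.items():
        value = h.get(name)
        if value is None:
            if name == "x-frame-options" and "frame-ancestors" in csp:
                score += weight  # frame-ancestors supersedes X-Frame-Options
            else:
                findings.append(f"missing {name}")
            continue
        issues = CHECKS[name](value)
        findings.extend(f"{name}: {issue}" for issue in issues)
        score += weight if not issues else weight // 2
    letter = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 50 else "F"
    return score, letter, findings


# Constructed sample responses (not captured from any real site).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d2VsbGRvbmU'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("weak", WEAK)):
        print(label, grade(sample))
```

To grade a live site, feed grade() the headers of the https:// response (for example dict(urllib.request.urlopen(url).headers)); fetching the http:// URL will never show HSTS, because servers should only send it over TLS. The "present but weak earns half credit" rule is deliberate: a CSP that allows 'unsafe-inline' everywhere is a real finding that a presence-only check would rate as a pass.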
How to Check Your Headers
Run any domain through our Security Headers Checker for an instant grade, a header-by-header breakdown, and specific recommendations for whatever's missing or misconfigured.