Security Header Policy Builder
Build a practical security header policy with deploy-ready output for your web application.
Understanding Security Headers
Security headers are HTTP response headers that tell the browser how to handle your site's content. They are a defence-in-depth layer: they do not fix server-side bugs, but they limit what an attacker can do with an injected script, a framing trick or a downgraded connection.
Essential Security Headers
Content-Security-Policy (CSP)
The most powerful security header. CSP mitigates Cross-Site Scripting (XSS) and other injection attacks by telling the browser which sources of scripts, styles, images and other resources may be loaded and executed. An injected script from an unlisted origin, or an inline script without a valid nonce or hash, is blocked even though the injection itself succeeded.
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com;
Key Directives:
- default-src: Fallback for the fetch directives you do not set explicitly (script-src, img-src, connect-src and so on)
- script-src: Controls JavaScript sources, including inline scripts, event-handler attributes and eval
- style-src: Controls stylesheet sources
- img-src: Controls image sources
- connect-src: Controls fetch/XHR, WebSocket and EventSource connections
- font-src: Controls font sources
- frame-ancestors: Controls who can embed your site; it does not fall back to default-src, so set it explicitly (the same applies to base-uri and form-action)
Strict-Transport-Security (HSTS)
Tells the browser to use HTTPS only, for the lifetime of max-age: plain-HTTP links are upgraded before any request leaves the browser, and certificate errors can no longer be clicked through. This defeats SSL-stripping downgrades and keeps cookies off cleartext connections. The header is only honoured when received over a valid HTTPS connection, so the very first visit is unprotected unless the domain is on the preload list.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Parameters:
- max-age: Time in seconds the browser remembers the rule (31536000 = 1 year); max-age=0 clears it
- includeSubDomains: Apply to all subdomains, which means every subdomain must already serve valid HTTPS
- preload: Signals that the domain may be submitted to the browser preload list at hstspreload.org; the list requires max-age of at least one year together with includeSubDomains
X-Frame-Options
Prevents clickjacking attacks by controlling whether your site can be embedded in frames or iframes.
X-Frame-Options: DENY
Options:
- DENY: Cannot be framed at all (most secure)
- SAMEORIGIN: Can only be framed by pages of the same origin
- ALLOW-FROM uri: Deprecated and ignored by current browsers; to allow a specific origin use CSP frame-ancestors instead
X-Content-Type-Options
Prevents MIME-type sniffing, so the browser acts on the declared Content-Type instead of guessing from the bytes. This stops, for example, a user upload served as text/plain from being interpreted as script or HTML.
X-Content-Type-Options: nosniff
X-XSS-Protection
Legacy header controlling the XSS auditor that some browsers once shipped. Chrome and Edge removed the auditor and Firefox never implemented it; where it still exists it can be abused to leak information about the page or to block legitimate scripts. The current recommendation is to disable it explicitly and rely on CSP:
X-XSS-Protection: 0
(The older value 1; mode=block enabled the filter and is what most outdated guides still show.)
Referrer-Policy
Controls how much referrer information is sent with requests.
Referrer-Policy: strict-origin-when-cross-origin
Options:
- no-referrer: Never send the Referer header
- same-origin: Send the full URL for same-origin requests, nothing cross-origin
- strict-origin: Send only the origin, and nothing at all when going from HTTPS to HTTP
- strict-origin-when-cross-origin: Full URL same-origin, origin only cross-origin, nothing on an HTTPS-to-HTTP downgrade (the modern browser default and the recommended balance)
Permissions-Policy
Controls which browser features and APIs the page and its iframes may use (replaces Feature-Policy, which used a different syntax). An empty allowlist such as geolocation=() denies the feature everywhere, including in embedded frames; self allows it for your own origin only.
Permissions-Policy: geolocation=(), microphone=(), camera=()
Cross-Origin Headers
Control how your documents and resources interact with other origins:
- Cross-Origin-Embedder-Policy: With require-corp, the document may only load cross-origin resources that opt in via CORS or a Cross-Origin-Resource-Policy header
- Cross-Origin-Opener-Policy: With same-origin, the page gets its own browsing context group, so a cross-origin opener loses its window reference; combined with COEP this gives cross-origin isolation, which is what unlocks SharedArrayBuffer and high-resolution timers
- Cross-Origin-Resource-Policy: Set on a resource to declare who may load it (same-origin, same-site or cross-origin), protecting it from cross-origin reads and speculative-execution side channels
Implementation Guide
Testing Your Headers
After implementing security headers, test them using:
- securityheaders.com - Comprehensive header scanner
- Mozilla Observatory - Security analysis tool
- Browser Developer Tools - Network tab
Gradual Implementation
- Start with report-only: Send Content-Security-Policy-Report-Only with the intended policy; violations are reported but nothing is blocked
- Monitor reports: Collect reports via report-to (or the older report-uri) and review what would have been blocked
- Tighten gradually: Build the policy from what the site actually loads and drop sources you cannot justify, rather than starting from 'unsafe-inline' and hoping to remove it later
- Test thoroughly: Verify all functionality works, including rarely used pages and third-party widgets
- Enable enforcement: Rename the header to Content-Security-Policy; keep a report-only copy for trialling the next, stricter version
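The "monitor reports" step is where most rollouts stall, because raw violation reports are noisy: the same inline script produces one report per page view, and a blocked third-party URL carries a different query string on every hit. The script below is an added example (not part of this page's builder tool) that collapses reports into (directive, origin-or-keyword) buckets and turns each bucket into a concrete policy decision. The sample reports are constructed to look like what a browser POSTs in the legacy report-uri format and the Reporting API format; the hostnames are placeholders.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports: three legacy report-uri style ("csp-report"
# object) and one Reporting API style (report-to). Hostnames are made up.
SAMPLE_REPORTS = [
    json.loads('{"csp-report": {"document-uri": "https://app.example/checkout",'
               ' "effective-directive": "script-src", "blocked-uri": "inline",'
               ' "original-policy": "default-src \'self\'"}}'),
    json.loads('{"csp-report": {"document-uri": "https://app.example/",'
               ' "violated-directive": "script-src \'self\'", "blocked-uri": "inline"}}'),
    json.loads('{"csp-report": {"document-uri": "https://app.example/",'
               ' "effective-directive": "img-src",'
               ' "blocked-uri": "https://tracker.example.net/pixel.gif?id=42"}}'),
    json.loads('{"type": "csp-violation", "body": {"documentURL": "https://app.example/",'
               ' "effectiveDirective": "script-src", "blockedURL": "eval"}}'),
]

# Keyword values a browser uses in blocked-uri instead of a URL.
SPECIAL_SOURCES = {"inline", "eval", "wasm-eval", "data", "blob", "self"}


def normalise(report: dict) -> tuple:
    """Reduce one report, in either wire format, to (directive, origin-or-keyword)."""
    if "csp-report" in report:
        body = report["csp-report"]
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        blocked = body.get("blocked-uri", "")
    else:
        body = report.get("body", {})
        directive = body.get("effectiveDirective", "")
        blocked = body.get("blockedURL", "")
    # Older browsers put the whole source list in violated-directive; keep the name only.
    directive = directive.split()[0] if directive.strip() else "unknown"
    if not blocked or blocked in SPECIAL_SOURCES or "://" not in blocked:
        return directive, blocked or "unknown"
    parts = urlsplit(blocked)
    # Drop path and query: they differ per hit, the origin is what goes in the policy.
    return directive, f"{parts.scheme}://{parts.netloc}"


def summarise(reports) -> Counter:
    """Count violations per (directive, origin-or-keyword) bucket."""
    return Counter(normalise(r) for r in reports)


def recommend(summary: Counter) -> list:
    """One policy decision per bucket, most frequent first."""
    advice = []
    for (directive, source), count in summary.most_common():
        if source == "inline":
            advice.append(f"{directive}: {count} inline violation(s); add a nonce or hash, not 'unsafe-inline'")
        elif source in ("eval", "wasm-eval"):
            advice.append(f"{directive}: {count} eval violation(s); refactor the code, not 'unsafe-eval'")
        else:
            advice.append(f"{directive}: {count} block(s) of {source}; allow-list it only if it is a dependency you expect")
    return advice


if __name__ == "__main__":
    for line in recommend(summarise(SAMPLE_REPORTS)):
        print(line)
```

In practice you would feed summarise() the JSON bodies received by your reporting endpoint over a day or a week; a bucket that appears once is usually a browser extension or a scanner, while a bucket that appears on every page view is something the policy genuinely has to account for.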
Common Pitfalls
CSP Breaking Inline Scripts
CSP blocks inline JavaScript (script blocks, event-handler attributes, javascript: URLs) unless the policy explicitly allows it. Use a per-response nonce ('nonce-...') that is unpredictable and never reused, or a hash ('sha256-...') of the exact script text, or move the code to an external file served from an allowed origin. Do not reach for 'unsafe-inline': it re-enables exactly the injection CSP is meant to stop, and once a nonce or hash source is present in the directive the browser ignores it anyway.
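The following is an added example, not code from this page's builder, showing how the nonce and hash mechanisms fit together: it generates a per-response nonce, computes the hash source for a static inline script, assembles a policy, and then models the browser's decision for an inline script under that policy, including the rule that 'unsafe-inline' is ignored once a nonce or hash is present. The host https://trusted.cdn.com is the page's own placeholder; everything else is this example's assumption.

```python
import base64
import hashlib
import secrets
from typing import Optional


def make_nonce(nbytes: int = 16) -> str:
    """Per-response nonce: 128 bits from the CSPRNG, base64 encoded, never reused."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def script_hash(script_text: str) -> str:
    """CSP hash source for a static inline script. The digest covers the exact
    bytes between <script> and </script>, whitespace included."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(nonce: str, inline_hashes=(), script_hosts=("https://trusted.cdn.com",)) -> str:
    """Assemble a strict policy. object-src, base-uri and frame-ancestors are set
    explicitly because they do not inherit from default-src."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *inline_hashes, *script_hosts],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "frame-ancestors": ["'none'"],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive: [source, ...]}."""
    result = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def inline_script_allowed(policy: str, script_text: str, nonce_attr: Optional[str] = None) -> bool:
    """Model the browser's decision for one inline <script>:
    - 'unsafe-inline' allows it, but only if no nonce/hash source is listed;
    - otherwise the script's nonce attribute must match a listed nonce,
      or the hash of its body must be listed."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return script_hash(script_text) in sources


if __name__ == "__main__":
    nonce = make_nonce()
    static_snippet = "window.dataLayer = window.dataLayer || [];"
    policy = build_csp(nonce, inline_hashes=[script_hash(static_snippet)])
    print("Content-Security-Policy:", policy)
    print("static snippet by hash:", inline_script_allowed(policy, static_snippet))
    print("templated script by nonce:", inline_script_allowed(policy, "init(42);", nonce_attr=nonce))
    print("injected script:", inline_script_allowed(policy, "alert(document.cookie)"))
```

The nonce belongs in the response header and in every legitimate <script nonce="..."> tag of that same response, and nowhere else; if your templating layer also echoes it into an attribute an attacker controls, the nonce no longer proves anything. Hashes suit short static snippets that never change; a single edited character invalidates them.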
HSTS Preload Commitment
Preloading is effectively permanent: browsers ship the list inside their binaries, and a removal request takes months to reach users. Every subdomain, including internal and legacy ones, must serve valid HTTPS before you submit, because the list requires includeSubDomains.
Frame Options vs CSP
Send both X-Frame-Options and CSP frame-ancestors: browsers that understand frame-ancestors ignore X-Frame-Options in its favour, and older ones fall back to X-Frame-Options. Keep the two consistent (DENY with frame-ancestors 'none', SAMEORIGIN with frame-ancestors 'self') so behaviour does not differ by browser.
Security Score
A+ Rating Requirements:
- Content-Security-Policy
- Strict-Transport-Security
- X-Frame-Options or CSP frame-ancestors
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
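Scanners such as the ones listed under Testing Your Headers check roughly the list above, but they run against a live site. The function below is an added example (not this page's scoring code and not any scanner's algorithm) that applies the same checklist to a dictionary of response headers, so it can run in a CI step against a test server or a recorded response. It also flags values that are present but weak: 'unsafe-inline' without a nonce or hash, an HSTS max-age under a year, the unsupported ALLOW-FROM, and an X-XSS-Protection that turns the legacy filter on. Both header sets are constructed for the example.

```python
import re

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000

# Constructed sample responses: the first is typical of a site that copied
# advice from an old checklist, the second follows the list above.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "unsafe-url",
}
STRONG_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "X-XSS-Protection": "0",
}


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the checklist is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # CSP: present, and script sources not undermined by unsafe keywords.
    csp = {p.split()[0].lower(): p.split()[1:]
           for p in h.get("content-security-policy", "").split(";") if p.strip()}
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in scripts)
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            findings.append("CSP allows 'unsafe-inline' scripts without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("CSP allows 'unsafe-eval'")

    # HSTS: at least one year and covering subdomains (both needed for preload).
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # Clickjacking: frame-ancestors or a value of X-Frame-Options browsers honour.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection: set CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by current browsers")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    if h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection enables the legacy filter; set it to 0 or drop it")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

To run it against a real deployment, fetch a page with any HTTP client, pass the response headers as the dictionary, and fail the build when the list is non-empty; check more than one URL, since frameworks often set headers per route and static-file handlers frequently miss them.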
Quick Reference
Header Priority
- CSP (most important)
- HSTS
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
CSP Keywords
- 'self': Same origin
- 'none': Block all
- 'unsafe-inline': Allow inline (avoid)
- 'unsafe-eval': Allow eval (avoid)