
HTTP Security Headers Checklist

security Intermediate

Also Known As

security headers, CSP, HSTS, X-Frame-Options, HTTP headers

TL;DR

A set of response headers that instruct browsers to enforce security policies — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy.

Explanation

Key security headers:
  • Content-Security-Policy: controls which sources the page may load resources from; the main header-level mitigation for XSS.
  • Strict-Transport-Security: forces HTTPS for the stated max-age.
  • X-Frame-Options / CSP frame-ancestors: prevents clickjacking.
  • X-Content-Type-Options: nosniff: prevents MIME sniffing.
  • Referrer-Policy: controls what referrer is sent with outgoing requests.
  • Permissions-Policy: disables browser features such as camera and microphone.
Tools: securityheaders.com grades your headers. Set the headers in the nginx config rather than in PHP, for performance.

Common Misconception

That security headers are set-and-forget. CSP in particular needs ongoing maintenance as you add new third-party scripts, and a CSP loosened to accommodate them provides no protection.

Why It Matters

Missing security headers are consistently flagged in penetration tests and security audits — they are low-effort, high-impact controls that protect against entire classes of attacks.

Common Mistakes

  • CSP with 'unsafe-inline' — negates most of the XSS protection; use nonces or hashes instead.
  • HSTS without includeSubDomains — subdomains can still be attacked over HTTP.
  • Setting security headers in PHP instead of nginx/Apache — adds overhead on every request; set at the server level.
  • Not testing headers with securityheaders.com or Mozilla Observatory after deployment.
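An added example, not part of the original entry, that checks a response's header map against the mistakes listed above and the detection hints further down; the two sample header sets are constructed, not captured from any real site, and the nonce/hash check encodes the CSP2 rule that 'unsafe-inline' is ignored once a nonce or hash is present.

```python
import re
# Constructed sample responses for the checker (not captured from any real site).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Powered-By": "PHP/8.1.2",
}
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}

def csp_directives(value):
    # Parse a CSP value into {directive: [source tokens]}; an empty value gives {}.
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers):
    # Header names are case-insensitive, so normalise before looking anything up.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < 31536000:
        findings.append("HSTS missing or max-age shorter than one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS without includeSubDomains")
    csp = csp_directives(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src", []))
    # CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is present, so flag it only when nothing backs it up.
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in scripts and not any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts):
        findings.append("CSP allows 'unsafe-inline' scripts without a nonce or hash")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    for name in ("x-content-type-options", "referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    if "x-powered-by" in h:
        findings.append("X-Powered-By leaks the server stack")
    return findings
```

Feed it the headers from `curl -sI` on your own site to get the same class of findings securityheaders.com reports, without the network round trip.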

Code Examples

✗ Vulnerable
# nginx — no security headers:
server {
    listen 443 ssl;
    location / {
        proxy_pass http://app:9000;
        # No security headers — fails any security audit
    }
}
✓ Fixed
# nginx — full security header set, in the server block so every location inherits it (a location with its own add_header does not inherit these; repeat them there):
server {
    listen 443 ssl;
    # $csp_nonce is not built in: derive a per-request value from $request_id and pass it to the app, which must emit the same nonce in its <script nonce="..."> tags
    set $csp_nonce $request_id;
    add_header Strict-Transport-Security   'max-age=31536000; includeSubDomains; preload' always;
    add_header X-Frame-Options             'DENY' always;
    add_header X-Content-Type-Options      'nosniff' always;
    add_header Referrer-Policy             'strict-origin-when-cross-origin' always;
    add_header Permissions-Policy          'geolocation=(), microphone=(), camera=()' always;
    add_header Content-Security-Policy     "default-src 'self'; script-src 'self' 'nonce-$csp_nonce'; style-src 'self' 'unsafe-inline'" always;
    location / {
        proxy_pass http://app:9000;
        proxy_set_header X-CSP-Nonce $csp_nonce;   # header name is an example; use whatever name the app reads the nonce from
    }
}
# Test at: https://securityheaders.com

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Run your site through securityheaders.com — the six essential headers are: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy, and Permissions-Policy
📦 Applies To
any web
🔍 Detection Hints
Missing security headers; X-Powered-By: PHP exposing version; no CSP header; HSTS not configured
Auto-detectable: ✓ Yes (securityheaders.com, owasp-zap, ssllabs, lighthouse)
CWE-693 CWE-116
