{
    "slug": "http_header_security_audit",
    "term": "HTTP Security Headers Checklist",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A set of response headers that instruct browsers to enforce security policies — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy.",
    "long": "Key security headers: Content-Security-Policy (controls which sources scripts, styles and other resources may be loaded from — mitigates XSS), Strict-Transport-Security (tells the browser to use HTTPS only for the given max-age), X-Frame-Options / CSP frame-ancestors (prevents clickjacking by restricting who may frame the page), X-Content-Type-Options: nosniff (prevents MIME-type sniffing, so a response is handled only as its declared Content-Type), Referrer-Policy (controls how much of the referring URL is sent), Permissions-Policy (restricts browser features such as camera, microphone and geolocation). Tools: securityheaders.com grades your headers. Add headers in nginx config, not PHP, for performance.",
    "aliases": [
        "security headers",
        "CSP",
        "HSTS",
        "X-Frame-Options",
        "HTTP headers"
    ],
    "tags": [
        "security",
        "http",
        "headers"
    ],
    "misconception": "Security headers are set-and-forget — CSP in particular requires ongoing maintenance as you add new third-party scripts; a too-loose CSP provides no protection.",
    "why_it_matters": "Missing security headers are consistently flagged in penetration tests and security audits — they are low-effort, high-impact controls that protect against entire classes of attacks.",
    "common_mistakes": [
        "CSP with 'unsafe-inline' in script-src — negates most of the XSS protection; use nonces or hashes for inline scripts instead.",
        "HSTS without includeSubDomains — subdomains are not covered by the policy and can still be reached over plain HTTP.",
        "Setting security headers in PHP instead of nginx/Apache — adds overhead on every request; set at the server level.",
        "Not testing headers with securityheaders.com or Mozilla Observatory after deployment."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "content_security_policy",
        "hsts",
        "clickjacking",
        "security_misconfiguration"
    ],
    "prerequisites": [
        "security_headers",
        "content_security_policy",
        "hsts"
    ],
    "refs": [
        "https://securityheaders.com/",
        "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security"
    ],
    "bad_code": "# nginx — no security headers:\nserver {\n    listen 443 ssl;\n    location / {\n        proxy_pass http://app:9000;\n        # No security headers — fails any security audit\n    }\n}",
    "good_code": "# nginx — full security header set:\nadd_header Strict-Transport-Security   'max-age=31536000; includeSubDomains; preload' always;\nadd_header X-Frame-Options             'DENY' always;\nadd_header X-Content-Type-Options      'nosniff' always;\nadd_header Referrer-Policy             'strict-origin-when-cross-origin' always;\nadd_header Permissions-Policy          'geolocation=(), microphone=(), camera=()' always;\nadd_header Content-Security-Policy     \"default-src 'self'; script-src 'self' 'nonce-$csp_nonce'; style-src 'self' 'unsafe-inline'\" always;\n# Test at: https://securityheaders.com",
    "quick_fix": "Run your site through securityheaders.com — the six essential headers are: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy, and Permissions-Policy.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/http_header_security_audit",
        "html_url": "https://codeclaritylab.com/glossary/http_header_security_audit",
        "json_url": "https://codeclaritylab.com/glossary/http_header_security_audit.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[HTTP Security Headers Checklist](https://codeclaritylab.com/glossary/http_header_security_audit) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/http_header_security_audit"
            }
        }
    }
}