
HTTP Security Headers

Tags: security · CWE-16 · OWASP A5:2021 · PHP 5.0+ · Beginner

Also Known As

HTTP security headers; response security headers

TL;DR

A set of HTTP response headers that instruct browsers to enforce security policies, reducing XSS, clickjacking, and data leakage risks.

Explanation

Key security headers and their purpose:
  • Content-Security-Policy: restricts where scripts, styles and other resources may load from, which mitigates XSS.
  • X-Frame-Options: prevents clickjacking; superseded by the CSP frame-ancestors directive.
  • X-Content-Type-Options (nosniff): prevents MIME-type sniffing.
  • Referrer-Policy: controls referrer leakage.
  • Permissions-Policy: restricts access to browser features.
  • Strict-Transport-Security: enforces HTTPS.
  • Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy: cross-origin isolation, required for SharedArrayBuffer.
Use securityheaders.com to audit. In PHP, emit all headers before any output, because header() has no effect once the response body has started.
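The following is an added example, not code from the original glossary entry, showing how to emit the full header set above from one helper before any output is produced. The policy values are an assumed strict baseline (CSP sources, Permissions-Policy features and HSTS max-age are assumptions to adapt per application), and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the original glossary entry: emit the header
// set described above from one helper, before any output. The policy values
// are an assumed strict baseline; adapt CSP sources and Permissions-Policy
// features to the application. Assumes PHP 7.1+.

declare(strict_types=1);

/**
 * The baseline header set as name => value, kept as data so the same list
 * can be applied by the front controller and checked in tests.
 */
function security_headers(): array
{
    return [
        // Only same-origin scripts; no 'unsafe-inline' or 'unsafe-eval'.
        // frame-ancestors 'none' replaces X-Frame-Options: DENY in CSP-aware browsers.
        'Content-Security-Policy' =>
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            . "base-uri 'self'; frame-ancestors 'none'",
        // Legacy fallback for browsers without frame-ancestors support.
        'X-Frame-Options' => 'DENY',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy' => 'strict-origin-when-cross-origin',
        'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',
        // One year, subdomains included; browsers ignore it on plain HTTP.
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        // Cross-origin isolation, required for SharedArrayBuffer.
        'Cross-Origin-Opener-Policy' => 'same-origin',
        'Cross-Origin-Embedder-Policy' => 'require-corp',
    ];
}

/**
 * Send every header. Returns false and sends nothing if output has already
 * started, because header() is ineffective after that point (PHP only
 * raises a warning).
 */
function send_security_headers(): bool
{
    if (headers_sent($file, $line)) {
        error_log("security headers not sent: output already started at $file:$line");
        return false;
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    foreach (security_headers() as $name => $value) {
        // HSTS is only honoured over HTTPS; skip it on plain HTTP responses.
        if ($name === 'Strict-Transport-Security' && !$https) {
            continue;
        }
        header($name . ': ' . $value);
    }
    return true;
}

// First statement of the front controller: no echo, whitespace or BOM before it.
if (!send_security_headers()) {
    http_response_code(500);
    exit;
}
echo '<!doctype html><title>ok</title>';
```

Keeping the header list as data rather than a run of header() calls means the same array can be asserted on in a unit test, and the headers_sent() check turns the silent "headers already sent" failure into a logged, visible one.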

Common Misconception

Setting security headers fully secures a site. Headers are a defence-in-depth layer: a misconfigured CSP, a missing SameSite cookie attribute, or absent HSTS still leaves specific attack vectors open. They complement but do not replace proper application-level security.

Why It Matters

Security headers are a low-effort, high-impact defence layer — each header closes a distinct browser-exploitable attack vector with a single line of configuration.

Common Mistakes

  • Not setting Content-Security-Policy — leaves XSS execution unrestricted even after injection.
  • Omitting X-Content-Type-Options: nosniff — browsers may interpret uploaded files as executable.
  • Setting X-Frame-Options instead of CSP frame-ancestors — the latter supersedes it in modern browsers.
  • Using a permissive CSP with unsafe-inline or unsafe-eval, which negates most of its protection.
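An added example, not part of the original glossary entry, that checks a captured set of response headers for the mistakes listed above (missing CSP, missing nosniff, X-Frame-Options without frame-ancestors, unsafe-inline/unsafe-eval in CSP) plus the missing HSTS, Referrer-Policy and Permissions-Policy cases from the Detection Hints. The expectations encoded in audit_headers() are an assumed baseline rather than a full scanner, the sample response is constructed, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the original glossary entry: an offline audit
// of a captured response header block against the mistakes listed above.
// The expected set is an assumed baseline, not a complete scanner. PHP 7.1+.

declare(strict_types=1);

/** Parse "Name: value" lines into an array keyed by lowercase header name. */
function parse_headers(string $raw): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $out[strtolower(trim($name))] = trim($value);
    }
    return $out;
}

/** Return a list of findings; an empty list means nothing was flagged. */
function audit_headers(array $h): array
{
    $findings = [];
    $csp = $h['content-security-policy'] ?? null;
    $hasFrameAncestors = false;

    if ($csp === null) {
        $findings[] = 'missing Content-Security-Policy';
    } else {
        foreach (["'unsafe-inline'", "'unsafe-eval'"] as $weak) {
            if (strpos($csp, $weak) !== false) {
                $findings[] = "CSP allows $weak";
            }
        }
        $hasFrameAncestors = preg_match('/\bframe-ancestors\b/', $csp) === 1;
    }
    if (!$hasFrameAncestors) {
        $findings[] = 'no CSP frame-ancestors directive'
            . (isset($h['x-frame-options']) ? ' (only legacy X-Frame-Options present)' : '');
    }
    if (($h['x-content-type-options'] ?? '') !== 'nosniff') {
        $findings[] = 'missing X-Content-Type-Options: nosniff';
    }
    foreach (['strict-transport-security', 'referrer-policy', 'permissions-policy'] as $required) {
        if (!isset($h[$required])) {
            $findings[] = "missing $required";
        }
    }
    return $findings;
}

// Constructed sample response; not captured from any real site.
$sample = <<<'RAW'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
RAW;

foreach (audit_headers(parse_headers($sample)) as $finding) {
    echo "- $finding\n";
}
```

On the constructed sample this reports the unsafe-inline CSP source, the missing frame-ancestors directive (with only the legacy X-Frame-Options present), and the absent nosniff, HSTS and Permissions-Policy headers. The same parse_headers() input shape is what a curl -I capture or a PHP get_headers() call produces, so the checker can be pointed at real responses in a CI job.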

Code Examples

✗ Vulnerable
<?php
// No security headers set: the browser falls back to its defaults
// (MIME sniffing allowed, page framable by any origin, full referrer sent).
✓ Fixed
<?php
// Must run before any output (echo, whitespace, BOM); header() is ignored after that.
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Permissions-Policy: geolocation=(), microphone=()');

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity
Severity: Medium. Fix effort: Low.
Quick Fix: add these 5 headers to every PHP response: Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin, Permissions-Policy.
Applies To: PHP 5.0+ web
Detection Hints: missing security headers detected by a securityheaders.com scan; MIME sniffing enabled when X-Content-Type-Options is absent.
Auto-detectable: Yes (securityheaders.com, owasp-zap, lighthouse)
AI Agent: Confidence: High; False Positives: Low; Auto-fixable; Fix: Low; Context: File
CWE-693, CWE-1021, CWE-116
