
HTTP Security Headers

Tags: Security · CWE-16 · OWASP A5:2021 · PHP 5.0+ · Beginner
debt(d3/e2/b2/t5)
d3 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'default linter catches the common case' (d3), since securityheaders.com, OWASP ZAP, and Lighthouse readily flag missing headers in any automated scan — it's not silent, but you do need to actually run a scanner.

e2 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1), bumped slightly to 2 because the quick_fix is literally adding 5 header lines in one central response/middleware location — trivial but multi-line.

b2 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3), scored 2 because headers are typically set once in a middleware or front controller; they apply web-context only and don't shape the rest of the codebase.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap most devs eventually learn' (t5), grounded in the misconception that headers alone secure a site, plus subtle gotchas like X-Frame-Options vs CSP frame-ancestors and permissive CSP directives negating protection.


Also Known As

HTTP security headers; response security headers

TL;DR

A set of HTTP response headers that instruct browsers to enforce security policies, reducing XSS, clickjacking, and data leakage risks.

Explanation

Key security headers and their purpose:
  • Content-Security-Policy (restricts where resources may load from; mitigates XSS)
  • X-Frame-Options (prevents clickjacking; superseded by CSP frame-ancestors)
  • X-Content-Type-Options: nosniff (prevents MIME-type sniffing)
  • Referrer-Policy (controls referrer leakage)
  • Permissions-Policy (restricts access to browser features)
  • Strict-Transport-Security (enforces HTTPS)
  • Cross-Origin-Opener-Policy / Cross-Origin-Embedder-Policy (cross-origin isolation required for SharedArrayBuffer)

Use securityheaders.com to audit. In PHP, emit all headers before any output, because header() has no effect once the response body has started.

Common Misconception

Setting security headers fully secures a site. Headers are a defence-in-depth layer — a misconfigured CSP, missing SameSite, or absent HSTS still leaves specific attack vectors open. They complement but do not replace proper application-level security.

Why It Matters

Security headers are a low-effort, high-impact defence layer — each header closes a distinct browser-exploitable attack vector with a single line of configuration.

Common Mistakes

  • Not setting Content-Security-Policy — leaves XSS execution unrestricted even after injection.
  • Omitting X-Content-Type-Options: nosniff — browsers may interpret uploaded files as executable.
  • Setting X-Frame-Options instead of CSP frame-ancestors — the latter supersedes it in modern browsers.
  • Using a permissive CSP with 'unsafe-inline' or 'unsafe-eval', which negates most of its protection.

Code Examples

✗ Vulnerable
```php
<?php
// No security headers set: the response relies on default browser behaviour
```
✓ Fixed
```php
<?php
// Emit before any output: header() is ignored once the body has started
header('X-Content-Type-Options: nosniff');                    // block MIME sniffing
header('X-Frame-Options: DENY');                              // block framing (clickjacking)
header('Referrer-Policy: strict-origin-when-cross-origin');   // limit referrer leakage
header('Permissions-Policy: geolocation=(), microphone=()');  // disable unused browser features
```
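The Fixed snippet above covers four of the headers listed in the Explanation. The following is an added example, not the glossary's own code, that emits the full set from one central place, uses a nonce-based CSP with frame-ancestors instead of 'unsafe-inline', and refuses to continue if output has already started. The function name send_security_headers, the policy values, and the use of $_SERVER['HTTPS'] to decide whether HSTS applies are assumptions; PHP 7.1+ is assumed for random_bytes() and strict types.

```php
<?php
declare(strict_types=1);

// Added example (assumed names and policy values, not the glossary's code).
// Emits every header from the Explanation in one place, before any output.

/**
 * Emit the security headers for the current response.
 *
 * @param string $cspNonce            Per-request nonce for inline scripts, generated by the caller.
 * @param bool   $crossOriginIsolated Also send COOP/COEP when SharedArrayBuffer is needed.
 */
function send_security_headers(string $cspNonce, bool $crossOriginIsolated = false): void
{
    // header() is silently ignored once the body has started; fail loudly instead
    // of shipping an unprotected response.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Headers already sent at {$file}:{$line}");
    }

    // CSP: nonce-based script policy rather than 'unsafe-inline' / 'unsafe-eval';
    // frame-ancestors is the modern clickjacking control.
    $csp = implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$cspNonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        "form-action 'self'",
    ]);
    header('Content-Security-Policy: ' . $csp);

    // Legacy clickjacking control for browsers that predate frame-ancestors.
    header('X-Frame-Options: DENY');

    // Stop MIME sniffing so an uploaded file is not interpreted as script or HTML.
    header('X-Content-Type-Options: nosniff');

    // Full URL on same-origin requests, origin only on cross-origin requests.
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // Disable browser features this application does not use.
    header('Permissions-Policy: geolocation=(), microphone=(), camera=()');

    // HSTS is only honoured on an HTTPS response, so send it only there (assumption:
    // the web server populates $_SERVER['HTTPS'] as PHP's SAPIs normally do).
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }

    // Cross-origin isolation, needed for SharedArrayBuffer.
    if ($crossOriginIsolated) {
        header('Cross-Origin-Opener-Policy: same-origin');
        header('Cross-Origin-Embedder-Policy: require-corp');
    }
}

// Usage in a front controller, before any output is produced.
$nonce = base64_encode(random_bytes(16));
send_security_headers($nonce);
echo "<script nonce=\"{$nonce}\">console.log('allowed by nonce');</script>\n";
```

Calling this from a single front controller or middleware is what keeps the Burden score low: the policy lives in one file, and the headers_sent() guard turns the classic "headers already sent" silent failure into an error that shows up in testing.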

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity

Severity: Medium. Fix effort: Low.

Quick Fix: add these 5 headers to every PHP response: Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin, Permissions-Policy.

Applies To: PHP 5.0+ (web).

Prerequisites: none listed.

Detection Hints: missing security headers are reported by a securityheaders.com scan; MIME sniffing is enabled whenever X-Content-Type-Options is absent.

Auto-detectable: Yes (securityheaders.com, OWASP ZAP, Lighthouse).

Related Problems: none listed.

AI Agent: Confidence High; False Positives Low; Auto-fixable; Fix effort Low; Context: File.

Related CWEs: CWE-693, CWE-1021, CWE-116.
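The detection hints above describe what an external scan looks for. The following is an added example, not the glossary's code nor any scanner's, that performs the same checks offline on a captured response-header block: it flags each missing header, a non-nosniff X-Content-Type-Options value, 'unsafe-inline' / 'unsafe-eval' in the CSP, and the absence of any clickjacking control. The function names, the required-header list, and the sample header block are constructed assumptions; PHP 7.1+ is assumed.

```php
<?php
declare(strict_types=1);

// Added example (assumed names, constructed input). Audits a raw header block
// for the headers and misconfigurations discussed on this page.

const REQUIRED_HEADERS = [
    'content-security-policy',
    'x-content-type-options',
    'referrer-policy',
    'permissions-policy',
    'strict-transport-security',
];

/** Parse "Name: value" lines into a map keyed by lowercase header name. */
function parse_headers(string $raw): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank
        }
        [$name, $value] = explode(':', $line, 2);
        $out[strtolower(trim($name))] = trim($value);
    }
    return $out;
}

/** Return a list of findings; an empty list means nothing was flagged. */
function audit_headers(array $h): array
{
    $findings = [];

    foreach (REQUIRED_HEADERS as $name) {
        if (!isset($h[$name])) {
            $findings[] = "missing: {$name}";
        }
    }

    // The header exists but carries the wrong value, so sniffing is still enabled.
    if (isset($h['x-content-type-options'])
        && strtolower($h['x-content-type-options']) !== 'nosniff') {
        $findings[] = 'x-content-type-options is present but not nosniff';
    }

    // A CSP that allows inline or eval'd script gives up most of its XSS protection.
    $csp = $h['content-security-policy'] ?? '';
    foreach (['unsafe-inline', 'unsafe-eval'] as $weak) {
        if (stripos($csp, $weak) !== false) {
            $findings[] = "content-security-policy contains '{$weak}'";
        }
    }

    // Clickjacking: either CSP frame-ancestors or the legacy X-Frame-Options must be set.
    if (stripos($csp, 'frame-ancestors') === false && !isset($h['x-frame-options'])) {
        $findings[] = 'no clickjacking control: neither CSP frame-ancestors nor X-Frame-Options';
    }

    return $findings;
}

// Constructed sample of a weakly configured response (not captured from any real site).
$sample = <<<'HDR'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
HDR;

foreach (audit_headers(parse_headers($sample)) as $finding) {
    echo "- {$finding}\n";
}
```

On the constructed sample this reports three missing headers (Referrer-Policy, Permissions-Policy, Strict-Transport-Security), the 'unsafe-inline' directive, and the absence of a clickjacking control, which is the same picture an online scan would give without sending traffic to anything.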