{
    "slug": "security_headers",
    "term": "HTTP Security Headers",
    "category": "security",
    "difficulty": "beginner",
    "short": "A set of HTTP response headers that instruct browsers to enforce security policies, reducing XSS, clickjacking, and data leakage risks.",
    "long": "Key security headers and their purpose: Content-Security-Policy (restricts resource loading, mitigates XSS), X-Frame-Options (prevents clickjacking — superseded by CSP frame-ancestors), X-Content-Type-Options: nosniff (prevents MIME-type sniffing), Referrer-Policy (controls referrer leakage), Permissions-Policy (restricts browser feature access), Strict-Transport-Security (enforces HTTPS), and Cross-Origin-Opener-Policy/Cross-Origin-Embedder-Policy (isolation for SharedArrayBuffer). Use securityheaders.com to audit. In PHP, call header() before any output is written — once output has started, headers can no longer be sent.",
    "aliases": [
        "HTTP security headers",
        "response security headers"
    ],
    "tags": [
        "headers",
        "browser",
        "defence-in-depth"
    ],
    "misconception": "Setting security headers fully secures a site. Headers are a defence-in-depth layer — a misconfigured CSP, a missing SameSite cookie attribute, or absent HSTS still leaves specific attack vectors open. They complement but do not replace proper application-level security.",
    "why_it_matters": "Security headers are a low-effort, high-impact defence layer — each header closes a distinct browser-exploitable attack vector with a single line of configuration.",
    "common_mistakes": [
        "Not setting Content-Security-Policy — once an injection exists, nothing restricts what the injected script may load or execute.",
        "Omitting X-Content-Type-Options: nosniff — browsers may MIME-sniff a response and treat a user-uploaded file as HTML or script.",
        "Relying on X-Frame-Options alone instead of CSP frame-ancestors — the latter supersedes it in modern browsers and takes precedence when both are present.",
        "Using a permissive CSP that allows 'unsafe-inline' or 'unsafe-eval', which negates most of its protection."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "content_security_policy",
        "hsts",
        "clickjacking",
        "xss"
    ],
    "prerequisites": [
        "content_security_policy",
        "hsts",
        "clickjacking"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html",
        "https://securityheaders.com/"
    ],
    "bad_code": "// No security headers set — default browser behaviour",
    "good_code": "header('X-Content-Type-Options: nosniff');\nheader('X-Frame-Options: DENY');\nheader('Referrer-Policy: strict-origin-when-cross-origin');\nheader('Permissions-Policy: geolocation=(), microphone=()');",
    "quick_fix": "Add these 5 headers to every PHP response: Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin, Permissions-Policy",
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/security_headers",
        "html_url": "https://codeclaritylab.com/glossary/security_headers",
        "json_url": "https://codeclaritylab.com/glossary/security_headers.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[HTTP Security Headers](https://codeclaritylab.com/glossary/security_headers) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/security_headers"
            }
        }
    }
}