Security Header Must Haves
Checklist and explanation of the essential HTTP security headers you must implement on every website in 2025.
The "Must-Have" List
To get an A+ rating on SecurityHeaders.com, you need these 6 headers:
| Header | Importance | Function |
|---|---|---|
| Strict-Transport-Security (HSTS) | Critical | Enforces HTTPS and prevents protocol-downgrade attacks. |
| X-Content-Type-Options | High | Stops the browser from performing MIME sniffing. |
| X-Frame-Options | High | Prevents clickjacking (your site embedded in a third-party iframe). |
| Referrer-Policy | Medium | Controls how much referrer data leaks to other sites. |
| Content-Security-Policy (CSP) | Advanced | Controls where resources may load from (XSS mitigation). |
| Permissions-Policy | Privacy | Controls browser features (camera, microphone, geolocation). |
1. Strict-Transport-Security (HSTS)
Tells the browser never to connect to the site over plain HTTP for the next max-age seconds, even if the user types http:// or follows an http:// link. The browser must have seen the header once over HTTPS before it applies, so the first visit is unprotected; the preload directive closes that gap by shipping your domain in the browsers' built-in HSTS list, but only add it once every subdomain serves HTTPS, because removal from the preload list is slow.
Value:
max-age=31536000; includeSubDomains; preload
2. X-Content-Type-Options
Tells the browser: "If I say it's an image, treat it as an image. Don't guess." Without it, a browser may reinterpret a response based on its content rather than its declared Content-Type, so a user-uploaded file served as an image could be executed as HTML or script.
Value:
nosniff
3. X-Frame-Options
Protects against clickjacking, where an attacker loads your site in an invisible iframe on their own page and tricks the user into clicking your buttons. It only knows the two values below; CSP's frame-ancestors directive supersedes it and should be set alongside.
Value:
SAMEORIGIN
# or
DENY
4. Referrer-Policy
Protects user privacy by limiting what the Referer header carries when a user follows a link to another site: with the value below, cross-origin requests receive only your origin (no path or query string), and nothing at all is sent when going from HTTPS to HTTP.
Value:
strict-origin-when-cross-origin
5. Content-Security-Policy (CSP)
The most complex, but also the most powerful, header. It defines the allowed sources for scripts, styles, images and other resources; anything loaded from elsewhere is blocked by the browser.
Basic Value (Self-only):
default-src 'self';
Recommended Starting Point:
default-src 'self'; img-src * data:; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline';
Be aware that 'unsafe-inline' in script-src lets any injected inline script run, so this policy controls where external scripts come from but does not stop most XSS. Treat it as a first deployment step, tune it with Content-Security-Policy-Report-Only, then replace 'unsafe-inline' with nonces or hashes.
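The step from the starting policy to one without 'unsafe-inline' in script-src is easiest to see in code. The following is an added example, not code from the original page: it keeps the page's recommended policy shape (including the placeholder host https://trusted.cdn.com) but mints a fresh nonce per response, puts it in the header and copies it onto the page's own inline script tag. The template and the function names (new_nonce, build_csp, render_response and the two parsing helpers) are this example's own.

```python
"""Per-response nonce so the CSP above can drop 'unsafe-inline' from script-src.

Added example, not from the original page. It keeps the page's recommended
policy but replaces 'unsafe-inline' in script-src with a nonce that is
minted per response and copied onto the page's own inline <script> tags.
The template and function names are this example's own; the CDN host is
the page's placeholder.
"""
import html
import secrets

CDN = "https://trusted.cdn.com"  # placeholder host from the checklist above

# Constructed page template; the application's own inline script carries the nonce.
PAGE_TEMPLATE = """<!doctype html>
<html><body>
<h1>Hello, {user}</h1>
<script nonce="{nonce}">console.log("first-party inline script");</script>
</body></html>
"""


def new_nonce():
    # 128 bits from the OS CSPRNG, base64url encoded; fresh for every response.
    return secrets.token_urlsafe(16)


def build_csp(nonce):
    # Same shape as the recommended starting point, minus 'unsafe-inline' for scripts.
    return ("default-src 'self'; img-src * data:; "
            f"script-src 'self' 'nonce-{nonce}' {CDN}; "
            "style-src 'self' 'unsafe-inline'")


def script_src_of(csp):
    """Return the script-src source list of a policy string."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0] == "script-src":
            return tokens[1:]
    return []


def nonce_from_csp(csp):
    """Extract the nonce value from the script-src directive (None if absent)."""
    for src in script_src_of(csp):
        if src.startswith("'nonce-") and src.endswith("'"):
            return src[len("'nonce-"):-1]
    return None


def render_response(user):
    """Build (headers, body) for one request: nonce in header and markup must match."""
    nonce = new_nonce()
    body = PAGE_TEMPLATE.format(user=html.escape(user), nonce=nonce)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": build_csp(nonce),
    }
    return headers, body


if __name__ == "__main__":
    hdrs, page = render_response("Alice")
    print(hdrs["Content-Security-Policy"])
    print(page)
```

The nonce must be unguessable and must not be reused across responses, which is why it comes from secrets rather than a counter; an injected script does not know the nonce and is refused even though it is inline. Styles are left as the page recommends, since the protective win is in script-src.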
6. Permissions-Policy
Replaces the old "Feature-Policy". It tells the browser which browser features and hardware APIs the page, and any iframes it embeds, are allowed to use. An empty allowlist, written as (), disables the feature entirely.
Recommended Value (Privacy-focused):
geolocation=(), microphone=(), camera=(), payment=(), usb=()
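To verify a deployment against the six headers above without depending on an external scanner, the following is an added example (not from the original page) that checks a dict of response headers, as returned by any HTTP client, against the values this checklist recommends. The two sample responses are constructed for illustration; the function and constant names are this example's own.

```python
"""Offline check of a response against the six must-have headers above.

Added example, not from the original page: feed it a dict of response
headers from any HTTP client and it returns findings. The two sample
responses are constructed for illustration; the thresholds mirror the
values recommended on this page.
"""
import re

ONE_YEAR = 31536000  # the max-age the checklist recommends for HSTS
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _lower_keys(headers):
    # HTTP header names are case-insensitive; normalise once for lookups.
    return {k.lower(): v for k, v in headers.items()}


def csp_directive(csp, name):
    """Source list of one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def check_headers(headers):
    """Return a list of (header, severity, message); an empty list means all six pass."""
    h = _lower_keys(headers)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "critical", "missing"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("Strict-Transport-Security", "critical",
                             "max-age below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "medium",
                             "includeSubDomains not set"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "high",
                         "must be exactly 'nosniff'"))

    csp = h.get("content-security-policy")
    # frame-ancestors does not fall back to default-src, so check it directly.
    frame_ancestors = csp_directive(csp, "frame-ancestors") if csp else None
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and frame_ancestors is None:
        findings.append(("X-Frame-Options", "high",
                         "neither X-Frame-Options nor CSP frame-ancestors set"))

    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER:
        findings.append(("Referrer-Policy", "medium",
                         "missing or leaks full URLs cross-origin"))

    if csp is None:
        findings.append(("Content-Security-Policy", "advanced", "missing"))
    else:
        # script-src does fall back to default-src when absent.
        scripts = csp_directive(csp, "script-src")
        if scripts is None:
            scripts = csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts:
            findings.append(("Content-Security-Policy", "medium",
                             "'unsafe-inline' in script-src; use nonces or hashes"))

    if "permissions-policy" not in h:
        findings.append(("Permissions-Policy", "privacy", "missing"))
    return findings


# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "'unsafe-inline' https://trusted.cdn.com;",
}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_headers(resp) or "all six headers pass")
```

The checker accepts a CSP frame-ancestors directive in place of X-Frame-Options, since modern browsers honour the former, and it flags 'unsafe-inline' in script-src because a policy that permits it still passes a presence-only scan while offering little XSS protection. Run it against every distinct route, not just the home page: headers set in one server block are often missing from another.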
Implementation Cheat Sheet
Apache (.htaccess)
```apache
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=()"
</IfModule>
```
Nginx (nginx.conf)
add_header directives are inherited from the enclosing block only if the current block defines none of its own, so a location block with a single add_header of its own silently drops every header below. Repeat the full set (or move it to a file you include) in each such block.
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=()" always;
```