Security Headers Explained: The Complete Guide

HTTP security headers are response headers that instruct the browser to enforce a policy on your site's behalf. Set correctly, they limit the impact of XSS, clickjacking, MIME sniffing and other browser-side attacks; they complement, but do not replace, fixing the underlying application bugs.

Essential Security Headers

Strict-Transport-Security (HSTS)

Tells the browser to use HTTPS for every connection to this host for max-age seconds (one year in the example), including subdomains, and to refuse click-through on certificate errors. The header is only honoured when received over HTTPS, so the first visit must already be secure; preload submits the domain to the browsers' built-in HSTS list (hstspreload.org) so even that first visit is protected. Treat preload as a long-term commitment: every subdomain must serve HTTPS, and removal from the list takes months.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (CSP)

Controls which resources the browser may load, and from which origins. The policy below allows scripts and every other resource type only from the page's own origin; because inline scripts and eval() are blocked unless explicitly allowed, a strict CSP is the single most effective browser-side mitigation for XSS. Roll it out as Content-Security-Policy-Report-Only first and review violation reports before switching to enforcement.

Content-Security-Policy: default-src 'self'; script-src 'self'

X-Content-Type-Options

Stops the browser from guessing ("sniffing") a response's content type and, for example, executing an uploaded text file as a script or stylesheet. With nosniff the browser trusts the declared Content-Type, so make sure your server sends an accurate one.

X-Content-Type-Options: nosniff

X-Frame-Options

Prevents clickjacking by controlling whether the page may be embedded in a frame. DENY forbids framing by any site; SAMEORIGIN permits only same-origin framing. Modern browsers prefer the CSP frame-ancestors directive, which also supports an allow-list of origins; keep X-Frame-Options for older browsers and make sure the two agree.

X-Frame-Options: DENY

Referrer-Policy

Controls how much of the current URL is sent in the Referer header on navigations and resource requests. strict-origin-when-cross-origin sends the full URL to same-origin destinations, only the origin to cross-origin destinations, and nothing on an HTTPS-to-HTTP downgrade, which keeps paths and query strings (session tokens, password-reset links) away from third parties.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Restricts which browser features (camera, microphone, geolocation and others) the page and the iframes it embeds may use. An empty allow-list, written as (), disables the feature everywhere, including in third-party frames; use (self) to keep a feature available to your own origin only.

Permissions-Policy: camera=(), microphone=(), geolocation=()

Security Headers Explained: The Complete Guide | SiteProbe