Guide
HTTP security headers, and how to check them
Security headers are short instructions your server sends with every response that tell the browser how to protect your users. They're cheap to add, easy to forget, and among the first things an external review looks at. Here's what the important ones do and a sensible value to start from.
Updated June 7, 2026
Strict-Transport-Security
Forces browsers to use HTTPS for every future request to your domain.
Once a browser has seen this header (commonly called HSTS), it refuses to connect over plain HTTP, closing the window where a first request can be intercepted or downgraded. Use a long max-age once you're confident HTTPS is solid across the domain.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadContent-Security-Policy
Controls which sources the browser may load scripts, styles, and other content from.
A Content-Security-Policy (CSP) is the strongest browser-side defense against cross-site scripting and content injection, because it constrains where executable content can come from. Start restrictive and widen deliberately; an over-broad policy gives little protection.
Content-Security-Policy: default-src 'self'X-Frame-Options
Stops other sites from embedding your pages in a frame.
This blocks clickjacking, where an attacker loads your page invisibly over their own to trick users into clicking. Modern policies can also be expressed via CSP's frame-ancestors, but X-Frame-Options remains a widely honored, simple control.
X-Frame-Options: DENYX-Content-Type-Options
Tells the browser not to guess (sniff) a response's content type.
Without it, a browser may interpret a file as a different type than you intended, for example treating an uploaded file as executable script. The single value nosniff removes that ambiguity.
X-Content-Type-Options: nosniffReferrer-Policy
Limits how much URL information is shared when users navigate away.
Full referrer URLs can leak internal paths, tokens, or identifiers to third parties. A balanced policy keeps the origin for cross-site requests while withholding the full path.
Referrer-Policy: strict-origin-when-cross-originPermissions-Policy
Declares which browser features (camera, geolocation, etc.) a page may use.
Disabling features you don't need shrinks what a compromised script or embedded third party can reach. Grant capabilities explicitly, denying the rest by default.
Permissions-Policy: geolocation=(), camera=(), microphone=()How to check which headers your site sends
You can inspect response headers in your browser's developer tools under the Network tab, or with a request from the command line:
curl -sI https://your-domain.example | grep -i -E 'strict-transport|content-security|x-frame|x-content-type|referrer-policy|permissions-policy'For an at-a-glance read across TLS, headers, DNS, and more, run a free exposure review and let WebGuard report which protective headers are present, missing, or weak. See the full list on the What we check page.
Check your headers in seconds
Run a read-only exposure review on a public domain and see your header posture alongside TLS and DNS hygiene, with no account required to start.