
What are Security Headers?

Security headers are HTTP response headers that provide an additional layer of security for web applications by helping to mitigate various types of cyber threats.

These headers are sent by a web server along with the HTTP response and instruct the browser on how to handle the web page. By implementing security headers, website owners can enhance the overall security posture of their sites.

Top 10 Security Headers

Here are some common security headers:

Strict-Transport-Security (HSTS)
    Instructs the browser to only communicate with the website over HTTPS, even if the user enters HTTP in the address bar.

Content-Security-Policy (CSP)
    Specifies the rules for loading content on a web page, helping to prevent various types of attacks, such as Cross-Site Scripting (XSS) and data injection.

X-Content-Type-Options
    Prevents browsers from interpreting files as a different MIME type than declared in the Content-Type header, reducing the risk of certain types of attacks.

X-Frame-Options
    Prevents a web page from being embedded within an iframe, protecting against clickjacking attacks.

X-XSS-Protection
    Enables or disables the browser's built-in Cross-Site Scripting (XSS) protection.

Referrer-Policy
    Specifies how much information should be included in the Referer header when navigating from one page to another.

Feature-Policy
    Allows or disallows the use of certain browser features on a webpage, helping to prevent misuse.

Expect-CT
    Enforces Certificate Transparency, providing an additional layer of security for HTTPS connections.

Public-Key-Pins (HPKP)
    Deprecated as of Chrome 72. Previously, it allowed a website to pin a specific public key to a set of hosts, helping to prevent man-in-the-middle attacks.

Content-Security-Policy-Report-Only
    Similar to CSP but only reports policy violations without enforcing restrictions. Useful for testing and monitoring without affecting the site's functionality.

Implementing these security headers helps protect websites against common security threats, enhances privacy, and improves the overall integrity of web applications.
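Sending the headers is only half the job; the values also have to be strong enough to matter. The following audit script is an added example, not part of the original article or the noc.org tooling. It takes the response headers a server sends (here two constructed responses, one hardened and one weak) and checks five of the headers from the table above: HSTS (present with a max-age of at least one year, an assumed threshold), CSP (enforced rather than report-only, and not allowing 'unsafe-inline' scripts), X-Content-Type-Options (exactly nosniff), X-Frame-Options (DENY or SAMEORIGIN, or covered by a CSP frame-ancestors directive) and Referrer-Policy (present and not unsafe-url). The header names are real; the thresholds and finding strings are this example's own choices.

```python
import re

# Assumed threshold for a meaningful HSTS policy: one year, in seconds.
ONE_YEAR_SECONDS = 31536000


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers):
    """Return {header name: finding}; a finding starting with "ok" passes."""
    # Header names are case-insensitive, so normalise them once.
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = {}

    # HSTS: must exist and cover a long enough period to be useful.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if match is None:
            findings["Strict-Transport-Security"] = "no max-age directive"
        elif int(match.group(1)) < ONE_YEAR_SECONDS:
            findings["Strict-Transport-Security"] = "max-age below one year"
        else:
            findings["Strict-Transport-Security"] = "ok"

    # CSP: report-only mode logs violations but blocks nothing.
    csp_value = h.get("content-security-policy")
    csp = parse_csp(csp_value) if csp_value is not None else None
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings["Content-Security-Policy"] = "report-only; violations are logged but not blocked"
        else:
            findings["Content-Security-Policy"] = "missing"
    else:
        # script-src falls back to default-src when it is not set.
        script_sources = csp.get("script-src", csp.get("default-src", []))
        if any(s.lower() == "'unsafe-inline'" for s in script_sources):
            findings["Content-Security-Policy"] = "script-src allows 'unsafe-inline'"
        else:
            findings["Content-Security-Policy"] = "ok"

    # X-Content-Type-Options: the only meaningful value is nosniff.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto.lower() != "nosniff":
        findings["X-Content-Type-Options"] = "value is not 'nosniff'"
    else:
        findings["X-Content-Type-Options"] = "ok"

    # X-Frame-Options: DENY/SAMEORIGIN, or CSP frame-ancestors doing the same job.
    xfo = h.get("x-frame-options")
    if xfo is not None:
        if xfo.upper() in ("DENY", "SAMEORIGIN"):
            findings["X-Frame-Options"] = "ok"
        else:
            findings["X-Frame-Options"] = "value should be DENY or SAMEORIGIN"
    elif csp is not None and "frame-ancestors" in csp:
        findings["X-Frame-Options"] = "ok (framing restricted by CSP frame-ancestors)"
    else:
        findings["X-Frame-Options"] = "missing"

    # Referrer-Policy: unsafe-url sends the full URL to every destination.
    rp = h.get("referrer-policy")
    if rp is None:
        findings["Referrer-Policy"] = "missing"
    elif rp.lower() == "unsafe-url":
        findings["Referrer-Policy"] = "unsafe-url leaks the full URL to other sites"
    else:
        findings["Referrer-Policy"] = "ok"

    return findings


def problems(findings):
    """Names of headers whose finding is not "ok", sorted for stable output."""
    return sorted(name for name, f in findings.items() if not f.startswith("ok"))


# Constructed sample responses (not captured from any real server).
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, problems(audit_security_headers(response)))
```

Running it prints an empty problem list for the hardened response and four findings for the weak one (short HSTS, report-only CSP, no framing protection, unsafe-url referrer). Feeding it the headers from a real deployment, for example as captured by a monitoring job, turns the table above into a repeatable check rather than a one-time checklist.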

Updated on December 13, 2023