Security Headers
HTTP response headers that instruct browsers to enable security mechanisms, reducing the attack surface of web applications.
Description
Security headers are HTTP response headers that configure browser-side security policies. They form a critical layer of defense by instructing browsers to enforce restrictions on how content is loaded, rendered, and interacted with. While they don't fix server-side vulnerabilities, they significantly reduce the exploitability of client-side issues and add defense-in-depth against common attack vectors.
The essential security headers include: Content-Security-Policy (controls which sources a page may load scripts, styles, and other resources from, and can restrict framing via its frame-ancestors directive), Strict-Transport-Security (tells the browser to connect to the domain only over HTTPS for the stated period), X-Content-Type-Options: nosniff (stops the browser from guessing a MIME type and treating a non-script response as script), X-Frame-Options (prevents clickjacking by blocking framing; it is the legacy form of CSP frame-ancestors and is kept for older browsers), Referrer-Policy (controls how much of the referring URL leaks to other sites), Permissions-Policy (restricts browser feature access like camera, microphone, geolocation), and Cross-Origin-Opener-Policy / Cross-Origin-Embedder-Policy (cut the page off from cross-origin windows and from cross-origin resources that have not opted in; together they enable cross-origin isolation, which lets the browser place the page in its own process). Each header addresses a specific category of browser-based attacks.
Implementing security headers should be done at the infrastructure level (reverse proxy, CDN, or middleware) to ensure consistent application across all routes and responses, including error pages and redirects. Tools like securityheaders.com and the Mozilla Observatory provide automated scanning and grading of security header configurations. Headers should be tested in staging before production deployment, especially Content-Security-Policy, which can break functionality if misconfigured; rolling a new policy out first as Content-Security-Policy-Report-Only, which reports violations without blocking, shows what it would break before it is enforced. Regular audits should verify headers haven't been accidentally removed during infrastructure changes.
Prompt Snippet
Configure the following security headers at the reverse proxy or middleware level for all responses: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload, Content-Security-Policy with strict directives (at least default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none', with script-src allowing only nonce- or hash-tagged scripts rather than 'unsafe-inline' or broad host allowlists), X-Content-Type-Options: nosniff, X-Frame-Options: DENY (kept alongside frame-ancestors for older browsers), Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: camera=(), microphone=(), geolocation=(), Cross-Origin-Opener-Policy: same-origin. In Express, use the helmet middleware with explicit configuration rather than defaults. Validate your header configuration against securityheaders.com targeting an A+ grade, and add a CI check using Mozilla's HTTP Observatory CLI so a regression fails the build rather than reaching production.
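As an added example written for this page (not securityheaders.com's or the Observatory's own scoring, and not code from the original), the check below audits a response header map against the configuration listed above and is shaped as a CI gate: zero findings passes, anything else fails the build. The one-year HSTS threshold, the accepted Referrer-Policy values, the AUDIT_URL environment variable, and the two constructed header sets are assumptions.

```javascript
// Added example for this page: a dependency-free audit of a response's
// security headers, shaped as a CI gate. Thresholds and the accepted
// Referrer-Policy values are assumptions matching common hardening guidance,
// not securityheaders.com's or the Observatory's scoring.

const ONE_YEAR = 31536000;
const RECOMMENDED_REFERRER = new Set([
  "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
]);

// Header names are case-insensitive, so compare on a lower-cased copy.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// "name v1 v2; name2 ..." -> { name: ["v1", "v2"], name2: [...] }
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Returns the list of findings; an empty list means the response passes.
function auditHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("HSTS missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push("HSTS max-age below one year");
    if (!/includesubdomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }

  const csp = h["content-security-policy"];
  const d = csp ? parseCsp(csp) : {};
  if (!csp) {
    findings.push("CSP missing");
  } else {
    const script = d["script-src"] || d["default-src"];
    if (!script) {
      findings.push("CSP has neither script-src nor default-src");
    } else {
      // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one
      // is present, so it is only a finding on its own.
      const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
      if (script.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("CSP allows inline scripts without nonce or hash");
      if (script.includes("*")) findings.push("CSP script-src allows any host");
    }
    if (!d["object-src"] && !d["default-src"]) findings.push("CSP does not restrict object-src");
  }
  // Either mechanism blocks framing; the legacy header alone is accepted.
  if (!d["frame-ancestors"] && !h["x-frame-options"]) findings.push("no framing restriction (frame-ancestors or X-Frame-Options)");

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options is not nosniff");
  const referrer = (h["referrer-policy"] || "").toLowerCase();
  if (!RECOMMENDED_REFERRER.has(referrer)) findings.push(`Referrer-Policy "${referrer || "(missing)"}" is not in the recommended set`);
  if (!h["permissions-policy"]) findings.push("Permissions-Policy missing");
  if ((h["cross-origin-opener-policy"] || "").toLowerCase() !== "same-origin") findings.push("Cross-Origin-Opener-Policy is not same-origin");
  return findings;
}

// CI entry point: AUDIT_URL=https://example.org node audit.js fetches the page
// with Node's built-in fetch (Node 18+) and exits non-zero on any finding.
async function scan(url) {
  const res = await fetch(url, { redirect: "manual" });
  return auditHeaders(Object.fromEntries(res.headers));
}

// Constructed sample header sets (not captured from a real site).
const WEAK = { "Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN" };
const STRONG = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Cross-Origin-Opener-Policy": "same-origin",
};

if (process.env.AUDIT_URL) {
  scan(process.env.AUDIT_URL).then((findings) => {
    findings.forEach((f) => console.error("FAIL:", f));
    process.exit(findings.length ? 1 : 0);
  });
} else {
  console.log("weak:", auditHeaders(WEAK));
  console.log("strong:", auditHeaders(STRONG));
}

module.exports = { auditHeaders, parseCsp, scan, WEAK, STRONG };
```

Run without AUDIT_URL to see the findings for the two constructed sets; in CI, run it with AUDIT_URL pointing at the staging deployment so a header dropped during an infrastructure change fails the pipeline. The audit checks the properties that matter rather than exact strings, so a site using CSP frame-ancestors without X-Frame-Options, or a nonce-based policy that still lists 'unsafe-inline' as a fallback for old browsers, passes as it should.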
Tags
Related Terms
Content Security Policy (CSP)
An HTTP response header that allows fine-grained control over which resources a browser is allowed to load and execute for a page.
HTTPS Enforcement (HSTS)
Mechanisms that ensure all communication occurs over encrypted HTTPS connections, preventing protocol downgrade attacks.
Clickjacking Prevention (X-Frame-Options)
Techniques to prevent attackers from tricking users into clicking hidden or disguised elements by embedding your site in an iframe.
CORS Security Configuration
A browser mechanism that relaxes the same-origin policy so a server can grant specific foreign origins controlled access to its resources.