2026-05-22· 6 min read

HTTP Security Headers Explained — CSP, HSTS, X-Frame-Options Guide | Vaarta

Complete guide to HTTP security headers. Learn what CSP, HSTS, X-Frame-Options, and X-Content-Type-Options do and how to configure them correctly.

Security Headers HTTP Web Security CSP

What Are HTTP Security Headers?


HTTP security headers are directives sent by the server that tell browsers how to behave when handling your website's content. By restricting what the browser will load, execute, or disclose, they mitigate XSS, clickjacking, MIME-sniffing, and other attacks.


Essential Security Headers


1. Content-Security-Policy (CSP)

**What it does**: Controls which resources (scripts, styles, images) can be loaded and from which origins

**Example**: `Content-Security-Policy: default-src 'self'; script-src 'self'`

**Impact**: Mitigates XSS and code injection by refusing to load scripts from origins the policy does not allow. A policy that includes `'unsafe-inline'` in `script-src` gives most of that protection back, so avoid it wherever possible.


2. Strict-Transport-Security (HSTS)

**What it does**: Tells browsers that have seen the header to use HTTPS only for this host (and its subdomains with `includeSubDomains`) for `max-age` seconds

**Example**: `Strict-Transport-Security: max-age=63072000; includeSubDomains`

**Impact**: Prevents SSL stripping and protocol downgrade attacks. Note that the browser only learns the policy from a prior HTTPS response, so the first visit is not covered unless the domain is on the browser HSTS preload list.


3. X-Frame-Options

**What it does**: Controls whether your page can be embedded in frames (`DENY` blocks all framing, `SAMEORIGIN` allows framing only by pages from the same origin)

**Example**: `X-Frame-Options: DENY`

**Impact**: Prevents clickjacking attacks. The CSP `frame-ancestors` directive is the modern replacement and takes precedence in browsers that support it, so set both for older clients.


4. X-Content-Type-Options

**What it does**: Prevents browsers from MIME-sniffing responses, so the declared `Content-Type` is trusted as-is

**Example**: `X-Content-Type-Options: nosniff`

**Impact**: Blocks script execution disguised as images, for example an uploaded file served as an image that a browser might otherwise reinterpret as JavaScript or CSS


5. Referrer-Policy

**What it does**: Controls how much of the current URL is sent in the `Referer` header on outgoing requests

**Example**: `Referrer-Policy: strict-origin-when-cross-origin`

**Impact**: Protects user privacy and prevents data leakage, since path and query parameters (which may contain tokens or identifiers) are no longer sent to cross-origin destinations


6. Permissions-Policy

**What it does**: Controls which browser features (camera, microphone, geolocation) the page and its embedded frames may use

**Example**: `Permissions-Policy: camera=(), microphone=()`

**Impact**: Prevents unauthorized access to device features, including by third-party scripts or iframes running inside your page


How to Check Your Headers


Use Vaarta.space to scan your domain and get an instant grade on your security headers configuration.


Conclusion


Properly configured security headers are a critical layer of defense. They're free to implement and provide significant protection against common web attacks.

