
HTTP Security Headers: The Complete Checklist

Protect your website with the right HTTP security headers. HSTS, CSP, X-Frame-Options, and more — what they do and how to set them up.

Why Security Headers Matter

Security headers are instructions your server sends to the browser about how to handle your content. They prevent clickjacking, XSS attacks, data injection, and protocol downgrades — with zero impact on user experience.

The Essential Headers

Strict-Transport-Security (HSTS)

Forces browsers to always use HTTPS. Prevents SSL stripping attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age=31536000: Remember for 1 year
  • includeSubDomains: Apply to all subdomains
  • preload: Required for submission to the browser HSTS preload lists, so the policy applies even before a user's first visit

Content-Security-Policy (CSP)

Controls which resources the browser can load. The most powerful header but also the most complex.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:

Start with Content-Security-Policy-Report-Only, which reports violations without blocking anything, so you can test a policy before enforcing it.

X-Content-Type-Options

Prevents MIME type sniffing. Always set this.

X-Content-Type-Options: nosniff

X-Frame-Options

Prevents your site from being embedded in iframes (clickjacking protection).

X-Frame-Options: DENY

Or SAMEORIGIN if you need to iframe your own content.

Referrer-Policy

Controls what information is sent in the Referer header when users navigate away.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls which browser features your site can use (camera, microphone, geolocation, etc.).

Permissions-Policy: camera=(), microphone=(), geolocation=()

Empty parentheses = feature disabled entirely.

How to Set Them

Nginx

# "always" emits the header on error responses (4xx/5xx) too, not only on 2xx/3xx.
# add_header directives in a location block replace those inherited from the
# server block, so repeat the full set in any location that adds its own.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "X-Frame-Options", "value": "DENY" }
      ]
    }
  ]
}

Cloudflare

Use Transform Rules to add headers to all responses without touching your origin server.

Test Your Headers

Run your site through our scanner above to check which security headers you're missing and get a security score.
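As an added example (not the article's or the Host Autopsy scanner's code), a small Python checker that applies the checklist above to a response's headers. The sample response is constructed; it uses the article's CSP, so the checker flags the 'unsafe-inline' that policy permits in script-src, which weakens its XSS protection.

```python
import re

ONE_YEAR = 31536000  # the max-age the article recommends

def check_headers(headers: dict) -> dict:
    """Return {header: finding} for the checklist; a finding of None means it passes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        findings["Strict-Transport-Security"] = (
            None if age >= ONE_YEAR else f"max-age {age} is below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing"
    else:
        # {directive: [sources]}; script-src falls back to default-src when absent
        d = {p.split()[0]: p.split()[1:] for p in csp.split(";") if p.strip()}
        script = d.get("script-src", d.get("default-src", []))
        weak = [s for s in script if s in ("'unsafe-inline'", "'unsafe-eval'", "*")]
        findings["Content-Security-Policy"] = (
            f"script-src allows {' '.join(weak)}" if weak else None)

    xcto = h.get("x-content-type-options", "").lower()
    findings["X-Content-Type-Options"] = None if xcto == "nosniff" else "not nosniff"
    xfo = h.get("x-frame-options", "").upper()
    findings["X-Frame-Options"] = None if xfo in ("DENY", "SAMEORIGIN") else "not DENY/SAMEORIGIN"
    for name in ("Referrer-Policy", "Permissions-Policy"):
        findings[name] = None if name.lower() in h else "missing"
    return findings

# Constructed sample response: the article's CSP, a one-day HSTS, no Permissions-Policy
SAMPLE = {
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
                               "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, finding in check_headers(SAMPLE).items():
        print(f"{name}: {finding or 'ok'}")
```

Feed it the header dict from any HTTP client (for example the `.headers` of a requests response) to check a live site against the same rules.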
