HackMyIP

What Are HTTP Security Headers?

What HTTP security headers are

HTTP security headers are extra response headers a web server sends alongside a page that tell the browser how to behave more safely. They are a simple, server-side way to reduce the impact of common attacks like cross-site scripting, clickjacking, and content sniffing. They are recommended by the OWASP Secure Headers Project and documented on MDN, and most of them are a single line of configuration to add.

The key headers

Content-Security-Policy (CSP)

CSP controls which sources of scripts, styles, images, and other resources the browser is allowed to load and execute. It is the primary defense-in-depth header against cross-site scripting (XSS). Because CSP is the most powerful and the most asked-about header, it has its own deep dive: Content Security Policy (CSP) Explained.

Strict-Transport-Security (HSTS)

HSTS, defined in RFC 6797, tells the browser to only ever connect to the site over HTTPS for a set period of time. This protects against downgrade attacks and accidental plain-HTTP connections. Without it, an early request can be made over insecure HTTP before any redirect to HTTPS. It works hand in hand with SSL/TLS.

X-Frame-Options

This header controls whether your page can be embedded inside a frame or iframe on another website. It is the classic defense against clickjacking, where an attacker overlays your page invisibly to trick users into clicking. The modern equivalent is the frame-ancestors directive in CSP.

X-Content-Type-Options

Set to nosniff, this header stops the browser from guessing (sniffing) the content type of a response and makes it honour the declared Content-Type instead. Without it, a response the server intended as plain text or an upload could be interpreted as an executable script, which is the basis of MIME-sniffing attacks.

Referrer-Policy

This header controls how much of the originating URL is sent in the Referer header when a user navigates away. A stricter policy prevents leaking sensitive path or query information to third-party websites.

Permissions-Policy

This header lets a website declare which browser features and APIs, such as camera, microphone, or geolocation, are allowed to be used by the page and any embedded content. It reduces the surface area available to malicious or compromised scripts.
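The six headers above are usually set once, centrally, rather than per page. As an added example (not HackMyIP's code), the WSGI middleware below fills in any of them that the application did not set itself, comparing names case-insensitively so an app that already emits its own CSP keeps it. The header values are common baseline choices assumed for this example, not values prescribed by the sheet; the CSP and Permissions-Policy in particular must be tuned to the real application before they are enforced.

```python
"""Apply a baseline set of HTTP security headers from a WSGI middleware.

Added example; not HackMyIP's code. The header values below are assumed
baselines for illustration, not values taken from the sheet.
"""
from wsgiref.util import setup_testing_defaults

# Baseline values (assumptions for this example). The CSP is deliberately
# restrictive; a real site extends it (e.g. with a CDN origin) before enforcing.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def merge_headers(app_headers, defaults=SECURITY_HEADERS):
    """Return app_headers plus every default header the app did not set.

    Names are compared case-insensitively: an app that already emits its own
    Content-Security-Policy keeps it, so the middleware only fills gaps.
    """
    present = {name.lower() for name, _ in app_headers}
    merged = list(app_headers)
    for name, value in defaults.items():
        if name.lower() not in present:
            merged.append((name, value))
    return merged


class SecurityHeadersMiddleware:
    """WSGI middleware that adds missing security headers to every response."""

    def __init__(self, app, defaults=SECURITY_HEADERS):
        self.app = app
        self.defaults = defaults

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, merge_headers(headers, self.defaults), exc_info)

        return self.app(environ, patched_start_response)


def run_once(app, path="/"):
    """Drive a WSGI app for one request and return (status, headers, body).

    Test helper only; in production the middleware is mounted under a WSGI
    server such as gunicorn or uWSGI.
    """
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed sample app: sets a looser CSP of its own and nothing else."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("content-security-policy", "default-src 'self' https://cdn.example"),
    ]
    start_response("200 OK", headers)
    return [b"<h1>hello</h1>"]


if __name__ == "__main__":
    _, response_headers, _ = run_once(SecurityHeadersMiddleware(demo_app))
    for name, value in response_headers:
        print(f"{name}: {value}")
```

Running the module prints the merged header set: the app's own CSP survives untouched, and the other five baseline headers are appended. The same merge rule is what a reverse proxy's "add header if not present" directive does; doing it in one place avoids the common failure where some routes (error pages, static files, API responses) ship without the headers.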

What a missing header exposes

Each absent header removes a layer of protection rather than instantly breaking the site. Missing HSTS leaves room for downgrade and plain-HTTP connections. A missing or weak CSP leaves XSS payloads freer to run. No X-Frame-Options or frame-ancestors invites clickjacking. No X-Content-Type-Options allows MIME sniffing. These are defense-in-depth measures, so the goal is to layer several of them rather than rely on any one.

How to read a security headers grade

Header graders inspect the response headers of a URL and assign a letter grade based on which recommended headers are present and how strictly they are configured. A high grade means strong, well-configured headers; a low grade flags missing or weak ones. Use the grade as a prioritized checklist, not a pass/fail verdict, and start with the headers that protect against the highest-impact attacks. You can run any URL through our free security headers checker to see which headers are present and what to add next.
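To make the two preceding sections concrete (what each missing header exposes, and how a grader turns headers into a letter), here is an added example of a small header grader. It is not HackMyIP's checker: the strictness rules, the 180-day HSTS threshold and the letter scale are this example's own assumptions, and the two sample responses are constructed, not captured from any site. It parses a raw HTTP/1.x response, audits the six headers the sheet discusses, treats CSP frame-ancestors and X-Frame-Options as alternatives for the clickjacking check, and reports one finding per weakness.

```python
"""Parse a raw HTTP response and grade its security headers.

Added example, not the HackMyIP checker. Rules, thresholds and the letter
scale are assumptions for illustration; sample responses are constructed.
"""
import re

HSTS_MIN_AGE = 15552000  # ~180 days; assumed threshold for this example
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}  # send full URL cross-site


def parse_headers(raw):
    """Parse the header block of a raw HTTP/1.x response into a dict.

    Names are lower-cased; repeated headers are joined with ', ' as RFC 9110
    list syntax allows. The status line and any body are ignored.
    """
    head = re.split(r"\r?\n\r?\n", raw, 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def csp_directive(policy, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        scripts = csp_directive(csp, "script-src")
        if scripts is None:  # script-src falls back to default-src
            scripts = csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows 'unsafe-inline' scripts")

    # Either mechanism stops framing; flag only when neither is in place.
    frame_ancestors = csp_directive(csp, "frame-ancestors") if csp else None
    xfo = headers.get("x-frame-options", "").upper()
    if frame_ancestors is None and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no frame-ancestors and no valid X-Frame-Options (clickjacking)")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_AGE} seconds")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing (MIME sniffing)")

    rp = headers.get("referrer-policy", "").lower()
    if not rp:
        findings.append("Referrer-Policy missing")
    elif rp in WEAK_REFERRER:
        findings.append(f"Referrer-Policy '{rp}' leaks full URLs cross-site")

    if "permissions-policy" not in headers:
        findings.append("Permissions-Policy missing")
    return findings


def grade(findings):
    """Map the number of findings to a letter: fewer findings, better grade."""
    scale = ["A", "B", "C", "D", "E", "F"]
    return scale[min(len(findings), len(scale) - 1)]


def grade_response(raw):
    """Convenience wrapper: raw response text -> (letter, findings)."""
    findings = audit(parse_headers(raw))
    return grade(findings), findings


# Constructed sample responses (not real captures).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "\r\n<html></html>"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        letter, found = grade_response(raw)
        print(f"{label}: {letter}", *found, sep="\n  ")
```

The good sample grades A without an X-Frame-Options header because its CSP carries frame-ancestors 'none', which is exactly the equivalence the FAQ below describes. The weak sample collects a finding for every header that is missing or too loose, and the list of findings, not the letter, is what to work through: CSP and HSTS first, then the rest.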

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are response headers a server sends with a page to tell the browser how to behave more safely. They help reduce the impact of attacks like cross-site scripting, clickjacking, and content sniffing. They are recommended by the OWASP Secure Headers Project and are usually simple to add server-side.

What happens if a security header is missing?

A missing header removes a layer of protection rather than instantly breaking the website. For example, missing HSTS allows insecure HTTP connections, and a missing CSP makes cross-site scripting easier to exploit. Because these headers are defense-in-depth, the goal is to layer several of them together.

What is the difference between X-Frame-Options and CSP frame-ancestors?

Both control whether your page can be embedded in a frame on another website to prevent clickjacking. X-Frame-Options is the older header, while the frame-ancestors directive in Content-Security-Policy is the modern and more flexible equivalent. Many websites set both for broad browser coverage.

What does X-Content-Type-Options nosniff do?

Setting X-Content-Type-Options to nosniff tells the browser not to guess the content type of a response. This prevents a file from being interpreted as a different type, such as a text file being run as a script. It is a small but useful protection against certain content-sniffing attacks.

How is a security headers grade calculated?

A header grader inspects the response headers of a URL and assigns a letter grade based on which recommended headers are present and how strictly they are set. A higher grade means stronger configuration, while a lower grade flags missing or weak headers. Treat the grade as a prioritized checklist rather than a strict pass or fail.

Last updated: April 2026