Complete Guide to Security Headers
Learn how to implement and configure all essential security headers.
Security headers are HTTP response headers that help protect your website from various attacks.
Essential Security Headers
1. Strict-Transport-Security (HSTS)
Instructs browsers to connect to the site only over HTTPS for the number of seconds given in max-age, covering subdomains when includeSubDomains is set.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2. Content-Security-Policy (CSP)
Mitigates XSS by restricting the sources from which the browser may load scripts and other resources.
Content-Security-Policy: default-src 'self'; script-src 'self'
3. X-Frame-Options
Prevents clickjacking attacks.
X-Frame-Options: DENY
4. X-Content-Type-Options
Prevents MIME type sniffing.
X-Content-Type-Options: nosniff
5. Referrer-Policy
Controls how much of the current URL is sent in the Referer header on navigations and subresource requests.
Referrer-Policy: strict-origin-when-cross-origin
Implementation
Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Testing
Use security header analyzers to verify your configuration:
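As an added example that is not part of this guide, the following Python script performs offline the kind of check a header analyzer does: it parses a raw HTTP response head and applies the baseline from sections 1 to 5 above (HSTS max-age and includeSubDomains, CSP default-src and script-src, X-Frame-Options, X-Content-Type-Options, Referrer-Policy). The two sample responses are constructed for illustration, the one-year max-age threshold is taken from the guide's header value, and the set of referrer policies treated as acceptable is the example's own assumption.

```python
"""Offline checker for the five headers covered in this guide.

Added example, not part of the original guide: it parses a raw HTTP response
head (constructed inline below) and reports which of the recommended headers
are missing or weaker than the values the guide gives.
"""
from __future__ import annotations

# Constructed sample response heads. The first matches the Nginx/Apache
# snippets in the guide; the second shows typical weak settings.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "\r\n"
)

# Assumption of this example: policies at least as strict as the guide's choice.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_headers(raw: str) -> dict[str, str]:
    """Return {lowercased name: value} for a raw HTTP response head."""
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [source tokens]}, lowercased."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split HSTS directives into {name: value-or-None}, names lowercased."""
    out: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, sep, val = part.partition("=")
            out[name.strip().lower()] = val.strip() if sep else None
    return out


def check_security_headers(raw: str, min_hsts_age: int = 31536000) -> list[str]:
    """Return findings against the guide's baseline; an empty list means it is met."""
    h = parse_headers(raw)
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age") or -1)
        except ValueError:
            max_age = -1
        if max_age < min_hsts_age:
            findings.append(f"HSTS max-age {max_age} below {min_hsts_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        default = policy.get("default-src")
        if default is None:
            findings.append("CSP default-src missing")
        elif "*" in default:
            findings.append("CSP default-src allows wildcard source")
        scripts = policy.get("script-src", default or [])  # falls back to default-src
        if "'unsafe-inline'" in scripts:
            findings.append("CSP script-src allows 'unsafe-inline'")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options '{xfo}' is not DENY or SAMEORIGIN")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif rp.lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy '{rp}' weaker than strict-origin-when-cross-origin")

    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_security_headers(raw) or ["baseline met"])
```

To use it against a live server, replace the constructed strings with the head of a real response (for instance, the output of curl -sI); header names are matched case-insensitively, and the CSP check follows the fallback rule that script-src inherits default-src when absent, so a policy of only default-src 'self' passes.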