Complete Guide to Security Headers
Learn how to implement and configure all essential security headers. Includes HSTS, CSP, X-Frame-Options examples for Nginx and Apache.
Security headers are HTTP response headers that help protect your website from various attacks.
Essential Security Headers
1. Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS connections.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2. Content-Security-Policy (CSP)
Mitigates XSS attacks by restricting the origins from which scripts and other resources may be loaded.
Content-Security-Policy: default-src 'self'; script-src 'self'
3. X-Frame-Options
Prevents clickjacking by stopping other sites from embedding the page in a frame.
X-Frame-Options: DENY
4. X-Content-Type-Options
Prevents MIME type sniffing, so browsers honour the declared Content-Type instead of guessing.
X-Content-Type-Options: nosniff
5. Referrer-Policy
Controls how much referrer information is sent with requests to other sites.
Referrer-Policy: strict-origin-when-cross-origin
Implementation
Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Testing
Use security header analyzers to verify your configuration: