Security Headers Guide
Complete reference for implementing essential HTTP security headers to protect your web application.
Strict-Transport-Security
Instructs browsers to use HTTPS for every later connection to the host, blocking protocol-downgrade and SSL-stripping attacks on subsequent visits; the very first request is only covered if the domain is on the preload list. Learn HSTS implementation, max-age, includeSubDomains, and preload.
Content-Security-Policy
Mitigates XSS by controlling which sources scripts, styles, and other resources may be loaded and executed from. CSP source allowlist setup and implementation examples.
X-Frame-Options
Prevents clickjacking by controlling whether your site can be embedded in frames. DENY and SAMEORIGIN explained; note that the CSP frame-ancestors directive supersedes this header in modern browsers, so set both.
X-Content-Type-Options
Prevents MIME-type sniffing attacks by forcing browsers to honour the declared Content-Type instead of guessing it from the response body. Set nosniff on every response.
Referrer-Policy
Controls how much of the referring URL is sent with requests, so paths and query strings are not leaked to third parties. Protects privacy with strict-origin-when-cross-origin and other options.
Permissions-Policy
Controls which browser features and APIs your site and the frames it embeds may use. Restrict geolocation, camera, microphone, and other APIs.
Cross-Origin-Opener-Policy
Isolates your browsing context group from cross-origin documents, severing window.opener references that enable tabnabbing and some cross-site leaks. Together with COEP, COOP establishes cross-origin isolation and enables features that depend on it.
Cross-Origin-Resource-Policy
Prevents other origins from loading your resources in no-cors requests (images, scripts, fonts). CORP keeps cross-origin responses out of an attacker's process to limit Spectre-style side channels; choose same-origin, same-site, or cross-origin.
Cross-Origin-Embedder-Policy
Requires every cross-origin resource to explicitly opt in to being embedded, via CORP or CORS. COEP together with COOP enables cross-origin isolation, which unlocks SharedArrayBuffer and high-resolution timers while isolating your site's data.
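The headers above are only useful if they are actually present with safe values on every response. As an added example that is not part of this guide, the script below encodes a hardened baseline for all nine headers and audits an arbitrary response header set against it; the baseline values, the constructed `WEAK_HEADERS` sample, and the function name `audit_security_headers` are assumptions for illustration, and the CSP shown must be tuned to the application's real resource origins.

```python
"""Audit an HTTP response header set against a hardened baseline.

Added example, not code from the original guide. RECOMMENDED_HEADERS is an
assumed baseline; the CSP in it is illustrative and must match your origins.
"""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # seconds; the usual HSTS minimum for preload eligibility

# Assumed hardened baseline covering every header in the guide.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; object-src 'none'; "
                                "frame-ancestors 'none'; base-uri 'self'"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}

# Constructed sample of a weakly configured server, used for demonstration only.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Referrer-Policy": "no-referrer-when-downgrade",
}


def _lower_keys(headers: dict[str, str]) -> dict[str, str]:
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Parse a CSP string into {directive: [source, ...]}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = _lower_keys(headers)
    findings: list[str] = []

    # HSTS: present, max-age of at least one year, subdomains covered.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # CSP: present, no inline or wildcard script sources, object-src restricted.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = _csp_directives(csp)
        script = [s.lower() for s in d.get("script-src", d.get("default-src", []))]
        # 'unsafe-inline' is ignored by browsers when a nonce or hash is present.
        if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
            findings.append("CSP allows unsafe-inline scripts")
        if "*" in script:
            findings.append("CSP allows scripts from any origin")
        if "object-src" not in d and "default-src" not in d:
            findings.append("CSP does not restrict object-src")

    # Clickjacking: frame-ancestors (preferred) or X-Frame-Options must be set.
    has_frame_ancestors = csp is not None and "frame-ancestors" in _csp_directives(csp)
    if not has_frame_ancestors and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Referrer-Policy: flag absent or URL-leaking policies.
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    # Cross-origin isolation trio: COOP, CORP, COEP.
    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        findings.append("COOP is not same-origin")
    if "cross-origin-resource-policy" not in h:
        findings.append("CORP missing")
    if h.get("cross-origin-embedder-policy", "").lower() not in ("require-corp", "credentialless"):
        findings.append("COEP missing or permissive")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("baseline", RECOMMENDED_HEADERS), ("weak", WEAK_HEADERS)):
        print(f"{name}: {audit_security_headers(hdrs) or ['OK']}")
```

To audit a live site, feed the function the `headers` mapping from an `http.client` or `requests` response; the checks are deliberately conservative (for example, a CSP without `object-src` or `default-src` is flagged) because a missing directive falls back to allowing everything.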