Security Headers Guides
Updated April 2026
Add, fix, and understand HTTP security headers — HSTS, CSP, X-Frame-Options, Permissions-Policy, COOP, COEP, Clear-Site-Data, and more.
26 articles
- → HTTP Security Headers Checklist
- → Fix Missing X-Frame-Options
- → HSTS Not Working — Fix It
- → Nginx HSTS max-age Best Practices
- → COOP and COEP for SharedArrayBuffer
- → Permissions-Policy Guide
- → Clear-Site-Data — Secure Logout
- → Secure + HttpOnly Cookies
- → SameSite Cookies in Iframes
- → CHIPS — Partitioned Cookies 2026
- → 301 vs 308 Redirect Guide
- → Cloudflare Page Rules vs Transform Rules
- → Security Headers for SaaS Apps
- → Security Headers for GitHub Pages
- → WebSockets Security Headers
- → Server-Timing Headers
- → Timing-Allow-Origin
- → Alt-Svc and HTTP/3
- → Vary Header — Fix Caching Bugs
- → Webhook Signature Security
- → Expect-CT Deprecated
- → upgrade-insecure-requests
- → 82% of Sites Expose Server Version
- → Only 27% of Sites Have CSP
- → Most Commonly Missing Security Header
- → Headless CMS Security Headers