
HTTP Security Headers Checklist — What Every Site Needs

Most web servers ship with no security headers by default. The nine checklist items below (eight headers to add, one to remove) take 30 minutes to set up and protect against clickjacking, XSS, MIME sniffing, and forced downgrade (SSL stripping) attacks.

1. Strict-Transport-Security (HSTS)

Tells browsers to connect only over HTTPS for the specified duration, so a later plain-HTTP link or typed URL is upgraded before any request leaves the browser. Prevents SSL stripping attacks. Browsers only honour the header when it arrives over a valid HTTPS connection.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Only add this if HTTPS is fully working. If you add HSTS and HTTPS breaks, users cannot access your site for the duration of max-age. Treat preload as a one-way door: it asks browsers to hard-code your domain in their built-in HSTS lists, and getting removed again takes months, so add it only when you intend to submit the site to the preload list.

2. Content-Security-Policy (CSP)

Defines which origins each kind of resource (scripts, styles, images, frames, plugins) may be loaded from; anything not allowed is blocked by the browser. The most powerful XSS mitigation available. The example below still allows inline styles ('unsafe-inline' in style-src), which is a common compromise; keep script-src free of it. Roll a new policy out as Content-Security-Policy-Report-Only first so that violations are reported rather than enforced while you tune it.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'; object-src 'none';

3. X-Frame-Options

Prevents your page from being embedded in iframes on other sites. Blocks clickjacking attacks. The CSP frame-ancestors directive covers the same ground and takes precedence where both are present, so keep the two consistent: DENY with frame-ancestors 'none' if the site is never framed, SAMEORIGIN with frame-ancestors 'self' if you frame your own pages.

X-Frame-Options: SAMEORIGIN

4. X-Content-Type-Options

Prevents browsers from guessing the content type of a response from its bytes; they must trust the declared Content-Type, and scripts or stylesheets served with the wrong MIME type are refused. One line, no configuration needed.

X-Content-Type-Options: nosniff

5. Referrer-Policy

Controls how much URL information is sent to third-party sites when users click links from your page. With the value below the full URL is sent only to same-origin requests, cross-origin requests get the origin alone, and nothing is sent when going from HTTPS to HTTP.

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Restricts which browser features your page (and embedded iframes) can use. An empty allowlist, written as (), disables the feature for the page and for every iframe it embeds.

Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

7. Cross-Origin-Opener-Policy (COOP)

Isolates your page from cross-origin popups. Required for SharedArrayBuffer and Spectre mitigations.

Cross-Origin-Opener-Policy: same-origin

8. Cross-Origin-Embedder-Policy (COEP)

Required alongside COOP for cross-origin isolation. Needed for SharedArrayBuffer and high-resolution timers. With require-corp the browser refuses every cross-origin subresource (images, scripts, fonts, frames) that does not either send a Cross-Origin-Resource-Policy header or load through CORS, so test it against all third-party assets before enabling it.

Cross-Origin-Embedder-Policy: require-corp

9. Remove Server header

The Server header reveals your web server software and version. Remove it or set it to something generic.

# Nginx: drops the version; "Server: nginx" is still sent
server_tokens off;

# Apache: Prod still sends "Server: Apache" with no version;
# ServerSignature Off removes the footer on server-generated error pages
ServerTokens Prod
ServerSignature Off

Quick config for Nginx

Put these in the server block. Nginx inherits add_header from the enclosing block only when the current block defines no add_header of its own, so a location with its own add_header silently drops all of these; repeat the set wherever you add one. The CSP and COEP headers from the list above are not included here and should be added once tuned for the site.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
server_tokens off;

Use HeadersFixer to scan your live site and see which of these are missing or misconfigured — it generates the exact config for your specific stack.
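A small checker of the kind that paragraph describes, added here as an example (not HeadersFixer's code and not part of the original page): it grades a dict of response headers against the nine items above and returns the findings. The two sample responses are constructed; in practice pass the headers from any HTTP client, e.g. `requests.get(url).headers`.

```python
MIN_HSTS_AGE = 31536000  # one year, the value used in the checklist above

def parse_csp(value):
    """Split a CSP string into {directive: [sources]} (both lower-cased)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    ages = [d[len("max-age="):] for d in hsts if d.startswith("max-age=")]  # HSTS directives
    age = int(ages[0]) if ages and ages[0].isdigit() else 0
    if age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age={age} is missing or below one year")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    csp = parse_csp(h.get("content-security-policy", ""))  # script-src falls back to default-src
    if not csp:
        findings.append("CSP missing")
    elif {"'unsafe-inline'", "*"} & set(csp.get("script-src", csp.get("default-src", ["*"]))):
        findings.append("CSP allows inline or wildcard scripts")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    for name, want in (("x-content-type-options", "nosniff"),
                       ("cross-origin-opener-policy", "same-origin"),
                       ("cross-origin-embedder-policy", "require-corp")):
        if h.get(name, "").lower() != want:
            findings.append(f"{name} should be '{want}'")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    if any(c.isdigit() for c in h.get("server", "")):  # a digit means a version leaked
        findings.append(f"Server header leaks a version: {h['server']}")
    return findings

# Constructed sample responses, not captured from any real site.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()", "Server": "nginx",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp",
}
DEFAULT = {"Server": "Apache/2.4.41 (Ubuntu)", "Strict-Transport-Security": "max-age=300"}
```

`check_headers(HARDENED)` returns an empty list, while `check_headers(DEFAULT)` lists nine findings, one per checklist item.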
