Which security headers are safe to add immediately?

X-Content-Type-Options nosniff, Referrer-Policy, and Permissions-Policy are safe to add to any HTTPS site immediately. HSTS requires HTTPS to be fully working. CSP requires testing in report-only mode first.

What is the Vary header used for?

Vary tells CDNs to cache separate copies based on request headers. Vary: Accept-Encoding is required when serving compressed content so CDNs cache separate compressed and uncompressed versions.

Should I remove the Server header?

Yes if possible. Server: nginx/1.24.0 reveals your server software and version to attackers. Use server_tokens off in Nginx to send just Server: nginx.

HTTP Headers Cheatsheet 2026

Updated April 2026

Quick Answer The most important HTTP security headers: Strict-Transport-Security (force HTTPS), Content-Security-Policy (prevent XSS), X-Frame-Options: SAMEORIGIN (prevent clickjacking), X-Content-Type-Options: nosniff (prevent MIME sniffing), Referrer-Policy (control referrer). Cache headers: Cache-Control, ETag, Vary.

The most important HTTP response headers in one place — security headers, cache headers, and CORS headers with exact values and stack-specific config.

Security headers — add to every site

Header	Value	What it does
Strict-Transport-Security	max-age=31536000; includeSubDomains	Forces HTTPS for 1 year. Prevents downgrade attacks.
Content-Security-Policy	default-src 'self';	Controls which resources can load. Prevents XSS.
X-Frame-Options	SAMEORIGIN	Prevents clickjacking via iframes.
X-Content-Type-Options	nosniff	Prevents MIME type sniffing.
Referrer-Policy	strict-origin-when-cross-origin	Controls what URL is sent as referrer.
Permissions-Policy	camera=(), microphone=(), geolocation=()	Disables unused browser APIs.
Cross-Origin-Opener-Policy	same-origin	Isolates browsing context. Enables SharedArrayBuffer.

Cache headers

Use case	Header value
Static assets (hashed filenames)	Cache-Control: public, max-age=31536000, immutable
HTML pages	Cache-Control: no-cache
Authenticated API	Cache-Control: no-store
Public API with SWR	Cache-Control: public, max-age=60, stale-while-revalidate=300
User-specific (browser cache ok, CDN not)	Cache-Control: private, max-age=300

CORS headers

Header	Example value	Required for
Access-Control-Allow-Origin	https://app.example.com	All cross-origin responses
Access-Control-Allow-Methods	GET, POST, PUT, DELETE, OPTIONS	Preflight responses
Access-Control-Allow-Headers	Content-Type, Authorization	Preflight responses
Access-Control-Allow-Credentials	true	Cookie/auth cross-origin requests
Access-Control-Max-Age	86400	Cache preflight for 24h
Vary	Origin	Dynamic CORS — prevents CDN serving wrong cached response

Other useful headers

Header	Example	Purpose
ETag	W/"abc123"	Cache validation — allows 304 Not Modified responses
Last-Modified	Sat, 04 Apr 2026 00:00:00 GMT	Cache validation fallback
Content-Encoding	br	Indicates Brotli/gzip compression
Vary	Accept-Encoding	CDN caches separate copies per encoding
X-Content-Type-Options	nosniff	MIME sniffing protection
Server	(remove or minimize)	Hides server software version

Nginx — all security headers in one block

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
server_tokens off;

Scan your live headers → HeadersFixer Generate all headers → Security Headers Generator