HeadersCSPHSTS5 min read
Configure HTTP security headers
Content-Security-Policy, X-Frame-Options, HSTS, Referrer-Policy and Nginx/Apache configuration.
Why security headers matter
HTTP security headers protect your users against attacks like XSS, clickjacking, content sniffing and more. They're configured on the web server and enforced by the browser.
Essential headers
Content-Security-Policy (CSP)
Controls what resources your page can load:
nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;Start with a permissive policy and tighten based on browser console errors.
X-Frame-Options
Prevents clickjacking (your site embedded in a malicious iframe):
nginx
add_header X-Frame-Options "SAMEORIGIN" always;X-Content-Type-Options
Prevents MIME type sniffing:
nginx
add_header X-Content-Type-Options "nosniff" always;Referrer-Policy
Controls referrer information sent with requests:
nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;Permissions-Policy
Controls which browser APIs your site can use:
nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;Strict-Transport-Security (HSTS)
Forces HTTPS on all future connections:
nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;Complete Nginx configuration
nginx
server {
listen 443 ssl http2;
server_name yourdomain.com;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
}Apache configuration
In .htaccess or virtualhost config:
apache
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"Enable the headers module:
bash
sudo a2enmod headers
sudo systemctl restart apache2Verify headers
bash
curl -I https://yourdomain.comOr use securityheaders.com for a complete analysis with grading.
Recommendations
- Start with basic headers and add CSP gradually
- Use CSP "report-only" mode to test without breaking anything
- Verify your config at securityheaders.com (aim for A+)
- Don't use
unsafe-evalin CSP unless strictly necessary - Enable HSTS only after confirming HTTPS works correctly
Was this guide helpful?