
Configure HTTP security headers

Content-Security-Policy, X-Frame-Options, HSTS, Referrer-Policy and Nginx/Apache configuration.


Why security headers matter

HTTP security headers protect your users against attacks such as XSS, clickjacking and MIME-type sniffing. They are set by the web server on every response and enforced by the browser, so they cost nothing on the server side.

Essential headers

Content-Security-Policy (CSP)

Controls which origins the page may load scripts, styles, images and other resources from, and whether inline scripts may run:

nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;

Start with a permissive policy and tighten it based on the violations the browser reports in its console.
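Before tightening a policy it helps to see it the way the browser does: split into directives, with fallback to default-src for anything not listed. The following is an added example (not code from the original guide) that parses a CSP value and flags the sources that most often undermine it. The two guide policies are taken from this page; the weak and strict policies, the nonce value and the lint rules themselves are this example's own assumptions.

```python
"""Parse a Content-Security-Policy value and flag weak directives.

Added example, not part of the original guide. The lint rules below are
this example's assumptions about what counts as a weak policy.
"""
from __future__ import annotations

# The two policies shown in the guide (nginx snippets).
GUIDE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;")
# Constructed for this example: the kind of policy a site ends up with after
# "making the console errors go away".
WEAK_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src *"
# Constructed: a nonce-based policy (the nonce value is a placeholder).
STRICT_POLICY = ("default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'; "
                 "object-src 'none'; base-uri 'self'")

BROAD_SOURCES = {"*", "https:", "http:", "data:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [sources...]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive, so they are lower-cased. Browsers ignore
    a repeated directive (the first occurrence wins); we mirror that.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Sources that actually apply to a fetch directive: the directive itself,
    otherwise default-src, otherwise nothing (i.e. unrestricted)."""
    return directives.get(name, directives.get("default-src", []))


def lint_csp(policy: str) -> list[str]:
    """Return human-readable findings; an empty list means no known weakness."""
    d = parse_csp(policy)
    findings: list[str] = []

    if "default-src" not in d:
        findings.append("default-src missing: any directive not listed is unrestricted")

    scripts = effective_sources(d, "script-src")
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it is only a problem when it is the sole way inline scripts run.
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts execute")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() are enabled")
    for src in scripts:
        if src in BROAD_SOURCES:
            findings.append(f"script-src allows overly broad source {src}")

    # object-src does not get a useful default; plugin content should be off.
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': <object>/<embed> content can load")

    # base-uri never falls back to default-src, so it must be set explicitly.
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")

    return findings


if __name__ == "__main__":
    for label, policy in [("guide", GUIDE_POLICY), ("weak", WEAK_POLICY), ("strict", STRICT_POLICY)]:
        print(f"[{label}]")
        for f in lint_csp(policy) or ["no findings"]:
            print("  -", f)
```

Run as a script it prints the findings for each policy. On the guide's own policy the only findings are the missing object-src 'none' and base-uri, which is why a nonce or hash based script-src plus those two directives is the usual end state of the tightening process.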

X-Frame-Options

Prevents clickjacking (your site embedded in a malicious iframe):

nginx
add_header X-Frame-Options "SAMEORIGIN" always;

X-Content-Type-Options

Stops the browser from guessing a response's type instead of trusting the declared Content-Type (which can otherwise turn an uploaded file into executable script):

nginx
add_header X-Content-Type-Options "nosniff" always;

Referrer-Policy

Controls referrer information sent with requests:

nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Permissions-Policy

Controls which browser features (camera, microphone, geolocation, payment and so on) your page and the frames it embeds may use; an empty allowlist `()` disables the feature entirely:

nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

Strict-Transport-Security (HSTS)

Tells the browser to use HTTPS only for this host (and, with includeSubDomains, for its subdomains) for max-age seconds, so later plain-HTTP requests are upgraded before they leave the browser:

nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Complete Nginx configuration

nginx
server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
}

Apache configuration

In .htaccess or virtualhost config:

apache
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Enable the headers module:

bash
sudo a2enmod headers
sudo systemctl restart apache2

Verify headers

bash
curl -I https://yourdomain.com

Or use securityheaders.com for a complete analysis with grading.
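Checking the live response is the only reliable confirmation: in nginx, `add_header` directives in a `server` block are not inherited by a `location` block that sets any `add_header` of its own, so a path can silently lose every header above. The following is an added example (not code from the original guide) that checks a captured header block, in the form `curl -I` prints it, against the headers this page recommends. Both response samples are constructed for the example, and the one-year minimum for HSTS max-age is this example's own threshold.

```python
"""Check a captured HTTP response header block for the recommended headers.

Added example, not part of the original guide. The response samples are
constructed; the HSTS threshold is this example's assumption.
"""
from __future__ import annotations

import re

# Constructed sample: what `curl -I` shows for the guide's nginx config.
GOOD_RESPONSE = """HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';
"""

# Constructed sample: partially configured server with a token HSTS value.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=()
Strict-Transport-Security: max-age=300
"""

# One year; the guide's 63072000 is two years. Assumed threshold.
MIN_HSTS_MAX_AGE = 31536000


def parse_response_headers(raw: str) -> dict[str, str]:
    """Turn `curl -I` style output into {lower-case name: value}.

    The status line has no ':' and is skipped; header names are
    case-insensitive, so they are lower-cased. If a header repeats, the
    last value wins, which is enough for a presence check.
    """
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; -1 if absent or unparseable."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else -1


def check_headers(raw: str) -> dict[str, tuple[bool, str]]:
    """Return {header: (passed, observed value or 'missing')}."""
    h = parse_response_headers(raw)
    report: dict[str, tuple[bool, str]] = {}

    xfo = h.get("x-frame-options", "")
    report["X-Frame-Options"] = (xfo.upper() in {"DENY", "SAMEORIGIN"}, xfo or "missing")

    xcto = h.get("x-content-type-options", "")
    report["X-Content-Type-Options"] = (xcto.lower() == "nosniff", xcto or "missing")

    rp = h.get("referrer-policy", "")
    report["Referrer-Policy"] = (bool(rp) and rp.lower() != "unsafe-url", rp or "missing")

    pp = h.get("permissions-policy", "")
    report["Permissions-Policy"] = (bool(pp), pp or "missing")

    hsts = h.get("strict-transport-security", "")
    report["Strict-Transport-Security"] = (hsts_max_age(hsts) >= MIN_HSTS_MAX_AGE, hsts or "missing")

    csp = h.get("content-security-policy", "")
    report["Content-Security-Policy"] = (bool(csp), csp or "missing")
    return report


def all_ok(report: dict[str, tuple[bool, str]]) -> bool:
    return all(passed for passed, _ in report.values())


if __name__ == "__main__":
    for label, raw in [("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)]:
        print(f"[{label}]")
        for name, (passed, value) in check_headers(raw).items():
            print(f"  {'PASS' if passed else 'FAIL'} {name}: {value}")
```

Feed it real output by saving `curl -sD - -o /dev/null https://yourdomain.com` (a GET rather than `curl -I`'s HEAD, which some servers answer differently) and passing the file contents to `check_headers`; run it against a few distinct paths, not just `/`, to catch the nginx `location` inheritance problem described above.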

Recommendations

  • Start with basic headers and add CSP gradually
  • Use the Content-Security-Policy-Report-Only header to test a policy: violations are reported but nothing is blocked
  • Verify your config at securityheaders.com (aim for A+)
  • Don't use unsafe-eval in CSP unless strictly necessary
  • Enable HSTS only after confirming HTTPS works correctly
