Skip to main content
SGSiteGraph
Security·10 min read·

HTTP Security Headers Explained: A Practical Guide for Website Owners

A comprehensive guide to HTTP security headers including HSTS, CSP, X-Frame-Options, and more.

ST

SiteGraph Team

Security Research at AnantaHQ

HTTP security headers are a critical line of defense for any modern website. These headers, sent by the server in HTTP responses, instruct browsers how to behave when handling your website's content — protecting both your site and your visitors from various attacks.

What Are HTTP Security Headers?

HTTP security headers are response headers that enable browser security features. When a browser receives these headers, it adjusts its behavior according to the directives specified. This can prevent attacks like cross-site scripting (XSS), clickjacking, MIME-type sniffing, and protocol downgrade attacks.

Essential Security Headers

Strict-Transport-Security (HSTS)

HSTS tells browsers to always connect to your website using HTTPS, even if the user types http:// or clicks an HTTP link. This prevents man-in-the-middle attacks that downgrade secure connections to insecure ones.

Example: Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy (CSP)

CSP is one of the most powerful security headers. It controls which sources the browser is allowed to load for different types of resources — scripts, styles, images, fonts, and more. A properly configured CSP can prevent XSS attacks even if an attacker injects malicious code.

Example: Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com

X-Frame-Options

This header prevents your website from being embedded in an iframe on another domain — protecting against clickjacking attacks where an attacker tricks users into clicking something they didn't intend to.

Example: X-Frame-Options: DENY

X-Content-Type-Options

This header stops browsers from MIME-sniffing — guessing the content type of a response instead of trusting the declared Content-Type. This prevents certain types of drive-by download attacks.

Example: X-Content-Type-Options: nosniff

Referrer-Policy

The Referrer-Policy header controls how much referrer information is sent when a user navigates from your site to another. This has both security and privacy implications.

Example: Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Permissions-Policy (formerly Feature-Policy) allows you to control which browser features and APIs — camera, microphone, geolocation, etc. — your website and its embedded content can use.

Example: Permissions-Policy: camera=(), microphone=(), geolocation=()

How to Check Your Security Headers

You can use SiteGraph to instantly check the security headers of any website. Simply enter the domain in the search box, and we'll show you which headers are present and which are missing.

A good security header configuration includes at minimum: HSTS, X-Frame-Options, X-Content-Type-Options, and a basic CSP. The strongest configurations include all six major headers with carefully tuned policies.

ST

SiteGraph Team

Security Research at AnantaHQ

Frequently asked questions

Do I need all security headers?

While not every header is mandatory, implementing HSTS, X-Frame-Options, X-Content-Type-Options, and a Content-Security-Policy is considered a baseline for good security. The other headers provide additional protection.

Can security headers break my website?

Yes, especially CSP and Permissions-Policy. Always test headers in a staging environment first. CSP in particular can block legitimate resources if not configured correctly. Start with a report-only mode (Content-Security-Policy-Report-Only) to identify issues before enforcing.

How does SiteGraph check security headers?

SiteGraph makes an HTTP request to the target website and examines the response headers. We check for the presence and basic configuration of each major security header.

Related Articles