Security Headers Deep Dive Cheat Sheet
Details essential HTTP security response headers including CSP, HSTS, and X-Frame-Options with correct syntax and configuration examples.
2 PagesIntermediateFeb 12, 2026
Essential Security Headers
The most impactful HTTP response headers for hardening a web application.
- Content-Security-Policy- Restricts which sources scripts, styles, and other resources can load from, mitigating XSS
- Strict-Transport-Security- Forces browsers to only connect via HTTPS for a specified duration (HSTS)
- X-Content-Type-Options- Set to 'nosniff' to prevent MIME-type sniffing attacks
- X-Frame-Options- Prevents clickjacking by controlling whether the page can be framed
- Referrer-Policy- Controls how much referrer information is sent with outgoing requests
- Permissions-Policy- Restricts which browser features/APIs (camera, geolocation) the page can use
- Cross-Origin-Opener-Policy- Isolates the browsing context to mitigate cross-origin attacks like Spectre
Content-Security-Policy Example
A restrictive CSP allowing scripts/styles only from trusted sources.
bash
Content-Security-Policy: \ default-src 'self'; \ script-src 'self' https://cdn.example.com; \ style-src 'self' 'unsafe-inline'; \ img-src 'self' data: https:; \ connect-src 'self' https://api.example.com; \ frame-ancestors 'none'; \ base-uri 'self'; \ object-src 'none'; \ report-uri /csp-violation-report
Setting Headers in Express (helmet)
Apply a secure baseline of headers in a Node.js Express app.
javascript
const express = require('express');const helmet = require('helmet');const app = express();app.use(helmet()); // sets sane defaults for most headers belowapp.use(helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", 'https://cdn.example.com'], objectSrc: ["'none'"], },}));app.use(helmet.hsts({ maxAge: 31536000, // 1 year, in seconds includeSubDomains: true, preload: true,}));
Setting Headers in Nginx
Adding security headers at the reverse proxy layer.
bash
add_header X-Content-Type-Options "nosniff" always;add_header X-Frame-Options "DENY" always;add_header Referrer-Policy "strict-origin-when-cross-origin" always;add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
Verifying Headers
Tools and commands to check which headers a site actually sends.
- curl -I- Quick manual check of response headers from the command line
- securityheaders.com- Free online scanner that grades a site's header configuration
- Mozilla Observatory- Detailed analysis and remediation guidance for HTTP security posture
- CSP Evaluator- Google tool for identifying weaknesses in a Content-Security-Policy
Pro Tip
Roll out a new CSP in Content-Security-Policy-Report-Only mode first, pointed at a report-uri collector, so you can see what legitimate resources would be blocked before enforcing it and breaking production.
Was this cheat sheet helpful?
Explore Topics
#SecurityHeadersDeepDive#SecurityHeadersDeepDiveCheatSheet#Cybersecurity#Intermediate#EssentialSecurityHeaders#Content#Security#Policy#Networking#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance