Headers

Security headers are a low-cost way to harden your site at the edge.

Start with a safe baseline

Use these headers for all routes (example for Netlify):

[[headers]]
  for = "/*"
  [headers.values]
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "SAMEORIGIN"
    Referrer-Policy = "strict-origin"
    Permissions-Policy = "geolocation=(self), microphone=(), camera=()"

Add CSP separately and keep it strict

Treat CSP as its own policy and iterate carefully as scripts and integrations evolve.

Start with default-src 'self'
Add only required origins
Prefer nonces/hashes over unsafe-inline

Be intentional with cache headers

Apply long-lived caching to fingerprinted static assets, and shorter/revalidated caching to HTML.

Validate after deployment

In browser dev tools and scanners, confirm:

Headers are present on HTML and static assets
HTTPS and HSTS are active
No unexpected framing or MIME issues
No CSP violations on critical pages

Learn more

Strict-Transport-Security header

Force HTTPS and prevent protocol downgrade attacks.

X-Content-Type-Options header

Disable MIME sniffing to reduce content-type confusion risks.

X-Frame-Options header

Control framing behavior to mitigate clickjacking.

Referrer-Policy header

Limit referrer data sent to external origins.

Permissions-Policy header

Restrict browser features like camera, mic, and geolocation.

Last updated on May 28, 2026

Edit this page on GitHub

Prev

Content Security Policy

Next

Email Obfuscation