
A single missing HTTP header can weaken your entire security posture. Attackers often exploit small oversights — like a forgotten policy or weak HTTPS setup — to launch clickjacking or XSS attacks.

In 2025, browsers have evolved, but the foundation of web security remains unchanged: properly configured HTTP headers. Implementing them is one of the simplest ways to strengthen your website against common exploits.

Here are the five most important headers you should enable this year.


1️⃣ Content-Security-Policy (CSP)

Purpose: Prevents cross-site scripting (XSS) and content injection.

The Content-Security-Policy header defines which content sources are allowed to load. It helps stop malicious inline scripts, iframes, and untrusted JavaScript.

Example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none';

Tip:
Start with Content-Security-Policy-Report-Only mode to collect reports before enforcement. Tools like CSP Evaluator help fine-tune your policy.


2️⃣ X-Frame-Options / Frame-Ancestors

Purpose: Protects against clickjacking attacks.

This header tells browsers whether your pages can be displayed inside an iframe. Without it, attackers can embed hidden frames to hijack clicks.

Examples:

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';

Use both for full browser coverage: older browsers only understand X-Frame-Options, while modern browsers rely on the frame-ancestors directive in CSP and ignore X-Frame-Options when frame-ancestors is present.


3️⃣ Strict-Transport-Security (HSTS)

Purpose: Forces HTTPS connections and prevents downgrade attacks.

The browser remembers that your domain must always use HTTPS after seeing this header.

Example:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

  • max-age: how long (in seconds) the browser keeps enforcing HTTPS for your domain.

  • includeSubDomains: applies the policy to every subdomain as well.

  • preload: signals that you intend to submit your site to hstspreload.org so browsers ship with the policy built in.

Enable HSTS only after your HTTPS setup is fully stable, including every subdomain if you use includeSubDomains: browsers cache the policy for the whole max-age, so a broken certificate cannot be worked around by falling back to HTTP.


4️⃣ Referrer-Policy

Purpose: Controls how much referrer data is shared when users leave your site.

Without it, sensitive paths may leak to external domains.

Recommended setting:

Referrer-Policy: strict-origin-when-cross-origin

This strikes a good balance between privacy and analytics visibility.


5️⃣ Permissions-Policy

Purpose: Restricts use of browser features like camera, microphone, or geolocation.

Formerly called Feature-Policy, this header prevents unnecessary feature access.

Example:

Permissions-Policy: geolocation=(), microphone=(), camera=()

Each empty () means “deny all.” You can whitelist trusted origins if required.


How to Add These Headers

Nginx

add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none';";
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";

Apache

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none';"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

Express.js (Node.js)

const express = require('express');
const helmet = require('helmet');

const app = express(); // the original snippet assumed an existing app instance

// helmet covers CSP, clickjacking (frameguard), HSTS and Referrer-Policy
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "https://cdn.example.com"],
      objectSrc: ["'none'"]
    }
  },
  frameguard: { action: 'sameorigin' },
  hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
}));

// Permissions-Policy is set by hand on every response
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
  next();
});


Test Your Headers

Run this command:

curl -I https://yourdomain.com

You should see all five headers in the HTTP response.
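Eyeballing curl output is error-prone, so here is an added checker (example code, not from this post) that parses response headers and tests each of the five against the values recommended above. The sample response is constructed; the check names and the one-year HSTS threshold are my own choices.

```python
import re

# Constructed sample, shaped like "curl -I" output from a site with all five headers set.
SAMPLE_RESPONSE = """HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none';
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=63072000; includeSubDomains; preload
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
"""

def parse_headers(raw):
    """Map lower-cased header names to values; the status line has no colon and is skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def csp_directives(value):
    """Split a CSP value into {directive: [sources]}; a trailing ';' yields an empty part that is dropped."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def check_headers(raw, min_hsts_age=31536000):
    """Return {check name: passed?} for the five headers; min_hsts_age is one year by default."""
    h = parse_headers(raw)
    csp = csp_directives(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    return {
        "csp_present": bool(csp),
        "csp_scripts_locked_down": bool(csp) and "'unsafe-inline'" not in script_src and "*" not in script_src,
        "csp_object_src_none": csp.get("object-src") == ["'none'"],
        # Either header blocks framing; frame-ancestors is what modern browsers honour
        "framing_restricted": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
        "hsts_max_age_ok": bool(age) and int(age.group(1)) >= min_hsts_age,
        "hsts_include_subdomains": "includesubdomains" in hsts.lower(),
        # These values never send the path to another origin
        "referrer_policy_safe": h.get("referrer-policy", "").lower() in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
        "permissions_policy_present": "permissions-policy" in h,
    }

def failed_checks(raw):
    return sorted(name for name, ok in check_headers(raw).items() if not ok)
```

Pipe the output of curl -I into parse_headers via check_headers and an empty failed_checks list means all five recommendations are met.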

For deeper scans, use free tools like SecurityHeaders.com, Mozilla Observatory, or SSLLabs — they score your configuration and show what’s missing.

by (279 points)
