Question 1

What are HTTP security headers?

Accepted Answer

HTTP security headers are response headers that your web server sends to the browser to instruct it how to behave when handling your website. Headers like Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), and X-Frame-Options tell the browser to enforce HTTPS, restrict resource loading, and prevent clickjacking — protecting your users from a wide range of attacks.

Question 2

What is HSTS and why is it important?

Accepted Answer

HSTS (HTTP Strict Transport Security) is a security header that tells browsers to only communicate with your website over HTTPS, never HTTP. Once a browser sees the HSTS header, it will automatically redirect all future HTTP requests to HTTPS, even before sending them to the server. This prevents man-in-the-middle attacks and protocol downgrade attacks. A site without HSTS can be attacked by stripping HTTPS at the network level.

Question 3

How do I add a Content Security Policy?

Accepted Answer

A Content Security Policy (CSP) is added as an HTTP response header: Content-Security-Policy: default-src 'self'. You configure it in your web server (Nginx: add_header Content-Security-Policy ...; Apache: Header always set Content-Security-Policy ...) or via your CDN or hosting provider. Start with a report-only mode (Content-Security-Policy-Report-Only) to identify violations before enforcing. A strict CSP is one of the most effective defences against XSS attacks.

Question 4

What does X-Frame-Options do?

Accepted Answer

X-Frame-Options controls whether your website can be embedded in an iframe on another site. Setting it to DENY or SAMEORIGIN prevents clickjacking attacks, where an attacker overlays your site inside a hidden iframe to trick users into clicking buttons or entering data. Modern browsers also support the frame-ancestors directive in CSP, which does the same job with more flexibility. Both should be set.

Question 5

How do I get an A+ security headers grade?

Accepted Answer

To achieve an A+ grade, your site needs to return all eight security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (COOP), and Cross-Origin-Embedder-Policy (COEP). The most impactful are HSTS and CSP. Add headers in your web server config, CDN settings (Cloudflare, Fastly), or via middleware in your application framework.

Security Headers Checker

What does this tool check?

HSTS & CSP

Clickjacking Protection

Content Type Sniffing

Security Grade

Frequently Asked Questions

What are HTTP security headers?

What is HSTS and why is it important?

How do I add a Content Security Policy?

What does X-Frame-Options do?

How do I get an A+ security headers grade?

Monitor your security headers 24/7