HTTP Security Headers Reference
HTTP security headers reference and checker — CSP, HSTS, X-Frame-Options, CORS, and more.
Content-Security-Policy
Category: csp
Mitigates cross-site scripting (XSS) by telling the browser which sources it may load scripts, styles, images and other resources from; a script injected from an unlisted source, or inline, is refused. It limits what an injection can do but does not fix the injection itself, and a policy whose script-src contains 'unsafe-inline' (without a nonce or hash) gives almost no XSS protection.
Recommended Value: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; (a starting point: 'unsafe-inline' for styles and the https: wildcard for images are conveniences to tighten when you can; prefer nonces or hashes for any inline script)
Security Risk Without: Cross-site scripting (XSS) runs unconstrained and an injected script can load code and exfiltrate data anywhere
Content-Security-Policy: default-src 'self'
Strict-Transport-Security
Category: transport
Tells the browser to use HTTPS only for this host for max-age seconds (and, with includeSubDomains, for its subdomains), rewriting plain-HTTP navigations before they are sent and refusing to click through certificate errors. This defeats SSL stripping on every visit after the first; the first visit is only protected if the domain is on the browser preload list.
Recommended Value: max-age=31536000; includeSubDomains; preload (add preload only once every subdomain serves HTTPS and you have submitted the domain at hstspreload.org; getting off the list again is slow)
Security Risk Without: Man-in-the-middle attacks, SSL stripping of the initial http:// request
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options
Category: clickjacking
Prevents the page from being rendered inside a frame or iframe on another site, so an attacker cannot overlay it with invisible UI and trick the user into clicking (clickjacking). The CSP frame-ancestors directive supersedes it and wins when both are present; send both to cover older browsers.
Recommended Value: DENY or SAMEORIGIN (ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors to allow specific origins)
Security Risk Without: Clickjacking attacks
X-Frame-Options: DENY
X-Content-Type-Options
Category: csp
Stops the browser from sniffing a response body and treating it as a different type than the Content-Type header declares. Without it, a user-uploaded "image" or text file served from your origin can be executed as JavaScript or applied as a stylesheet.
Recommended Value: nosniff (and always send an accurate Content-Type)
Security Risk Without: MIME confusion attacks, for example uploaded content executed as script
X-Content-Type-Options: nosniff
Referrer-Policy
Category: csp
Controls how much of the current URL is sent in the Referer header when the user follows a link or the page fetches a resource. Paths and query strings often carry session tokens, password-reset links or search terms that third parties should not see.
Recommended Value: strict-origin-when-cross-origin (full URL to same-origin requests, origin only to cross-origin requests, nothing on an HTTPS to HTTP downgrade; this is also the current browser default, so set it explicitly mainly for older browsers)
Security Risk Without: Information leakage via Referer header (full URLs sent to third-party sites)
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Category: csp
Controls which browser features and APIs (camera, microphone, geolocation, payment and others) the page and the iframes it embeds may use. An empty allowlist () disables the feature everywhere on the page; self restricts it to the page's own origin.
Recommended Value: camera=(), microphone=(), geolocation=(self) (deny everything the site does not need; embedded third-party frames cannot exceed what the top-level policy allows)
Security Risk Without: Unauthorized access to browser APIs, for example an injected script or an embedded frame turning on the camera or reading location
Permissions-Policy: camera=(), microphone=()
Access-Control-Allow-Origin
Category: cors
Tells the browser which origin may read this response from cross-origin JavaScript. Absent the header, the same-origin policy already blocks the read, so the danger lies in setting it wrongly: echoing the request's Origin back unconditionally, or matching it with a loose pattern, turns an authenticated API into one that any site can read in the victim's browser.
Recommended Value: Specific origin or same-origin only; avoid wildcard (*) for authenticated resources; when the value is chosen per request from an allowlist, add Vary: Origin so caches never serve one origin's response to another
Security Risk Without: None from omission (the browser blocks cross-origin reads by default); misconfiguration (reflected Origin, loose matching, * on authenticated resources) exposes data cross-origin
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods
Category: cors
Returned on the preflight (OPTIONS) response to tell the browser which methods a cross-origin caller may use. It is a browser-side gate only: the server must still authenticate and authorize every request, because non-browser clients ignore CORS entirely.
Recommended Value: GET, POST, PUT, DELETE (only what is needed)
Security Risk Without: An over-broad allowlist lets every permitted origin drive state-changing methods (PUT, DELETE) with the user's credentials; the real control remains server-side authorization
Access-Control-Allow-Methods: GET, POST
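The two CORS cards above describe the allowlist-versus-reflection choice; the following added example (not the page's own code) shows both sides in Python. The request and response headers are plain dicts and the allowlisted origins are placeholders, both assumptions for the demo; the vulnerable function reflects any Origin with credentials, the hardened one matches the full origin exactly and adds Vary: Origin.

```python
"""CORS origin handling: reflected Origin (the anti-pattern) beside an exact-match
allowlist. Added example, not the page's code; the allowlist entries are placeholders
and request/response headers are plain dicts (an assumption for the demo)."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: the only front-ends allowed to call this API with credentials.
# Full origins (scheme + host), compared exactly, never as substrings or regexes.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_METHODS = "GET, POST"  # only what the API actually needs


def cors_headers_reflected(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable: echo whatever Origin the browser sent and allow credentials.
    Any attacker-controlled page can then read this API's authenticated responses
    in the victim's browser: the cookies ride along and the read is permitted."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    }


def match_allowed_origin(origin: str) -> Optional[str]:
    """Return the canonical allowlist entry for an Origin value, or None.
    Exact match on scheme and host rejects the usual bypasses: a prefix such as
    https://app.example.com.evil.net, an http:// downgrade, the literal 'null'
    origin sent by sandboxed frames, and anything carrying a path or query."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    canonical = f"https://{parts.netloc.lower()}"
    return canonical if canonical in ALLOWED_ORIGINS else None


def cors_headers_allowlisted(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Hardened: emit CORS headers only for an allowlisted origin, always send
    Vary: Origin so a shared cache never serves one origin's response to another,
    and never pair '*' with credentials (browsers reject that combination anyway)."""
    headers = {"Vary": "Origin"}
    origin = request_headers.get("Origin")
    allowed = match_allowed_origin(origin) if origin else None
    if allowed is None:
        return headers  # no Allow-Origin: the browser blocks the cross-origin read
    headers["Access-Control-Allow-Origin"] = allowed  # the canonical allowlisted value
    headers["Access-Control-Allow-Credentials"] = "true"
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
    return headers
```

Call cors_headers_allowlisted with the incoming request headers and merge the result into the response; a request from an unlisted origin gets only Vary: Origin, which is the correct "deny". The same matcher should be used for the preflight response so the two never disagree.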
Cache-Control
Category: cache
Controls whether, and for how long, browsers and intermediate caches (CDNs, proxies) store a response. no-store is the directive that actually prevents storage; no-cache only forces revalidation before reuse and still lets the response be written to disk.
Recommended Value: no-store (for sensitive or per-user responses; no-cache and must-revalidate may be added for older caches); public, max-age=31536000 (for immutable static assets)
Security Risk Without: Sensitive data (account pages, API responses carrying tokens) served from a shared cache to another user or left on disk on a shared machine
Cache-Control: no-store, no-cache, must-revalidate
Cross-Origin-Resource-Policy
Category: cors
Tells the browser to refuse to load this resource for cross-origin (or cross-site) no-cors requests such as img, script or audio tags on other sites. It complements CORS, which governs readable fetches, and mitigates side-channel leaks such as Spectre, where merely loading a response into the attacker's renderer process is enough.
Recommended Value: same-origin or same-site (use cross-origin only for resources meant to be embedded anywhere, such as public CDN assets)
Security Risk Without: Cross-origin information leakage through embedded resources and speculative-execution side channels
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Opener-Policy
Category: cors
Ensures a top-level document does not share a browsing context group with cross-origin documents: a window opened via window.open or a link from a cross-origin page has its opener reference severed, so neither side can reach the other's window object.
Recommended Value: same-origin (same-origin-allow-popups if you must keep a handle on cross-origin popups you open, for example OAuth flows)
Security Risk Without: Cross-origin attacks via shared browsing context, such as window.opener navigation (tabnabbing) and XS-Leaks that count frames or probe window properties; together with Cross-Origin-Embedder-Policy the header also enables cross-origin isolation
Cross-Origin-Opener-Policy: same-origin
X-XSS-Protection
Category: csp
Legacy header that enabled the browser's built-in reflected-XSS filter. Chromium and Edge have removed the filter, Firefox never implemented it, and in browsers that had it the filter itself was abused as a side channel (XS-Leaks) and could block legitimate pages. CSP is the replacement.
Recommended Value: 0 (explicitly disable) or omit, and rely on CSP
Security Risk Without: None in current browsers; only very old browsers without CSP support gained anything from 1; mode=block
X-XSS-Protection: 0
About this tool
HTTP security headers are response headers that instruct the browser to apply a specific defence: restrict where scripts may load from, insist on HTTPS, refuse framing, stop content-type sniffing, or isolate the page from other origins. They work only because the browser honours them, so they mitigate bugs such as cross-site scripting (XSS), clickjacking, MIME-type confusion and cross-origin data theft rather than fixing the underlying code, and non-browser clients ignore them entirely.
This page provides both a reference for the major security headers and an interactive checker that analyzes a site's current configuration. Paste the HTTP response headers or enter a domain to see which security headers are present, which are missing, and which carry weak values, rated against the recommendations above.
Web developers, DevOps engineers and security teams use this reference to harden deployments, usually without application changes: most of these headers are set in the web server, reverse proxy or CDN configuration, or through a framework plugin. The exception is a strict Content-Security-Policy, which normally requires moving inline scripts to nonces or external files. Headers remain one of the fastest wins for a site's resilience, and one of the easiest to verify from the outside.
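The checker described above, as an added example in Python that is not the page's own tool: it parses raw response headers, applies the recommendations from the reference (CSP script-src without 'unsafe-inline' unless a nonce or hash is present, HSTS max-age of a year, nosniff, no wildcard CORS with credentials, no-store on cookie-setting responses, and so on) and produces a list of findings and a 0-100 score. The two sample responses and the scoring weights are constructed for illustration.

```python
"""Minimal security-header checker in the spirit of the page's tool. Added example,
not the page's own code; thresholds follow the reference above, samples are constructed."""
import re
from typing import Dict, List, NamedTuple

Finding = NamedTuple("Finding", [("severity", str), ("header", str), ("message", str)])
ONE_YEAR = 31536000  # the reference's recommended HSTS max-age

# Constructed response carrying several classic mistakes.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' *
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Cache-Control: no-cache
Set-Cookie: session=abc123; Path=/; HttpOnly
"""

# Constructed response using the reference's recommended values plus a script nonce.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(self)
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Cache-Control: no-store
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Raw response text -> lowercase header name -> list of values; status line skipped."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/") or line[0].isspace():
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src ...' -> directive name -> source list."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_headers(headers: Dict[str, List[str]]) -> List[Finding]:
    """Compare parsed headers against the reference's recommendations."""
    found: List[Finding] = []

    def first(name: str):
        return headers[name][0] if headers.get(name) else None

    def add(severity: str, header: str, message: str) -> None:
        found.append(Finding(severity, header, message))

    csp = first("content-security-policy")
    csp_dirs = parse_csp(csp) if csp else {}
    if csp is None:
        add("high", "Content-Security-Policy", "missing")
    else:  # script-src falls back to default-src; a nonce or hash makes 'unsafe-inline' inert
        script = [s.lower() for s in csp_dirs.get("script-src", csp_dirs.get("default-src", []))]
        if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
            add("high", "Content-Security-Policy", "script-src allows 'unsafe-inline' without nonce or hash; injected inline scripts still run")
        if any(s in ("*", "'unsafe-eval'", "http:", "https:") for s in script):
            add("medium", "Content-Security-Policy", "script-src allows wildcard, scheme-wide or 'unsafe-eval' sources")
    hsts = first("strict-transport-security")
    if hsts is None:
        add("high", "Strict-Transport-Security", "missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            add("medium", "Strict-Transport-Security", f"max-age={max_age} is below the recommended one year")
        if "includesubdomains" not in hsts.lower():
            add("low", "Strict-Transport-Security", "includeSubDomains not set")
    if first("x-frame-options") is None and "frame-ancestors" not in csp_dirs:
        add("medium", "X-Frame-Options", "missing and no CSP frame-ancestors; the page can be framed")
    if (first("x-content-type-options") or "").lower() != "nosniff":
        add("medium", "X-Content-Type-Options", "nosniff not set")
    if first("referrer-policy") is None:
        add("low", "Referrer-Policy", "missing; older browsers will send full URLs cross-origin")
    if first("access-control-allow-origin") == "*" and (first("access-control-allow-credentials") or "").lower() == "true":
        add("high", "Access-Control-Allow-Origin", "wildcard with Allow-Credentials: true; browsers reject the pair, which usually means the server intended to reflect any Origin")
    if "set-cookie" in headers and "no-store" not in (first("cache-control") or "").lower():
        add("medium", "Cache-Control", "sets a cookie but lacks no-store; no-cache only forces revalidation")
    if (first("x-xss-protection") or "").strip().startswith("1"):
        add("low", "X-XSS-Protection", "legacy filter enabled; set 0 or omit and rely on CSP")
    for name in ("permissions-policy", "cross-origin-resource-policy", "cross-origin-opener-policy"):
        if first(name) is None:
            add("low", name, "missing")
    return found


def score(findings: List[Finding]) -> int:
    """0-100 rating: 25 points off per high, 10 per medium, 3 per low finding."""
    penalty = {"high": 25, "medium": 10, "low": 3}
    return max(0, 100 - sum(penalty[f.severity] for f in findings))
```

Run check_headers(parse_headers(raw)) on the output of curl -sI against the target; the weak sample above scores 0 and the hardened one 100. The CSP check is deliberately narrow (script-src only), since that is the directive whose weakness turns the policy into decoration; a production checker would also parse the remaining directives and evaluate nonce reuse across responses.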