What are security headers?

The short answer

Security headers are HTTP response headers that tell the browser how to behave when handling your site's content. They protect against common attacks like XSS, clickjacking, MIME sniffing, and data theft. Setting the right headers is one of the easiest ways to improve your site's security.

The most important headers

Content-Security-Policy (CSP)

Controls which resources the browser is allowed to load. This is the most powerful security header.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src *

This policy says:

  • Only load resources from the same origin by default
  • Only run scripts from the same origin (this blocks inline scripts and scripts hosted on other origins)
  • Allow styles from the same origin and inline styles
  • Allow images from anywhere

CSP is the best defense against XSS because even if an attacker injects a script tag, the browser will not execute it if it violates the policy.

X-Frame-Options

Prevents your site from being loaded in an iframe (protects against clickjacking):

X-Frame-Options: DENY

Strict-Transport-Security (HSTS)

Forces the browser to always use HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Once the browser sees this header, it will automatically upgrade all HTTP requests to that host to HTTPS for the specified duration (1 year in this example). This defeats downgrade attacks in which a man-in-the-middle keeps the victim on plain HTTP (SSL stripping).

X-Content-Type-Options

Prevents the browser from guessing the MIME type of a file:

X-Content-Type-Options: nosniff

Without this, a browser might treat a text file as JavaScript and execute it. This header tells the browser to trust the Content-Type header and not guess.

Referrer-Policy

Controls how much referrer information is sent when navigating from your site:

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL for same-origin requests but only the origin (no path) for cross-origin requests. This prevents leaking sensitive URL paths to third-party sites.

Permissions-Policy

Controls which browser features your site can use:

Permissions-Policy: camera=(), microphone=(), geolocation=()

This disables camera, microphone, and geolocation for your site and any embedded iframes. It is useful for preventing third-party scripts from accessing sensitive APIs.

A good starting set

Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
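As an added example (not part of the original article), a small Python audit that checks a response's headers against the starting set above and reports each header that is missing or weakened, e.g. a script-src that still allows 'unsafe-inline' or an HSTS max-age shorter than a year. The sample response is constructed, not captured from any real site.

```python
import re

def check_csp(value):
    """Flag a CSP whose effective script sources still allow inline or wildcard scripts."""
    policy = {d.split()[0].lower(): d.split()[1:] for d in value.split(";") if d.strip()}
    if "default-src" not in policy:
        return "no default-src fallback"
    scripts = set(policy.get("script-src", policy["default-src"]))  # script-src falls back to default-src
    weak = sorted(scripts & {"'unsafe-inline'", "'unsafe-eval'", "*"})
    return f"script-src allows {' '.join(weak)}" if weak else None

def check_hsts(value):
    """Require the one-year max-age and includeSubDomains shown in the starting set."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match or int(match.group(1)) < 31536000:
        return "max-age missing or shorter than one year"
    return None if "includesubdomains" in value.lower() else "includeSubDomains not set"

def check_permissions(value):
    """Each sensitive feature from the starting set must be fully disabled (name=())."""
    disabled = {name.lower() for name in re.findall(r"(\w+)=\(\)", value)}
    missing = sorted({"camera", "microphone", "geolocation"} - disabled)
    return f"{', '.join(missing)} not disabled" if missing else None

CHECKS = {
    "Content-Security-Policy": check_csp,
    "X-Frame-Options": lambda v: None if v.upper() in {"DENY", "SAMEORIGIN"} else f"weak value {v!r}",
    "Strict-Transport-Security": check_hsts,
    "X-Content-Type-Options": lambda v: None if v.lower() == "nosniff" else f"unexpected value {v!r}",
    "Referrer-Policy": lambda v: None if v.lower() in {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"} else f"leaky value {v!r}",
    "Permissions-Policy": check_permissions,
}

def audit_headers(headers):
    """Return one finding per missing or weak header; an empty list means the set is satisfied."""
    present = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    findings = []
    for name, check in CHECKS.items():
        value = present.get(name.lower())
        problem = "missing" if value is None else check(value)
        if problem:
            findings.append(f"{name}: {problem}")
    return findings

# Constructed sample response (not from any real site): two headers weak, two missing
SAMPLE_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
}
```

Running `audit_headers(SAMPLE_RESPONSE)` lists the weak CSP and HSTS values plus the two absent headers, while the full starting set above passes with no findings.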

Interview Tip

You do not need to memorize the exact syntax. Focus on knowing which headers exist, what attacks they prevent, and why they matter. The most important ones to know are CSP (prevents XSS), X-Frame-Options (prevents clickjacking), and HSTS (forces HTTPS). If you can explain these three, you are in good shape.

Why interviewers ask this

Security headers are a practical topic that shows you think about security beyond just writing code. Interviewers ask about them to see if you know how to protect a web application at the HTTP level. It is also a good indicator of whether you have worked with production deployments where these headers are configured.