What Are HTTP Security Headers? A Complete 2026 Guide
HTTP security headers are the cheapest, fastest win in web security. Learn what each one does, which to set first, and how to reach an A grade.
Every time a browser loads your website, your server gets to send a set of instructions along with the page. Most of those instructions are invisible to visitors but they decide how safe your site really is. These instructions are called HTTP security headers, and getting them right is the single cheapest, fastest improvement you can make to your security posture.
There is no new software to install and no code to rewrite. In most cases you add a few lines to your web server or CDN configuration, redeploy, and your entire site is measurably harder to attack. This guide walks through what each header does, the order to add them in, and the mistakes that quietly break sites.
Why headers matter more than people think
A modern web page pulls in scripts, fonts, images and styles from many places. Security headers let you tell the browser exactly what is allowed and what is not. Without them, the browser falls back to permissive defaults that assume the best about every request, which is precisely how cross-site scripting, clickjacking and protocol-downgrade attacks succeed.
Security headers move trust decisions from hope to policy. Instead of assuming nothing will go wrong, you tell the browser the rules and let it enforce them on every single request.
The headers that matter, in priority order
You do not need to set all of them on day one. Start at the top of this list and work down — the first three deliver the majority of the protection.
- Strict-Transport-Security (HSTS) — forces every connection over HTTPS, even if a user types http://. This blocks downgrade attacks and cookie theft on untrusted networks.
- Content-Security-Policy (CSP) — the most powerful header. It controls which scripts, styles and resources the browser may load, which neutralises most cross-site scripting (XSS) attacks.
- X-Frame-Options / frame-ancestors — stops other sites from embedding yours in an invisible frame, which is how clickjacking works.
- X-Content-Type-Options: nosniff — stops the browser from guessing a file's type and accidentally running an image or text file as a script.
- Referrer-Policy — controls how much of your URL is leaked to other sites when a user clicks a link.
- Permissions-Policy — disables powerful browser features you do not use, such as the camera, microphone or geolocation.
A sensible starting configuration
Here is a baseline set of headers that works for the majority of sites. Treat the Content-Security-Policy as a starting point — it almost always needs tailoring to the third-party scripts your site actually uses.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; img-src 'self' data:; object-src 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
The mistakes that break real sites
Two headers have teeth and need care. A Content-Security-Policy that is too strict will block your own scripts and your page will appear broken — always test with the Content-Security-Policy-Report-Only header first so you can see what would break without actually breaking it. HSTS is even less forgiving: once a browser has seen it, it will refuse plain HTTP for the entire max-age window, so never enable preload until you are certain every subdomain serves valid HTTPS.
Roll out CSP in report-only mode, watch the violation reports for a week, then switch to enforcing mode. This single habit prevents almost every header-related outage.
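The week of report-only reports is only useful if someone reads them. The script below is an added example, not the article's or PatchPings' code: it takes the JSON bodies a browser POSTs to a report-uri endpoint (the {"csp-report": {...}} shape), counts violations per directive and origin, and separates the two kinds of fix, namely origins you may need to allow and inline code that needs a nonce or hash rather than 'unsafe-inline'. The report lines and the domains in them are constructed for the example.

```python
"""Summarise CSP violation reports collected during a report-only rollout.

Added example; not the article's code. It assumes the reports arrive in the
JSON shape browsers POST to a `report-uri` endpoint ({"csp-report": {...}});
the report lines below are constructed, not captured from a real site.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: a few lines as stored by a report-collection endpoint.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://cdn.analytics.example/tag.js"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://cdn.analytics.example/tag.js?v=2"}}',
    '{"csp-report": {"document-uri": "https://example.com/pricing", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://cdn.analytics.example/tag.js"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://example.com/about", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "img-src", "violated-directive": "img-src", "blocked-uri": "https://images.example.net/hero.png"}}',
    # Older browsers omit effective-directive and put the whole directive value in violated-directive.
    '{"csp-report": {"document-uri": "https://example.com/", "violated-directive": "style-src \'self\'", "blocked-uri": "https://fonts.example.org/css?family=Inter"}}',
    'not json at all',
    '{"unrelated": true}',
]

KEYWORDS = ("inline", "eval", "data", "(unknown)")  # not fixable by allowlisting an origin


def parse_report(raw):
    """Return (directive, source) for one report line, or None if it is not a CSP report."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict):
        return None
    directive = report.get("effective-directive") or report.get("violated-directive") or ""
    if not directive:
        return None
    # violated-directive may carry the full value ("style-src 'self'"); keep only the name.
    directive = directive.split()[0].lower()
    blocked = report.get("blocked-uri", "")
    if "://" in blocked:
        parts = urlsplit(blocked)          # collapse paths and query strings to an origin
        source = f"{parts.scheme}://{parts.netloc}"
    else:
        source = blocked or "(unknown)"    # browsers send keywords such as "inline" or "eval"
    return directive, source


def summarise(raw_reports):
    """Count violations per (directive, source): {directive: {source: count}}."""
    counts = defaultdict(Counter)
    for raw in raw_reports:
        parsed = parse_report(raw)
        if parsed:
            directive, source = parsed
            counts[directive][source] += 1
    return {d: dict(c) for d, c in counts.items()}


def suggest(summary, min_count=1):
    """Turn the summary into review actions, most frequent source first within each directive."""
    actions = []
    for directive, sources in sorted(summary.items()):
        for source, n in sorted(sources.items(), key=lambda kv: -kv[1]):
            if n < min_count:
                continue
            if source in KEYWORDS:
                actions.append(f"{directive}: {n} blocked '{source}' resource(s); move the code "
                               f"to a file or use a nonce/hash, do not add 'unsafe-inline'")
            else:
                actions.append(f"{directive}: {n} request(s) blocked from {source}; add it to "
                               f"{directive} only if it is a dependency you recognise")
    return actions


if __name__ == "__main__":
    for line in suggest(summarise(SAMPLE_REPORTS)):
        print(line)
```

Run it against the stored report bodies before flipping the header from Content-Security-Policy-Report-Only to Content-Security-Policy; an origin that appears in the summary but that nobody on the team recognises is a finding in its own right, not something to allow.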
How to check your grade
You cannot improve what you cannot see. A scan reads the live response headers from your site, grades each one, and tells you which are missing or misconfigured. PatchPings checks seven header categories in seconds and — because the headers are only useful if you actually deploy them — hands you the exact configuration snippet for your server, whether that is Nginx, Apache or Cloudflare.
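To make the grading concrete, here is an added example of the kind of check a scanner performs, written for this guide and not PatchPings' own code. It takes a captured set of response headers, applies the rules behind the priority list above (HSTS max-age and includeSubDomains, CSP default-src, script sources, object-src, framing via X-Frame-Options or frame-ancestors, nosniff, Referrer-Policy, Permissions-Policy) and returns a letter grade with findings. The weights and the A/B/C/F thresholds are this example's own choice, and both sets of sample headers are constructed; the first is the baseline configuration from this guide.

```python
"""Grade a response's HTTP security headers the way a header scanner would.

Added example, not the article's or PatchPings' code. Weights and grade
thresholds are this example's own choice; the sample header sets are constructed.
"""
import re

WEIGHTS = {"hsts": 25, "csp": 30, "framing": 15, "nosniff": 10, "referrer": 10, "permissions": 10}
ONE_YEAR = 31536000

# Constructed samples: the guide's baseline, and a weak deployment for contrast.
BASELINE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}


def parse_csp(value):
    """Parse "default-src 'self'; img-src 'self' data:" into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_hsts(value):
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return ["max-age missing: browsers ignore the header"]
    if int(m.group(1)) < ONE_YEAR:
        findings.append("max-age below one year")
    if "includesubdomains" not in value.lower():
        findings.append("includeSubDomains missing")
    return findings


def check_csp(value):
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types you did not list are unrestricted")
    scripts = policy.get("script-src", policy.get("default-src", []))
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it on its own.
    if "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
        findings.append("'unsafe-inline' in script sources: XSS protection largely lost")
    if "*" in scripts or any(s in ("http:", "https:") for s in scripts):
        findings.append("wildcard script source: any origin may supply scripts")
    if "'none'" not in policy.get("object-src", policy.get("default-src", [])):
        findings.append("object-src not 'none': plugin content is allowed")
    return findings


def check_framing(headers):
    """None when neither X-Frame-Options nor frame-ancestors is set; findings otherwise."""
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in parse_csp(headers.get("content-security-policy", "")):
        return []
    return [f"X-Frame-Options value '{xfo}' is not DENY or SAMEORIGIN"] if xfo else None


def check_nosniff(value):
    return [] if value.strip().lower() == "nosniff" else ["value must be exactly 'nosniff'"]


def check_referrer(value):
    leaky = ("unsafe-url", "no-referrer-when-downgrade")
    return ["full URL (path and query) is sent to other origins"] if value.strip().lower() in leaky else []


def check_permissions(value):
    return [] if value.strip() else ["header present but empty"]


def grade(raw_headers):
    """Return (letter, score, report); report maps check -> None (missing) or a findings list."""
    h = {k.lower(): v for k, v in raw_headers.items()}
    run = lambda name, fn: None if name not in h else fn(h[name])
    report = {
        "hsts": run("strict-transport-security", check_hsts),
        "csp": run("content-security-policy", check_csp),
        "framing": check_framing(h),
        "nosniff": run("x-content-type-options", check_nosniff),
        "referrer": run("referrer-policy", check_referrer),
        "permissions": run("permissions-policy", check_permissions),
    }
    score = 0  # full weight when clean, half when present with findings, nothing when missing
    for name, result in report.items():
        if result is not None:
            score += WEIGHTS[name] if not result else WEIGHTS[name] / 2
    letter = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 50 else "F"
    return letter, score, report


if __name__ == "__main__":
    for label, headers in (("baseline", BASELINE), ("weak", WEAK)):
        letter, score, report = grade(headers)
        print(label, letter, score, {k: v for k, v in report.items() if v != []})
```

Feed it the header dictionary from any HTTP client (for example the `headers` attribute of a `requests` or `urllib` response) to grade a live site; the half-credit rule is deliberate, since a misconfigured header such as a five-minute HSTS max-age is only marginally better than none.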
Headers are the rare security task with a huge payoff and almost no downside. Set the top three this week, verify them with a security scan, and you will have closed the door on the most common attacks the web throws at small and growing sites. Download PatchPings to grade headers from your phone.
