100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Security Headers Deep Dive Cheat Sheet

Security Headers Deep Dive Cheat Sheet

Details essential HTTP security response headers including CSP, HSTS, and X-Frame-Options with correct syntax and configuration examples.

2 PagesIntermediateFeb 12, 2026

Essential Security Headers

The most impactful HTTP response headers for hardening a web application.

  • Content-Security-Policy- Restricts which sources scripts, styles, and other resources can load from, mitigating XSS
  • Strict-Transport-Security- Forces browsers to only connect via HTTPS for a specified duration (HSTS)
  • X-Content-Type-Options- Set to 'nosniff' to prevent MIME-type sniffing attacks
  • X-Frame-Options- Prevents clickjacking by controlling whether the page can be framed
  • Referrer-Policy- Controls how much referrer information is sent with outgoing requests
  • Permissions-Policy- Restricts which browser features/APIs (camera, geolocation) the page can use
  • Cross-Origin-Opener-Policy- Isolates the browsing context to mitigate cross-origin attacks like Spectre

Content-Security-Policy Example

A restrictive CSP allowing scripts/styles only from trusted sources.

bash
Content-Security-Policy: \  default-src 'self'; \  script-src 'self' https://cdn.example.com; \  style-src 'self' 'unsafe-inline'; \  img-src 'self' data: https:; \  connect-src 'self' https://api.example.com; \  frame-ancestors 'none'; \  base-uri 'self'; \  object-src 'none'; \  report-uri /csp-violation-report

Setting Headers in Express (helmet)

Apply a secure baseline of headers in a Node.js Express app.

javascript
const express = require('express');const helmet = require('helmet');const app = express();app.use(helmet());  // sets sane defaults for most headers belowapp.use(helmet.contentSecurityPolicy({  directives: {    defaultSrc: ["'self'"],    scriptSrc: ["'self'", 'https://cdn.example.com'],    objectSrc: ["'none'"],  },}));app.use(helmet.hsts({  maxAge: 31536000,      // 1 year, in seconds  includeSubDomains: true,  preload: true,}));

Setting Headers in Nginx

Adding security headers at the reverse proxy layer.

bash
add_header X-Content-Type-Options "nosniff" always;add_header X-Frame-Options "DENY" always;add_header Referrer-Policy "strict-origin-when-cross-origin" always;add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

Verifying Headers

Tools and commands to check which headers a site actually sends.

  • curl -I- Quick manual check of response headers from the command line
  • securityheaders.com- Free online scanner that grades a site's header configuration
  • Mozilla Observatory- Detailed analysis and remediation guidance for HTTP security posture
  • CSP Evaluator- Google tool for identifying weaknesses in a Content-Security-Policy
Pro Tip

Roll out a new CSP in Content-Security-Policy-Report-Only mode first, pointed at a report-uri collector, so you can see what legitimate resources would be blocked before enforcing it and breaking production.

Was this cheat sheet helpful?

Explore Topics

#SecurityHeadersDeepDive#SecurityHeadersDeepDiveCheatSheet#Cybersecurity#Intermediate#EssentialSecurityHeaders#Content#Security#Policy#Networking#CheatSheet#SkillVeris