What is the recommended HSTS header value?

A strong baseline is Strict-Transport-Security with max-age=63072000 (two years), includeSubDomains and preload. The long max-age and preload directive let browsers refuse plaintext HTTP before the first request, but only add preload once every subdomain serves HTTPS.

Do I still need X-XSS-Protection?

No. The legacy X-XSS-Protection header is deprecated and modern browsers ignore it; some old versions had bugs that introduced vulnerabilities. The recommended value is 0 to disable the legacy auditor, and you should rely on a strong Content-Security-Policy instead.

What is the difference between X-Frame-Options and CSP frame-ancestors?

Both prevent clickjacking by controlling who can embed your page in a frame. X-Frame-Options is the older header with DENY/SAMEORIGIN values, while CSP frame-ancestors is more flexible and supersedes it. Set both for maximum coverage of old and new browsers.

Is Content-Security-Policy hard to deploy?

CSP is the most powerful header but also the easiest to break a site with. Start in report-only mode using Content-Security-Policy-Report-Only, collect violation reports, then switch to enforcing mode once your allow-list is stable. Prefer nonces or hashes over unsafe-inline.

Which security headers matter most?

If you can only set a few, prioritise Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff and a clickjacking control (frame-ancestors or X-Frame-Options). These cover transport, injection, MIME sniffing and framing — the highest-impact classes.

HTTP Security Headers Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

HTTP security headers are response headers that instruct the browser to enable built-in defences against common web attacks: protocol downgrade, cross-site scripting, clickjacking, MIME sniffing and information leakage. Setting them correctly is one of the cheapest, highest-leverage hardening steps for any site.

How it works

Each header is sent by your server or CDN on every HTTP response. The browser reads the header value and adjusts its behaviour — for example, Strict-Transport-Security makes the browser remember to use HTTPS, and X-Content-Type-Options: nosniff stops it from guessing a resource’s content type. This reference lists the practical security headers, the value you should ship in production, and the specific attack each one mitigates. Search by name or by keyword such as clickjacking, mime, or https.

Recommended baseline

A solid hardened set looks like this — adapt the CSP allow-list to your assets:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
X-Frame-Options: DENY

Notes and tips

Deploy Content-Security-Policy in report-only mode first to avoid breaking legitimate resources. The Permissions-Policy syntax uses an allow-list of origins per feature, where an empty list () disables the feature for everyone. Avoid the deprecated X-XSS-Protection (set it to 0) and Public-Key-Pins (removed from browsers). Always validate header casing is irrelevant but the directive values are case-sensitive for tokens like nosniff and DENY.