[{"data":1,"prerenderedAt":316},["ShallowReactive",2],{"blog-glossary/security-header":3},{"id":4,"title":5,"body":6,"category":290,"date":291,"dateModified":292,"description":293,"draft":294,"extension":295,"faq":296,"featured":294,"headerVariant":300,"image":301,"keywords":301,"meta":302,"navigation":303,"ogDescription":304,"ogTitle":305,"path":306,"readTime":307,"schemaOrg":308,"schemaType":309,"seo":310,"sitemap":311,"stem":312,"tags":313,"twitterCard":314,"__hash__":315},"blog/blog/glossary/security-header.md","What are Security Headers? HTTP Response Security",{"type":7,"value":8,"toc":280},"minimark",[9,16,21,24,28,117,121,128,132,135,176,185,189,227,249,268],[10,11,12],"tldr",{},[13,14,15],"p",{},"Security headers are HTTP response headers that tell browsers to enable security features. They protect against XSS, clickjacking, MIME sniffing, and more. Key headers include Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options. Add them via your web server, CDN, or application code.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"When your server sends a page to a browser, it can include instructions about security. \"Do not run inline scripts.\" \"Only load images from these domains.\" \"Force HTTPS.\" These instructions are security headers. 
Browsers that understand them enable protections that block many common attacks.",[17,25,27],{"id":26},"essential-security-headers","Essential Security Headers",[29,30,31,47],"table",{},[32,33,34],"thead",{},[35,36,37,41,44],"tr",{},[38,39,40],"th",{},"Header",[38,42,43],{},"Purpose",[38,45,46],{},"Protects Against",[48,49,50,62,73,84,95,106],"tbody",{},[35,51,52,56,59],{},[53,54,55],"td",{},"Content-Security-Policy",[53,57,58],{},"Controls resource loading",[53,60,61],{},"XSS, injection",[35,63,64,67,70],{},[53,65,66],{},"Strict-Transport-Security",[53,68,69],{},"Forces HTTPS",[53,71,72],{},"Downgrade attacks",[35,74,75,78,81],{},[53,76,77],{},"X-Content-Type-Options",[53,79,80],{},"Prevents MIME sniffing",[53,82,83],{},"MIME confusion",[35,85,86,89,92],{},[53,87,88],{},"X-Frame-Options",[53,90,91],{},"Controls framing",[53,93,94],{},"Clickjacking",[35,96,97,100,103],{},[53,98,99],{},"Referrer-Policy",[53,101,102],{},"Controls referrer info",[53,104,105],{},"Data leakage",[35,107,108,111,114],{},[53,109,110],{},"Permissions-Policy",[53,112,113],{},"Controls browser features",[53,115,116],{},"Feature abuse",[17,118,120],{"id":119},"example-headers","Example Headers",[122,123,125],"prompt-box",{"title":124},"Recommended starter headers",[13,126,127],{},"Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Content-Type-Options: nosniff\nX-Frame-Options: DENY\nReferrer-Policy: strict-origin-when-cross-origin",[17,129,131],{"id":130},"content-security-policy-deep-dive","Content-Security-Policy Deep Dive",[13,133,134],{},"CSP is the most powerful security header. 
It controls what resources can load on your page:",[136,137,138,146,152,158,164,170],"ul",{},[139,140,141,145],"li",{},[142,143,144],"strong",{},"default-src:"," Fallback for all resource types",[139,147,148,151],{},[142,149,150],{},"script-src:"," Where scripts can load from",[139,153,154,157],{},[142,155,156],{},"style-src:"," Where styles can load from",[139,159,160,163],{},[142,161,162],{},"img-src:"," Where images can load from",[139,165,166,169],{},[142,167,168],{},"connect-src:"," Where fetch/XHR can connect",[139,171,172,175],{},[142,173,174],{},"frame-ancestors:"," Who can frame your page",[177,178,179],"warning-box",{},[13,180,181,184],{},[142,182,183],{},"CSP can break your site."," Start with Content-Security-Policy-Report-Only to log violations without blocking. Fix issues before switching to enforcing mode.",[17,186,188],{"id":187},"adding-security-headers","Adding Security Headers",[136,190,191,197,203,209,215,221],{},[139,192,193,196],{},[142,194,195],{},"Nginx:"," add_header directive",[139,198,199,202],{},[142,200,201],{},"Apache:"," Header set directive",[139,204,205,208],{},[142,206,207],{},"Cloudflare:"," Transform Rules or Workers",[139,210,211,214],{},[142,212,213],{},"Vercel:"," vercel.json headers config",[139,216,217,220],{},[142,218,219],{},"Express:"," helmet middleware",[139,222,223,226],{},[142,224,225],{},"Next.js:"," next.config.js headers",[228,229,230,237,243],"faq-section",{},[231,232,234],"faq-item",{"question":233},"Which security headers should I implement?",[13,235,236],{},"At minimum: Content-Security-Policy (prevents XSS), Strict-Transport-Security (forces HTTPS), X-Content-Type-Options (prevents MIME sniffing), X-Frame-Options (prevents clickjacking). 
Also consider Permissions-Policy, Referrer-Policy, and Cross-Origin headers for additional protection.",[231,238,240],{"question":239},"How do I add security headers to my site?",[13,241,242],{},"Add them in your web server config (nginx, Apache), CDN settings (Cloudflare, Vercel), or application code (Express middleware, Next.js config). The method depends on your stack. Start with report-only mode for CSP to avoid breaking your site.",[231,244,246],{"question":245},"How do I test my security headers?",[13,247,248],{},"Use online scanners like securityheaders.com or Mozilla Observatory. Check browser developer tools Network tab to see response headers. CSP violations appear in the browser console. Start with report-only mode for CSP to find issues before enforcing.",[250,251,252,258,263],"related-articles",{},[253,254],"related-card",{"description":255,"href":256,"title":257},"Content Security Policy","/blog/glossary/csp","CSP",[253,259],{"description":260,"href":261,"title":262},"Force HTTPS","/blog/glossary/hsts","HSTS",[253,264],{"description":265,"href":266,"title":267},"What CSP prevents","/blog/glossary/xss","XSS",[269,270,273,277],"cta-box",{"href":271,"label":272},"/","Start Free Scan",[17,274,276],{"id":275},"check-your-headers","Check Your Headers",[13,278,279],{},"Scan your site for missing security headers.",{"title":281,"searchDepth":282,"depth":282,"links":283},"",2,[284,285,286,287,288,289],{"id":19,"depth":282,"text":20},{"id":26,"depth":282,"text":27},{"id":119,"depth":282,"text":120},{"id":130,"depth":282,"text":131},{"id":187,"depth":282,"text":188},{"id":275,"depth":282,"text":276},"glossary","2026-01-12","2026-02-24","Learn what security headers are, which ones to implement, and how they protect your web application from common attacks.",false,"md",[297,298,299],{"question":233,"answer":236},{"question":239,"answer":242},{"question":245,"answer":248},"green",null,{},true,"Security headers protect browsers from XSS, clickjacking, and other 
attacks. Learn which to implement.","What are Security Headers?","/blog/glossary/security-header","5 min read","[object Object]","DefinedTerm",{"title":5,"description":293},{"loc":306},"blog/glossary/security-header",[],"summary_large_image","uiESFUNsRyS-Z3xS_pbEf8pmomAe6-iIzJbEt_H5Uc0",1775843922058]