[{"data":1,"prerenderedAt":327},["ShallowReactive",2],{"blog-prompts/add-security-headers":3},{"id":4,"title":5,"body":6,"category":306,"date":307,"dateModified":308,"description":309,"draft":310,"extension":311,"faq":312,"featured":310,"headerVariant":313,"image":312,"keywords":312,"meta":314,"navigation":315,"ogDescription":316,"ogTitle":312,"path":317,"readTime":312,"schemaOrg":318,"schemaType":319,"seo":320,"sitemap":321,"stem":322,"tags":323,"twitterCard":325,"__hash__":326},"blog/blog/prompts/add-security-headers.md","Add Security Headers with AI Prompts",{"type":7,"value":8,"toc":297},"minimark",[9,16,21,24,64,68,76,102,112,116,123,169,173,184,218,227,243,247,250,271,285],[10,11,12],"tldr",{},[13,14,15],"p",{},"Security headers tell browsers how to handle your content. HSTS forces HTTPS, CSP blocks XSS, X-Frame-Options prevents clickjacking. Most are one-time setup but provide ongoing protection. These prompts help you configure headers for your specific platform.",[17,18,20],"h2",{"id":19},"essential-security-headers","Essential Security Headers",[13,22,23],{},"Copy this prompt to generate all six essential security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) configured for your platform. Your AI will produce the exact configuration syntax for Next.js, Express, or Nginx.",[25,26,28,36,39,61],"prompt-box",{"title":27},"Add All Essential Headers",[13,29,30,31,35],{},"Add security headers to my ",[32,33,34],"span",{},"Next.js/Express/Nginx"," application.",[13,37,38],{},"Essential headers to add:",[40,41,42,46,49,52,55,58],"ol",{},[43,44,45],"li",{},"Strict-Transport-Security (HSTS)\nmax-age=31536000; includeSubDomains; preload\nForces HTTPS for one year",[43,47,48],{},"Content-Security-Policy (CSP)\ndefault-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'\nControls what resources can load (see CSP page for details)",[43,50,51],{},"X-Frame-Options\nDENY or SAMEORIGIN\nPrevents clickjacking by blocking iframe embedding",[43,53,54],{},"X-Content-Type-Options\nnosniff\nPrevents MIME type sniffing attacks",[43,56,57],{},"Referrer-Policy\nstrict-origin-when-cross-origin\nControls referrer information leakage",[43,59,60],{},"Permissions-Policy\ngeolocation=(), camera=(), microphone=()\nDisables browser features you don't use",[13,62,63],{},"Show me how to configure these for my specific platform.",[17,65,67],{"id":66},"nextjs-security-headers","Next.js Security Headers",[13,69,70,71,75],{},"Paste this prompt to get a complete ",[72,73,74],"code",{},"next.config.js"," headers configuration with all security headers pre-filled. Your AI will generate the headers array with HSTS, frame protection, content-type sniffing prevention, and referrer controls ready to deploy.",[25,77,79,82,85,92,99],{"title":78},"Next.js Configuration",[13,80,81],{},"Configure security headers in my Next.js app.",[13,83,84],{},"In next.config.js:",[13,86,87,88,91],{},"const securityHeaders = ",[32,89,90],{},"\n{\nkey: 'Strict-Transport-Security',\nvalue: 'max-age=31536000; includeSubDomains'\n},\n{\nkey: 'X-Frame-Options',\nvalue: 'DENY'\n},\n{\nkey: 'X-Content-Type-Options',\nvalue: 'nosniff'\n},\n{\nkey: 'Referrer-Policy',\nvalue: 'strict-origin-when-cross-origin'\n},\n{\nkey: 'Permissions-Policy',\nvalue: 'camera=(), microphone=(), geolocation=()'\n}\n",";",[13,93,94,95,98],{},"module.exports = {\nasync headers() {\nreturn ",[32,96,97],{},"\n{\nsource: '/:path*',\nheaders: securityHeaders,\n},\n",";\n},\n};",[13,100,101],{},"For CSP, consider using @next/headers or middleware for dynamic nonces.",[103,104,105],"warning-box",{},[13,106,107,111],{},[108,109,110],"strong",{},"Test before deploying:"," Overly strict headers can break your site. Start with report-only mode for CSP and test all functionality before enforcing.",[17,113,115],{"id":114},"express-security-headers","Express Security Headers",[13,117,118,119,122],{},"Use this prompt to add security headers to your Express app using the Helmet middleware. Your AI will generate the full ",[72,120,121],{},"helmet()"," configuration with CSP directives, HSTS settings, frame protection, and referrer policy tuned to your app's needs.",[25,124,126,129,132,135,166],{"title":125},"Express with Helmet",[13,127,128],{},"Add security headers to my Express app using Helmet.",[13,130,131],{},"npm install helmet",[13,133,134],{},"const helmet = require('helmet');",[13,136,137,138,141,142,144,145,148,149,152,153,155,156,158,159,162,163,165],{},"app.use(helmet({\ncontentSecurityPolicy: {\ndirectives: {\ndefaultSrc: ",[32,139,140],{},"\"'self'\"",",\nscriptSrc: ",[32,143,140],{},",\nstyleSrc: ",[32,146,147],{},"\"'self'\", \"'unsafe-inline'\"",",\nimgSrc: ",[32,150,151],{},"\"'self'\", \"data:\", \"https:\"",",\nconnectSrc: ",[32,154,140],{},",\nfontSrc: ",[32,157,140],{},",\nobjectSrc: ",[32,160,161],{},"\"'none'\"",",\nframeAncestors: ",[32,164,161],{},",\n},\n},\nhsts: {\nmaxAge: 31536000,\nincludeSubDomains: true,\n},\nframeguard: { action: 'deny' },\nreferrerPolicy: { policy: 'strict-origin-when-cross-origin' },\n}));",[13,167,168],{},"Helmet sets sensible defaults. Customize based on your needs.\nFor development, you may need to disable some headers temporarily.",[17,170,172],{"id":171},"nginx-security-headers","Nginx Security Headers",[13,174,175,176,179,180,183],{},"Copy this prompt to generate an Nginx server block with all security headers configured. Your AI will produce ",[72,177,178],{},"add_header"," directives for HSTS, CSP, frame options, content-type protection, and server version hiding with the ",[72,181,182],{},"always"," flag for error pages.",[25,185,187,190,193,196,206,209],{"title":186},"Nginx Configuration",[13,188,189],{},"Add security headers in Nginx configuration.",[13,191,192],{},"In your server block:",[13,194,195],{},"server {\n# Security headers\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\nadd_header X-Frame-Options \"DENY\" always;\nadd_header X-Content-Type-Options \"nosniff\" always;\nadd_header Referrer-Policy \"strict-origin-when-cross-origin\" always;\nadd_header Permissions-Policy \"camera=(), microphone=(), geolocation=()\" always;",[197,198,203],"pre",{"className":199,"code":201,"language":202},[200],"language-text","# CSP (customize for your app)\nadd_header Content-Security-Policy \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'none'; frame-ancestors 'none';\" always;\n\n# Hide server version\nserver_tokens off;\n\n# ... rest of config\n","text",[72,204,201],{"__ignoreMap":205},"",[13,207,208],{},"}",[13,210,211,212],{},"Use \"always\" to add headers to error pages too.\nTest with: curl -I ",[213,214,215],"a",{"href":215,"rel":216},"https://yoursite.com",[217],"nofollow",[219,220,221],"tip-box",{},[13,222,223,226],{},[108,224,225],{},"Pro tip:"," Test your headers at securityheaders.com - it scans your site and grades your security header configuration with specific recommendations.",[228,229,230,237],"faq-section",{},[231,232,234],"faq-item",{"question":233},"Will these headers break my site?",[13,235,236],{},"They might if too strict. Start with permissive settings and tighten gradually. CSP is the most likely to cause issues - use report-only mode first.",[231,238,240],{"question":239},"Do I need all of these headers?",[13,241,242],{},"HSTS, X-Frame-Options, and X-Content-Type-Options are easy wins with minimal risk. CSP is more work but provides the best XSS protection. Start with the easy ones.",[17,244,246],{"id":245},"further-reading","Further Reading",[13,248,249],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[251,252,253,259,265],"ul",{},[43,254,255],{},[213,256,258],{"href":257},"/blog/how-to/add-security-headers","How to add security headers",[43,260,261],{},[213,262,264],{"href":263},"/blog/best-practices/authentication","Authentication best practices",[43,266,267],{},[213,268,270],{"href":269},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[272,273,274,280],"related-articles",{},[275,276],"related-card",{"description":277,"href":278,"title":279},"Detailed CSP setup","/blog/prompts/add-csp-headers","Add CSP Headers",[275,281],{"description":282,"href":283,"title":284},"SSL/TLS setup","/blog/prompts/configure-https","Configure HTTPS",[286,287,290,294],"cta-box",{"href":288,"label":289},"/","Start Free Scan",[17,291,293],{"id":292},"check-your-security-headers","Check Your Security Headers",[13,295,296],{},"Scan your site for missing or misconfigured security headers.",{"title":205,"searchDepth":298,"depth":298,"links":299},2,[300,301,302,303,304,305],{"id":19,"depth":298,"text":20},{"id":66,"depth":298,"text":67},{"id":114,"depth":298,"text":115},{"id":171,"depth":298,"text":172},{"id":245,"depth":298,"text":246},{"id":292,"depth":298,"text":293},"prompts","2026-02-13","2026-03-06","AI prompts to add essential security headers. Configure CSP, HSTS, X-Frame-Options, and other headers to protect your application from common attacks.",false,"md",null,"cyan",{},true,"AI prompts to configure security headers for your web application.","/blog/prompts/add-security-headers","[object Object]","BlogPosting",{"title":5,"description":309},{"loc":317},"blog/prompts/add-security-headers",[324],"Deployment","summary_large_image","SAdoClkLtjf5DkKSV_l0N17g1mMxZb3RxsrHZPZ8q4g",1775843921476]