HTTP response headers are metadata your server sends alongside every response. A handful have major security implications. Setting them correctly takes minutes; ignoring them leaves exploitable attack surface open.

Strict-Transport-Security (HSTS)

Tells browsers to always use HTTPS, even if the user types http:// or follows an HTTP link. This defeats SSL-stripping attacks on every visit after the browser has first seen the header (and from the very first visit if the domain is on the preload list).

Recommended: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Warning: Start with a short max-age while testing. A long max-age is a commitment: browsers will refuse plain HTTP for that duration, for every subdomain if includeSubDomains is set. The preload directive is a further commitment, since it signals consent to be added to the browsers' built-in preload list, from which removal can take months.

Content-Security-Policy (CSP)

Defines exactly which sources of scripts, styles, and images the browser may load. Your primary browser-side defence against XSS attacks: even when output encoding fails and markup is injected, a strict policy stops the injected script from running.

Starting policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none';

Tip: Deploy in report-only mode first (Content-Security-Policy-Report-Only) to surface violations without breaking anything. Include a report-to or report-uri directive so that violation reports reach an endpoint you actually monitor, rather than only appearing in the developer console.

X-Frame-Options

Controls whether your pages can be embedded in iframes. Without it, attackers use clickjacking to trick users into unintended actions. Modern browsers give precedence to the CSP frame-ancestors directive when both are present; keep X-Frame-Options as well for older browsers.

Recommended: X-Frame-Options: DENY

X-Content-Type-Options

Prevents MIME-sniffing, in which the browser guesses a response's type from its content rather than trusting the declared Content-Type, so that an uploaded file or a misconfigured endpoint cannot be reinterpreted as script or HTML.

Value: X-Content-Type-Options: nosniff

Referrer-Policy

Controls how much of the referring URL is sent with outbound requests, so that session tokens or sensitive paths in query strings are not leaked to third-party sites.

Recommended: Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls which browser APIs your app can use — camera, microphone, geolocation, payment, etc.

Example: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Headers to Remove

Remove or suppress: X-Powered-By, Server, and X-AspNet-Version — they expose your stack to fingerprinting.
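The checks in the sections above, written as an added Python example that audits a captured set of response headers (this is not code from the original page or from EX-N; the header dict and its sample values are constructed here, and the one-year HSTS threshold is this example's own choice):

```python
# Response headers that only help fingerprint the stack (see "Headers to Remove").
FINGERPRINT_HEADERS = ("x-powered-by", "server", "x-aspnet-version")
ONE_YEAR = 31536000  # seconds; the recommended 63072000 above is two years

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

def csp_directive(policy, name):
    """Return the lower-cased source list of one CSP directive, or None if unset."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    csp = h.get("content-security-policy")
    if csp is None:
        suffix = " (Report-Only only)" if "content-security-policy-report-only" in h else ""
        findings.append("no enforced Content-Security-Policy" + suffix)
    else:  # script-src falls back to default-src; neither set means scripts from anywhere
        scripts = csp_directive(csp, "script-src")
        if scripts is None:
            scripts = csp_directive(csp, "default-src")
        if scripts is None or "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP permits inline or wildcard scripts")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and (csp is None or csp_directive(csp, "frame-ancestors") is None):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    findings += [f"missing {n}" for n in ("referrer-policy", "permissions-policy") if n not in h]
    findings += [f"remove fingerprinting header {n}" for n in FINGERPRINT_HEADERS if n in h]
    return findings

# Constructed sample: a default stack before hardening (not a real server's headers).
SAMPLE_WEAK = {"Server": "nginx", "X-Powered-By": "Express", "Strict-Transport-Security": "max-age=300"}
```

Feed it the headers from a real response (for example the dict from a requests.Response) and fix findings top to bottom; the recommended values given in each section above produce an empty list.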

Test Your Headers Now

Use our free security scanner to check your headers instantly. For a full audit, get in touch with EX-N.