Security Headers
ELI5 — The Vibe Check
Security Headers are HTTP response headers that tell browsers 'here's how to protect my users.' Limit the damage of XSS, prevent clickjacking, stop MIME sniffing — all with a few headers. It's free security that most sites forget to set. Go check yours on securityheaders.com right now.
Real Talk
HTTP security headers are response headers that instruct browsers to enable protective mechanisms: Strict-Transport-Security (HSTS) pins the origin to HTTPS, Content-Security-Policy (CSP) restricts where scripts and other resources may load from, X-Content-Type-Options: nosniff stops MIME-type guessing, X-Frame-Options (now largely superseded by CSP's frame-ancestors directive) controls who may frame the page, Referrer-Policy limits what the Referer header leaks to other origins, and Permissions-Policy disables browser features such as camera and microphone. Together they mitigate XSS, clickjacking, protocol downgrade, and information-leakage attacks. They are defense in depth, not a fix: a CSP shrinks the blast radius of an injected script but does not remove the injection bug, and a header only protects users whose browsers honor it.
Show Me The Code
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Permissions-Policy: camera=(), microphone=()
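What a scanner like securityheaders.com checks can be reproduced offline. The following is an added example, not code from the original page: a small Python audit that takes a dict of response headers (as any HTTP client returns them) and reports which of the headers above are missing or weakly configured. The thresholds it applies (a one-year HSTS max-age, rejecting 'unsafe-inline' in script-src unless a nonce or hash is present, treating CSP frame-ancestors as a valid replacement for X-Frame-Options) follow the browser specs; the two header sets at the bottom are constructed for the demo, not captured from any real site.

```python
"""Audit HTTP response headers for the security headers discussed on this page.

Added example, not code from the original page. It works on a plain dict of
header names to values, so it runs offline against the constructed sets below.
"""

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def parse_directives(value):
    """Split 'max-age=63072000; includeSubDomains' into a lowercase dict."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip().strip('"')
    return out


def parse_csp(value):
    """Parse a Content-Security-Policy into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: present, at least one year, and preload only with includeSubDomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age") or 0)
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "preload" in d and "includesubdomains" not in d:
            findings.append("HSTS preload requested without includeSubDomains")

    # CSP: script-src (falling back to default-src) must not be effectively open.
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append("CSP missing")
    else:
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            hashes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
            strict = any(s.startswith(hashes) or s == "'strict-dynamic'" for s in script)
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present,
            # so it is only a finding when it is actually in effect.
            if "'unsafe-inline'" in script and not strict:
                findings.append("CSP script-src allows 'unsafe-inline'")
            if any(s in ("*", "https:", "http:") for s in script) and "'strict-dynamic'" not in script:
                findings.append("CSP script-src allows scripts from any host")

    # Content sniffing: the only valid value is nosniff.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options; accept either.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    # Referrer leakage: unsafe-url and the legacy default send full URLs cross-origin.
    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("Referrer-Policy missing")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy {rp} leaks full URLs cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    return findings


# Constructed header sets for the demo; not captured from any real site.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300; preload",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {audit_headers(hdrs) or ['no findings']}")
```

The weak set produces eight findings, the hardened set none. One caveat the audit cannot see: `preload` is a commitment. Once a domain is in the browser preload lists, removal takes months and every subdomain must serve HTTPS in the meantime, so only add it after the whole domain tree is permanently HTTPS.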
When You'll Hear This
"Our security headers score A+ on securityheaders.com." / "CSP blocks inline scripts — it's the most impactful security header you can set."
Related Terms
Content Security Policy Headers
CSP tells the browser exactly where scripts, styles, images, and other resources are allowed to load from. If a hacker injects a script pointing to evil.
HSTS (HTTP Strict Transport Security)
HSTS (HTTP Strict Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP.'
OWASP (Open Web Application Security Project)
OWASP (Open Web Application Security Project) is the internet's biggest security club: a nonprofit community that publishes free application-security guidance, including the OWASP Top 10.