10. HTTP Headers
Header | Purpose (Simplified) | Example | Protects Against |
---|---|---|---|
Content-Security-Policy | Tells the browser which sources (scripts, styles, images, frames) it may load, so injected script from anywhere else is refused. | Content-Security-Policy: default-src 'self'; script-src 'self' | XSS, data injection; clickjacking only when a `frame-ancestors` directive is also set |
Strict-Transport-Security | Tells the browser to reach the site only over HTTPS for `max-age` seconds, upgrading any http:// link automatically. The very first visit is unprotected unless the domain is on the browser preload list (`preload` only marks eligibility; the domain still has to be submitted). | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | SSL stripping, protocol-downgrade man-in-the-middle (MITM) |
X-Frame-Options | Blocks other sites from embedding your pages in a frame or iframe (`SAMEORIGIN` allows your own origin). Superseded by CSP `frame-ancestors`, but still sent for older browsers. | X-Frame-Options: DENY | Clickjacking |
X-Content-Type-Options | Stops the browser from sniffing the content type and forces it to honour the declared `Content-Type`. | X-Content-Type-Options: nosniff | MIME sniffing, e.g. a user-uploaded file served as text/plain being interpreted as script or stylesheet |
X-XSS-Protection | Legacy toggle for the browser's built-in reflected-XSS filter. Deprecated: current browsers ignore it, and the filter itself was abused for cross-site leaks, so if the header is sent at all the recommended value is `0`; rely on CSP instead. | X-XSS-Protection: 1; mode=block | Reflected XSS in old browsers only |
Referrer-Policy | Controls how much URL info gets sent to other websites. | Referrer-Policy: no-referrer | Leaking tokens or secrets in URLs |
Permissions-Policy | Limits what your site can use—like camera, mic, or location. | Permissions-Policy: geolocation=(), microphone=() | Misuse of browser features |
Set-Cookie flags | Hardens cookies: `Secure` sends the cookie only over HTTPS; `HttpOnly` hides it from client-side script (`document.cookie`); `SameSite=Strict` withholds it from cross-site requests. | Set-Cookie: id=123; HttpOnly; Secure; SameSite=Strict | Cookie theft via XSS (HttpOnly), interception over plaintext (Secure), CSRF (SameSite) |
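
The table above is a checklist; the following Python is an added example (not part of the original page) that turns it into an audit. `audit_headers` takes a response's headers plus its `Set-Cookie` values and returns findings for missing or weak settings: it parses the CSP to catch `'unsafe-inline'` and a missing `frame-ancestors`, checks the HSTS `max-age`, flags any `X-XSS-Protection` value other than `0`, and requires `Secure`, `HttpOnly` and `SameSite` on every cookie. The header values in `WEAK` and `HARDENED` are constructed sample responses, and the one-year HSTS threshold is an assumption chosen to match the table's example.

```python
"""Audit HTTP response headers against the hardening table above.

The sample responses below are constructed for this example; they are not
captured from any real site.
"""
import re
from typing import Dict, List

# Assumed threshold: one year, matching the table's example max-age.
MIN_HSTS_SECONDS = 31536000


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str], cookies: List[str]) -> List[str]:
    """Return findings for one response.

    `headers` maps header names (any case) to values; `cookies` holds one
    string per Set-Cookie header, since a response may carry several.
    """
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}

    # CSP: present, no inline/wildcard script, and framing covered somewhere.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or wildcard scripts")
        if "frame-ancestors" not in policy and "x-frame-options" not in h:
            findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    # HSTS: present with a long enough max-age.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS missing")
    elif int(m.group(1)) < MIN_HSTS_SECONDS:
        findings.append(f"HSTS max-age too short ({m.group(1)}s)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    # The legacy XSS auditor is gone from current browsers; only 0 is safe.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(f"X-XSS-Protection set to '{xss}'; use 0 or drop the header")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    # Every cookie needs Secure, HttpOnly and a SameSite attribute.
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie '{name}' missing {flag}")
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
    "X-XSS-Protection": "1; mode=block",
}
WEAK_COOKIES = ["session=abc123; Path=/"]

HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(), microphone=()",
}
HARDENED_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"]

if __name__ == "__main__":
    for label, hdrs, cks in (("weak", WEAK, WEAK_COOKIES), ("hardened", HARDENED, HARDENED_COOKIES)):
        print(label, audit_headers(hdrs, cks) or ["no findings"])
```

Feed it the headers from a real response (for example `dict(requests.get(url).headers)` together with the raw `Set-Cookie` values) and the weak response above produces ten findings while the hardened one produces none. The CSP check deliberately accepts either `frame-ancestors` or `X-Frame-Options`, because a site that sets only the latter is still covered against clickjacking in every browser that matters.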