Web Security · 1 min read

HTTP Security Headers Checklist

HTTP security headers tell browsers how to handle your content. Missing headers leave users vulnerable to clickjacking, MIME sniffing attacks, and man-in-the-middle downgrades. Most can be added with a single line of server configuration, yet a surprising number of production sites skip them.

Try it now

HTTP Response Inspector

Runs in your browser, nothing leaves your device.

Strict-Transport-Security (HSTS) forces HTTPS and prevents downgrade attacks. X-Content-Type-Options: nosniff stops browsers from guessing MIME types, blocking attacks where a text file is interpreted as JavaScript. X-Frame-Options prevents clickjacking by controlling who can embed your page in an iframe. Referrer-Policy controls what URL information leaks to other sites.

The Server header often reveals the web server and version (e.g., Apache/2.4.52). X-Powered-By exposes the framework (e.g., Express, PHP/8.1). These give attackers a head start in finding version-specific exploits. Remove or genericize them in production.

Missing critical headers

Input
Server: Apache/2.4.52 X-Powered-By: PHP/8.1.2
Result
Missing HSTS, CSP, X-Content-Type-Options, X-Frame-Options. Leaks server info.

Security context

Security headers are cheap insurance. They take minutes to add and protect against entire classes of attacks. If a site is missing basic headers like HSTS and X-Content-Type-Options, it's a signal that security wasn't a priority during development.

Content-Security-Policy, because it provides the strongest protection against XSS, which is the most common web vulnerability. HSTS is a close second, as it prevents HTTPS downgrade attacks.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description