Web Security Headers Fundamentals
Production-ready web hardening knowledge base
Implementation-first guidance for developers, sysadmins, and security engineers. Get exact directives, stack-specific syntax, and diagnostics you can run in production.
HTTP response headers are how a server tells the browser to enforce HTTPS, restrict where scripts and frames can load from, and limit what data leaks across origins. Set them correctly and you neutralize whole classes of attacks — protocol downgrades, cross-site scripting, clickjacking, and referrer leakage — before they reach your application logic.
This is a reference for engineers who already know the threat and need the exact configuration. Every page leads with the threat model and spec mechanics, then gives copy-pasteable config blocks for Nginx, Apache, Cloudflare, Node/Express (Helmet), Django and FastAPI, and Vercel/Next.js — followed by literal verification commands and safe rollback steps. No marketing, no hedging.
The material is organized in three parts: the header fundamentals (what each header does and how browsers enforce it), the platform implementation guides (where and how to set them on your stack), and auditing and compliance (how to verify, scan, grade, and monitor what you shipped).
Fundamentals: Threat models, browser enforcement, and directive syntax for every core header, with trade-offs such as HSTS preload irreversibility and CSP breakage risk.
Implementation Guides: Concrete syntax for Nginx, Apache, Cloudflare, Node/Express, FastAPI/Django, and Vercel/Next.js, with the precedence rules that cause duplicate-header bugs.
Auditing & Compliance: Verify, scan, grade, and monitor headers across an estate — from a one-pass audit checklist to CI/CD gates and CSP violation telemetry.

Quick verification commands to run against your own domain:
curl -sI https://your-domain.com | grep -iE 'strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy|permissions-policy'
openssl s_client -connect your-domain.com:443 -servername your-domain.com
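The curl | grep one-liner above only shows which headers came back; the script below, an added example that is not code from this knowledge base, turns that into a pass/fail audit of the same six headers and checks an HSTS value against the preload-list submission rules (max-age of at least one year, includeSubDomains, preload), the setting the Fundamentals section flags as hard to reverse. The sample responses are constructed, not captured from any real host.

```shell
# Added example: audit a header dump for the six headers grepped above and check
# HSTS preload readiness. Sample inputs below are constructed.
# Print the first value of header $2 (case-insensitive) found in raw header text $1.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
    | cut -d: -f2- | sed 's/^[[:space:]]*//'
}
# Report each required header; the return code is the number of missing headers.
audit_headers() {
  missing=0
  for h in strict-transport-security content-security-policy x-frame-options \
           x-content-type-options referrer-policy permissions-policy; do
    v=$(header_value "$1" "$h")
    if [ -z "$v" ]; then
      echo "MISSING  $h"
      missing=$((missing + 1))
    else
      echo "present  $h: $v"
    fi
  done
  return "$missing"
}
# Return 0 only if an HSTS value meets the preload-list requirements:
# max-age >= 31536000 (one year), includeSubDomains, and preload.
hsts_preload_ready() {
  v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  age=$(printf '%s' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 31536000 ] || return 1
  case "$v" in *includesubdomains*) ;; *) return 1 ;; esac
  case "$v" in *preload*) return 0 ;; *) return 1 ;; esac
}
# Constructed sample responses (not captured from any real host).
GOOD=$(cat <<'EOF'
HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=()
EOF
)
WEAK=$(cat <<'EOF'
HTTP/2 200
strict-transport-security: max-age=300; preload
x-frame-options: SAMEORIGIN
EOF
)
# Live use: audit_headers "$(curl -sI https://your-domain.com)"
```

The WEAK sample shows the case worth catching before rollout: a preload directive on a short max-age without includeSubDomains, which the preload list would reject anyway but which signals a policy that was not thought through.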