00 Quick Answer
Short answer: the minimum security header set most websites need is Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Together they reduce clickjacking, MIME-sniffing, data leakage, and script injection risk.
Start with a safe baseline, then tighten the policy after testing. Use the deeper guides for CSP, HSTS, and Permissions-Policy if you need implementation details.
01 Why Headers Matter
HTTP headers are the metadata sent between a client (browser) and a server. Security headers are a specific subset of these that instruct the browser on how to behave when handling your website's content.
They are one of the most efficient ways to harden a site because they usually require no changes to application logic: a few lines of configuration on your web server, reverse proxy, or CDN. The one exception is a strict Content-Security-Policy, which often means moving inline scripts and styles into external files, so plan that as a separate step rather than a one-line switch.
02 X-Frame-Options
Purpose: Prevents Clickjacking.
This header tells the browser whether your site may be embedded in an <iframe>, <frame>, <embed>, or <object>. If an attacker can frame your site on a page they control, they can cover it with invisible elements and trick users into clicking buttons (like "Delete Account") without knowing it. The only values modern browsers honour are DENY and SAMEORIGIN; ALLOW-FROM is obsolete and ignored. Allowing specific partner origins requires the CSP frame-ancestors directive, which takes precedence over X-Frame-Options when both are present.
X-Frame-Options: SAMEORIGIN
03 X-Content-Type-Options
Purpose: Prevents MIME-sniffing.
Browsers sometimes try to "guess" (sniff) a response's type instead of trusting the server's Content-Type. That is dangerous when user-supplied content is served from your origin: a file uploaded as plain text or an image could be sniffed as HTML or JavaScript and run in your site's context. nosniff forces the browser to honour the declared content type, and it also makes the browser refuse cross-origin <script> and stylesheet loads whose MIME type is not a JavaScript type or text/css. The header only helps if your server actually sets correct Content-Type values, so check those at the same time.
X-Content-Type-Options: nosniff
04 Referrer-Policy
Purpose: Controls how much information is sent in the 'Referer' header.
When a user follows a link from your site to another, the browser sends the URL of the page they came from in the Referer header. That can leak sensitive data to third parties: session or password-reset tokens in query strings, or private paths that reveal internal structure. This header limits what is sent. strict-origin-when-cross-origin, now the default in current browsers, sends the full URL for same-origin requests, only the origin (scheme and host) for cross-origin requests, and nothing at all when navigating from HTTPS to HTTP. Setting it explicitly means you do not depend on the browser's default; no-referrer is the stricter choice if nothing should leak.
Referrer-Policy: strict-origin-when-cross-origin
05 Permissions-Policy
Purpose: Controls access to browser features.
Formerly known as Feature-Policy, this header lets you enable or disable powerful browser features (geolocation, camera, microphone, payment, and others) for your own pages and for any embedded iframes. An empty allowlist, (), disables the feature everywhere, including your own origin; (self) keeps it for your origin only; (self "https://example.com") extends it to a named origin. The syntax is not the same as Feature-Policy's space-separated origin lists, so do not copy values from one header to the other.
Permissions-Policy: geolocation=(), camera=(), microphone=()
06 HSTS & CSP
We've dedicated entire articles to these two because they are so powerful, but they are essential parts of this list:
- Strict-Transport-Security (HSTS): Enforces HTTPS. It tells the browser to use HTTPS only for your host for max-age seconds, so later http:// links are upgraded before the request leaves the browser. It only takes effect after a first visit over HTTPS (the header is ignored when received over plain HTTP), so keep a server-side redirect as well, and add includeSubDomains and preload only once every subdomain works over TLS.
- Content-Security-Policy (CSP): Prevents XSS and injection attacks by restricting where scripts, styles, frames and other resources may load from. Its frame-ancestors directive is the modern replacement for X-Frame-Options. Roll it out as Content-Security-Policy-Report-Only first so violations are reported without breaking the page.
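The six headers above, as an added example that is not part of this article or of any library: a small Node.js helper (the function and option names are this example's own) that builds the baseline values and sets them on any response object with a setHeader method, such as Node's http.ServerResponse or an Express res. It also shows how CSP frame-ancestors and X-Frame-Options are kept in agreement.

```javascript
// Added example, not code from the article: a framework-agnostic helper that
// emits the baseline header set on any response object that exposes
// setHeader(name, value) (Node's http.ServerResponse, Express's res, ...).
// Function names and option names are this example's own.

function buildSecurityHeaders(opts = {}) {
  const {
    // HSTS lifetime in seconds; one year is the usual minimum and what the
    // preload list requires.
    hstsMaxAge = 31536000,
    includeSubDomains = true,
    // Origins allowed to frame the site (CSP frame-ancestors syntax).
    // [] means nobody, ["'self'"] means only the site itself.
    frameAncestors = ["'self'"],
    // Allowed script origins. Keep 'unsafe-inline' and 'unsafe-eval' out.
    scriptSrc = ["'self'"],
  } = opts;

  const csp = [
    "default-src 'self'",
    `script-src ${scriptSrc.join(' ')}`,
    "object-src 'none'",
    "base-uri 'self'",
    `frame-ancestors ${frameAncestors.length ? frameAncestors.join(' ') : "'none'"}`,
  ].join('; ');

  // X-Frame-Options only has DENY and SAMEORIGIN. It is sent for older
  // browsers when it can say the same thing as frame-ancestors; when
  // specific third-party origins are allowed, only CSP can express that.
  let xfo = null;
  if (frameAncestors.length === 0) xfo = 'DENY';
  else if (frameAncestors.length === 1 && frameAncestors[0] === "'self'") xfo = 'SAMEORIGIN';

  const headers = {
    'Strict-Transport-Security':
      `max-age=${hstsMaxAge}${includeSubDomains ? '; includeSubDomains' : ''}`,
    'Content-Security-Policy': csp,
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'geolocation=(), camera=(), microphone=()',
  };
  if (xfo) headers['X-Frame-Options'] = xfo;
  return headers;
}

// Apply the headers to a response; returns what was set so callers can log it.
function applySecurityHeaders(res, opts) {
  const headers = buildSecurityHeaders(opts);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Stand-alone demo against a minimal stand-in for http.ServerResponse.
const demoRes = { headers: {}, setHeader(name, value) { this.headers[name] = value; } };
applySecurityHeaders(demoRes);
console.log(demoRes.headers);

if (typeof module !== 'undefined') module.exports = { buildSecurityHeaders, applySecurityHeaders };
```

In Express this becomes `app.use((req, res, next) => { applySecurityHeaders(res); next(); })`; a reverse proxy or CDN can emit the same values with its own add-header directive. Ship the CSP as Content-Security-Policy-Report-Only first, and widen scriptSrc only to origins you actually load scripts from.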
07 Frequently Asked Questions
How do I check my security headers?
You can use the LamaniSecure website checker, browser developer tools (Network tab: select the document request and read its response headers), or curl -s -D - -o /dev/null https://example.com from the command line. Check the HTTPS response specifically, since HSTS is ignored when it arrives over plain HTTP, and check a few different paths and an error page, because CDNs and error handlers sometimes drop headers the main page sets.
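As an added example that is not from this article or from the LamaniSecure checker, the following Node.js script audits a set of response headers against the baseline in this guide and reports what is missing or weak. The constructed sample headers, the severity levels and thresholds (one year for HSTS, for instance) are this example's own choices; the optional live mode assumes Node 18 or later for the global fetch.

```javascript
// Added example, not from the article or from any checker it names: audit a
// response's headers against the baseline and flag what is missing or weak.
// Header names are matched case-insensitively (Node's HTTP client hands them
// back lowercased). Severity levels, thresholds and wording are this
// example's own choices.

const REQUIRED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-content-type-options',
  'x-frame-options',
  'referrer-policy',
  'permissions-policy',
];

// Lowercase the keys so callers can pass headers in any casing.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// Split "default-src 'self'; script-src a b" into { 'default-src': ["'self'"], 'script-src': ['a', 'b'] }.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function auditHeaders(rawHeaders) {
  const h = normaliseHeaders(rawHeaders);
  const findings = [];
  const flag = (header, level, message) => findings.push({ header, level, message });

  for (const name of REQUIRED_HEADERS) if (!(name in h)) flag(name, 'missing', 'header not set');

  const hsts = h['strict-transport-security'];
  if (hsts) {
    const match = /max-age=(\d+)/i.exec(hsts);
    const maxAge = match ? Number(match[1]) : 0;
    if (maxAge < 31536000) flag('strict-transport-security', 'weak', `max-age=${maxAge} is under one year`);
    if (!/includesubdomains/i.test(hsts)) flag('strict-transport-security', 'info', 'includeSubDomains not set');
  }

  if (h['content-security-policy']) {
    const csp = parseCsp(h['content-security-policy']);
    // script-src falls back to default-src when absent, as browsers do.
    const scriptSrc = csp['script-src'] || csp['default-src'] || [];
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
      if (scriptSrc.includes(bad)) flag('content-security-policy', 'weak', `script-src allows ${bad}`);
    }
    if (!csp['frame-ancestors'] && !h['x-frame-options']) {
      flag('content-security-policy', 'weak', 'no frame-ancestors and no X-Frame-Options: framing is unrestricted');
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo && !/^(deny|sameorigin)$/i.test(xfo)) {
    flag('x-frame-options', 'weak', `"${xfo}" is not honoured; only DENY and SAMEORIGIN are`);
  }

  const xcto = h['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') flag('x-content-type-options', 'weak', `expected nosniff, got "${xcto}"`);

  const rp = h['referrer-policy'];
  if (rp && /^(unsafe-url|no-referrer-when-downgrade)$/i.test(rp)) {
    flag('referrer-policy', 'weak', `${rp} sends the full URL to other origins`);
  }

  return findings;
}

// Constructed sample: a site that set a few headers but never tuned them.
const SAMPLE_WEAK = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'unsafe-url',
};
console.table(auditHeaders(SAMPLE_WEAK));

// Live mode (assumes Node 18+ for global fetch): AUDIT_URL=https://example.com node audit.js
if (typeof process !== 'undefined' && process.env.AUDIT_URL) {
  fetch(process.env.AUDIT_URL, { redirect: 'manual' })
    .then((res) => console.table(auditHeaders(Object.fromEntries(res.headers))))
    .catch((err) => console.error(err.message));
}
```

Run it on the sample and it reports two missing headers (X-Frame-Options, Permissions-Policy), a short HSTS max-age, an inline-script allowance in the CSP, unrestricted framing, and a leaky referrer policy. The live mode uses redirect: 'manual' on purpose: following a redirect would audit the final page instead of the URL you asked about, and a plain-HTTP URL that redirects to HTTPS is exactly the case where HSTS should already be present on the HTTPS side.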
Do headers affect site performance?
Negligibly. The headers themselves are just a few bytes of text. However, a strict CSP might block heavy third-party scripts, which could actually IMPROVE performance.
What is the difference between Feature-Policy and Permissions-Policy?
Permissions-Policy is the newer, renamed version of Feature-Policy. You should prioritize using Permissions-Policy, but some older browsers may still only recognize Feature-Policy.
Can I set these headers in my HTML?
Some headers can be delivered in the HTML: Content-Security-Policy via <meta http-equiv> (although frame-ancestors, report-uri, report-to, and sandbox are ignored in a meta tag) and Referrer-Policy via <meta name="referrer">. Others, including Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options, are only honoured as real HTTP response headers. Prefer the HTTP header in every case: it covers every response, not just HTML documents, and takes effect before the page starts parsing.