Security Headers: Complete Implementation Guide

Learn about essential security headers beyond CSP, including HSTS, X-Frame-Options, and more.

MetricPoints Team
September 19, 2025

Essential Security Headers

HTTP security headers provide an additional layer of protection by instructing browsers on how to handle your web pages securely.

Content Security Policy (CSP)

CSP helps prevent XSS attacks by controlling which resources the browser is allowed to load:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';

Note that 'unsafe-inline' in script-src lets inline scripts run, which gives up most of CSP's protection against XSS; remove it where you can and allow inline scripts by nonce or hash instead.

HTTP Strict Transport Security (HSTS)

HSTS forces browsers to use HTTPS connections for the stated duration (max-age is in seconds; 31536000 is one year):

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Only add preload once every subdomain is served over HTTPS: it requests inclusion in browsers' built-in HSTS lists, and removal from those lists is slow.

X-Frame-Options

Prevents your site from being embedded in frames (clickjacking protection). DENY blocks all framing; SAMEORIGIN allows framing only by pages from the same origin:

X-Frame-Options: DENY
or
X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents MIME type sniffing, so the browser honors the declared Content-Type instead of guessing (and possibly executing) a different one:

X-Content-Type-Options: nosniff

Referrer Policy

Controls how much referrer information is sent with requests. strict-origin-when-cross-origin sends the full URL for same-origin requests, only the origin for cross-origin requests, and nothing when downgrading from HTTPS to HTTP:

Referrer-Policy: strict-origin-when-cross-origin

Permissions Policy

Controls which browser features your site and its embedded frames may use; an empty allowlist such as geolocation=() disables that feature entirely:

Permissions-Policy: geolocation=(), microphone=(), camera=()

Implementation Example

Here's how to set these headers in a web server configuration (the always keyword makes Apache add them to error responses as well; Content-Security-Policy and Strict-Transport-Security are added with the same directive):

# Apache .htaccess
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
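Once the headers are deployed, the next step is to check that a response actually carries them. The audit below is an added example, not code from the original guide: it compares a captured header set against the values above and flags the two weaknesses worth catching, a CSP that still permits 'unsafe-inline' scripts and an HSTS max-age shorter than a year. The sample header set it runs against is constructed for the demo.

```python
# Baseline taken from the header values shown in this guide.
EXPECTED = {
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-content-type-options": {"NOSNIFF"},
    "referrer-policy": {"STRICT-ORIGIN-WHEN-CROSS-ORIGIN"},
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the guide's HSTS example

def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent."""
    for part in value.split(";"):
        name, _, num = part.strip().lower().partition("=")
        if name == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

def audit_headers(headers: dict) -> list:
    """Return findings against the guide's baseline; an empty list means compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name, allowed in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].upper() not in allowed:
            findings.append(f"unexpected {name} value: {h[name]}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        # script-src falls back to default-src when it is not set explicitly
        directives = {d.split()[0]: d for d in (x.strip() for x in csp.split(";")) if d}
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script:
            findings.append("csp permits inline scripts ('unsafe-inline'), weakening XSS protection")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"hsts max-age {hsts_max_age(hsts)} is below one year")
    if "permissions-policy" not in h:
        findings.append("missing permissions-policy")
    return findings

# Constructed sample response headers for the demo (not captured from a real site).
SAMPLE_WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline';",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOWALL",
}
```

Running audit_headers(SAMPLE_WEAK) reports six findings: the three missing headers, the ALLOWALL frame value, the inline-script CSP and the one-day HSTS lifetime.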
