HTTP Security Headers: The Complete 2026 Guide

Yves Soete

Apr 20, 2026 · 8 min read

HTTP security headers are the fastest wins in web security. A few response headers can eliminate entire classes of attacks — clickjacking, XSS, MIME-sniffing, and information disclosure — without touching a line of application code. Most sites are still missing at least three of them.

Here's a practical guide to the headers that matter in 2026, what each one does, and what a production-ready value looks like.

The six headers that matter most

1. Content-Security-Policy (CSP)

CSP is the most powerful and most commonly misconfigured header. It tells browsers which sources are allowed to load scripts, styles, images, and frames. A well-configured CSP eliminates most XSS attack vectors.

Content-Security-Policy: default-src 'self';
  script-src 'self' https://cdn.example.com;
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

The trap most teams fall into: 'unsafe-inline' and 'unsafe-eval' in script-src. Either one effectively disables the XSS protection CSP is meant to provide, because injected inline scripts or eval'd strings are allowed again. If your existing code requires them, migrate to nonces or hashes rather than keeping the unsafe directives.

Start with Content-Security-Policy-Report-Only to audit violations without blocking anything, then tighten it over several deploys.
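As an added illustration (example code, not from the article or from Kuality), the following Python module parses a policy string, flags the problems described above (missing frame-ancestors, base-uri and form-action, and 'unsafe-inline' or 'unsafe-eval' reaching script-src), and shows the nonce-based alternative: a fresh per-response nonce that goes both into the header and into the inline script tag. The `ARTICLE_POLICY` constant is the policy shown in this section; the `nonce_policy` and `inline_script_tag` function names are assumptions of this example.

```python
import secrets
from typing import Dict, List, Tuple

# The policy recommended in this section, used here as a reference input
ARTICLE_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
)

# Directives this section says a production policy should always carry
REQUIRED_DIRECTIVES = ("default-src", "frame-ancestors", "base-uri", "form-action")
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.

    Directives are separated by ';' and sources by whitespace, so a header
    that was wrapped across lines (as in the article) parses the same way.
    """
    parsed: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def find_csp_problems(policy: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the policy passes."""
    directives = parse_csp(policy)
    problems = []
    for name in REQUIRED_DIRECTIVES:
        if name not in directives:
            problems.append(f"missing {name}")
    # script-src falls back to default-src when it is not set explicitly
    script_sources = [s.lower() for s in directives.get("script-src", directives.get("default-src", []))]
    for keyword in UNSAFE_KEYWORDS:
        if keyword in script_sources:
            problems.append(f"{keyword} in script-src defeats XSS protection")
    if "*" in script_sources or "https:" in script_sources:
        problems.append("script-src allows scripts from any host")
    return problems


def nonce_policy(allowed_script_hosts: List[str]) -> Tuple[str, str]:
    """Generate a per-response nonce and a policy that uses it instead of 'unsafe-inline'.

    The nonce must be created fresh for every response; reusing one lets an
    attacker who learns it inject scripts that the browser will accept.
    """
    nonce = secrets.token_urlsafe(16)
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *allowed_script_hosts])
    policy = "; ".join([
        "default-src 'self'",
        f"script-src {script_src}",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "frame-ancestors 'none'",
        "base-uri 'self'",
        "form-action 'self'",
    ])
    return nonce, policy


def inline_script_tag(nonce: str, code: str) -> str:
    """Render the inline script the page keeps, now carrying the nonce from the header."""
    # token_urlsafe only emits [A-Za-z0-9_-], so the attribute needs no further escaping
    return f'<script nonce="{nonce}">{code}</script>'


if __name__ == "__main__":
    print(find_csp_problems(ARTICLE_POLICY))
    print(find_csp_problems("default-src 'self'; script-src 'self' 'unsafe-inline'"))
    nonce, policy = nonce_policy(["https://cdn.example.com"])
    print("Content-Security-Policy:", policy)
    print(inline_script_tag(nonce, "initAnalytics();"))
```

The checker deliberately looks only at script-src: the article's own policy keeps 'unsafe-inline' for styles, which does not reopen script injection, and flagging it would bury the finding that matters.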

2. Strict-Transport-Security (HSTS)

HSTS tells browsers to always use HTTPS for your domain, preventing downgrade attacks. Once set, the browser automatically upgrades any plain-HTTP request to your domain to HTTPS for the configured duration, without first sending the insecure request.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Use max-age=31536000 (one year) minimum. Add preload only after confirming all subdomains serve HTTPS — the preload list is hard to remove from once added. Once you're confident, submit to hstspreload.org.

3. X-Frame-Options

Prevents clickjacking by controlling whether your pages can be embedded in iframes. If you have a CSP with frame-ancestors, you don't strictly need this — but set it anyway for older browsers.

X-Frame-Options: DENY

Use DENY unless you intentionally embed your pages in iframes (then SAMEORIGIN).

4. X-Content-Type-Options

Prevents MIME-sniffing. Without this header, browsers may try to guess a file's content type, which attackers can exploit to execute scripts disguised as images or text files.

X-Content-Type-Options: nosniff

This is a one-liner with no downsides. No reason not to have it.

5. Referrer-Policy

Controls how much referrer information is included when navigating from your site. Without an explicit policy, the browser's fallback behavior can leak full URLs to third parties, including authenticated paths.

Referrer-Policy: strict-origin-when-cross-origin

strict-origin-when-cross-origin is the pragmatic default: sends the full URL for same-origin requests (preserving analytics) and only the origin for cross-origin requests.

6. Permissions-Policy

The replacement for the older Feature-Policy header. Controls which browser features (camera, microphone, geolocation, payment, etc.) your pages can use or grant to embedded frames.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Disabling features you don't use reduces your attack surface. If a third-party script gets compromised, it can't silently activate the camera if you've locked it out with this header.

The two you should remove

Some headers are actively harmful or deprecated:

  • X-XSS-Protection: Disabled or removed in all modern browsers. In some configurations it can introduce vulnerabilities. Set it to 0 (disabled) or omit it entirely — never 1; mode=block.
  • Server: Remove or neutralize this header. Broadcasting your server software and version (nginx/1.18.0) just helps attackers target known CVEs.

How to test your headers

The fastest audit: paste your URL into Kuality's header scanner. It checks all six headers above, flags missing or misconfigured values, and gives you a prioritized fix list. Alternatively, curl -I https://yoursite.com gives you the raw headers to inspect manually.

For CI/CD, use Kuality's quality gates to block deploys that regress your header score — a common problem when CDN configs or proxy layers are changed without testing the security headers they pass through.
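For teams that want the manual `curl -I` route to produce the same kind of prioritized list, here is an added example (not Kuality's scanner and not code from the article) that turns raw response headers into a dict and audits them against the values recommended in this guide: the six headers to set, plus the two to remove. `SAMPLE_RESPONSE` and `HARDENED` are constructed inputs for the demonstration; the function names are this example's own.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000
# Policies that still send the full URL to other origins
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

# Constructed sample of what `curl -I` might print for a site that has not been hardened
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
Strict-Transport-Security: max-age=86400
X-Frame-Options: ALLOWALL
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
"""

# Constructed header set using the production values from this guide
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn `curl -I` output (status line plus header lines) into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.lower().startswith("http/"):
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per problem, in the order the guide discusses the headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP: only a report-only policy is set; nothing is enforced yet")
        else:
            findings.append("CSP: missing")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if match is None or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age should be at least 31536000 (one year)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")

    xfo = h.get("x-frame-options", "").strip().upper()
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    if not xfo and not has_frame_ancestors:
        findings.append("X-Frame-Options: missing and CSP has no frame-ancestors (clickjacking)")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unsupported value {xfo!r}; use DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: should be nosniff")

    referrer = h.get("referrer-policy")
    if referrer is None:
        findings.append("Referrer-Policy: missing")
    elif referrer.strip().lower() in LEAKY_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: {referrer.strip()} leaks full URLs cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection: remove it or set it to 0")

    server = h.get("server")
    if server and re.search(r"\d", server):
        findings.append(f"Server: reveals software version ({server})")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_raw_headers(SAMPLE_RESPONSE)):
        print("-", finding)
    print("hardened:", audit_headers(HARDENED))
```

Wired into CI, a non-empty list from `audit_headers` on a staging URL is the regression signal the paragraph above describes: a CDN or proxy change that strips a header shows up as a new finding before it reaches production.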

Implementation priority

If you're starting from scratch, implement in this order:

  1. HSTS — 30 minutes. One line in nginx/Caddy/CloudFront config. Zero downside.
  2. X-Content-Type-Options and X-Frame-Options — 10 minutes. Both are one-liners.
  3. Referrer-Policy — 5 minutes. Set it and move on.
  4. Permissions-Policy — 15 minutes. List only the features you actually use.
  5. CSP — 2–8 hours. Start in report-only mode, fix violations, tighten gradually.

CSP gets its own timeline because it requires inventory: knowing what scripts and styles your site loads. The other headers are set-and-forget.

Kuality audits all six headers automatically and tracks your score over time. Run a free scan at kuality.io/getstarted.
