Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are response headers that tell browsers how to behave when handling your site's content. They protect against clickjacking (X-Frame-Options), cross-site scripting (Content-Security-Policy), MIME sniffing (X-Content-Type-Options), and protocol downgrade attacks (HSTS). Read our complete security headers guide for details on each header.
What is HSTS (Strict-Transport-Security)?
HSTS tells browsers to only connect to your site over HTTPS, even if a user types http:// in the address bar. This prevents SSL-stripping attacks where an attacker downgrades the connection to unencrypted HTTP. Once set, the browser remembers for the specified max-age duration.
What is Content-Security-Policy (CSP)?
Content-Security-Policy defines which sources of content (scripts, styles, images, fonts, frames) are allowed to load on your page. It is one of the most effective defenses against cross-site scripting (XSS). A well-configured CSP prevents injected scripts from executing, even if an attacker finds an injection point.
How do I add security headers to my website?
Security headers are configured on your web server (Apache, Nginx), CDN (Cloudflare, AWS CloudFront), or application framework. Most can be added with a single line of configuration. For example, in Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;