AI QA Monkey

Security Headers Checklist 2026: CSP, HSTS, and Cookie Hardening

Security headers are one of the fastest hardening wins available. They reduce browser-level attack surface — blocking XSS exploitation, clickjacking, protocol downgrade, and MIME sniffing — with minimal engineering overhead when implemented correctly.

Why Security Headers Matter in 2026

Browser security models have evolved significantly. Modern headers give you direct control over how browsers handle your content:

  • XSS mitigation: CSP blocks inline script execution and restricts untrusted script sources — even if your app has an XSS vulnerability, a strict CSP prevents most exploitation.
  • Protocol enforcement: HSTS prevents browsers from connecting over HTTP after the first HTTPS visit, blocking SSL stripping attacks.
  • Clickjacking prevention: CSP frame-ancestors blocks your pages from being embedded in malicious iframes on attacker sites.
  • Data leakage control: Referrer-Policy prevents your internal URLs and parameters from appearing in third-party request logs.

According to scan data from AI QA Monkey, over 60% of websites are missing one or more critical security headers in production.

1. Strict-Transport-Security (HSTS)

HSTS instructs browsers to always connect over HTTPS, even if the user types http://. It prevents SSL stripping attacks and protocol downgrade attempts.

# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Apache (.htaccess)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# PHP
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

  • max-age=31536000: 1 year. Start with 300 (5 minutes) in testing, then increase.
  • includeSubDomains: Applies HSTS to all subdomains. Only add if all subdomains serve HTTPS.
  • preload: Submit to the HSTS preload list at hstspreload.org for maximum protection. Irreversible — verify all subdomains are HTTPS-only before adding.
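To make the directive rules above checkable, here is an added Python example (not code from the page or from AI QA Monkey) that parses a Strict-Transport-Security value and reports the problems a scanner would flag: a missing or sub-year max-age, and a preload directive that does not meet the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). The header values fed to it are constructed for illustration.

```python
# Added example: parse and audit an HSTS header value. Sample values are constructed.
ONE_YEAR = 31536000  # the max-age the checklist above recommends for production


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797). Returns max_age as an int
    (None if absent or malformed) plus two booleans.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_hsts(value, preload_intended=False):
    """Return a list of findings for an HSTS value; an empty list means it is sound.

    Pass preload_intended=True to check a value against the preload list
    requirements before the preload directive has been added.
    """
    if value is None:
        return ["HSTS header missing"]
    findings = []
    p = parse_hsts(value)
    if p["max_age"] is None:
        findings.append("max-age directive missing or invalid (header is ignored)")
    elif p["max_age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age={p['max_age']} is below one year ({ONE_YEAR})")
    if p["preload"] or preload_intended:
        # hstspreload.org requires >= 1 year, includeSubDomains and the preload token.
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
        if not p["include_subdomains"]:
            findings.append("preload requires includeSubDomains")
        if not p["preload"]:
            findings.append("preload directive missing")
    return findings


if __name__ == "__main__":
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300", None):
        print(repr(sample), "->", audit_hsts(sample))
```

A 5-minute testing value such as max-age=300 is reported as below one year, which is the expected result while you are still in the staged rollout the bullets describe; the finding only becomes a defect once the value is meant to be final.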

2. Content-Security-Policy (CSP)

CSP is the most powerful security header and the hardest to configure correctly. It defines which sources of content (scripts, styles, images, fonts, API calls) are allowed to load.

# Strict CSP example (no inline scripts)
Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cdn.example.com;
  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
  img-src 'self' data: https:;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://api.example.com;
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

# Start in report-only mode first
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report

CSP rollout process:

  1. Deploy in Content-Security-Policy-Report-Only mode with a report URI.
  2. Monitor violations for 1 week to identify all legitimate sources.
  3. Update policy to allow legitimate sources explicitly.
  4. Switch to enforcing Content-Security-Policy.
  5. Keep report-uri active to catch regressions.
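The rollout steps above hinge on two mechanical tasks: linting the policy you are about to ship, and turning a week of report-only violations into explicit sources to review. The following added Python example (not code from the page or from AI QA Monkey) does both. The report bodies it processes are constructed samples in the JSON shape browsers post to report-uri; the directive list it treats as required mirrors the page's strict example and is an editorial choice, not a browser requirement.

```python
# Added example: lint a CSP string and aggregate report-only violations.
import json
from collections import defaultdict

# Directives a baseline policy should set explicitly (the strict example above sets all of them).
REQUIRED_DIRECTIVES = ("default-src", "script-src", "frame-ancestors", "base-uri", "form-action")
# Source expressions that, in script-src, largely defeat the XSS protection CSP provides.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def parse_csp(policy):
    """Split a policy string into {directive-name: [source expressions]}."""
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def lint_csp(policy):
    """Return findings for missing directives and weak script sources; [] means clean."""
    parsed = parse_csp(policy)
    findings = [f"{name} not set" for name in REQUIRED_DIRECTIVES if name not in parsed]
    # script-src falls back to default-src when absent, so lint whichever applies.
    for src in parsed.get("script-src", parsed.get("default-src", [])):
        if src.lower() in WEAK_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}")
    return findings


def aggregate_reports(report_lines):
    """Group violations as {directive: {blocked origin: count}}.

    Each input line is one JSON body as a browser posts it to report-uri.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in report_lines:
        body = json.loads(line).get("csp-report", {})
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        blocked = body.get("blocked-uri", "")
        if not directive or not blocked:
            continue
        # Reduce a URL to its origin: allowlist entries should not carry paths.
        if "://" in blocked:
            scheme, rest = blocked.split("://", 1)
            blocked = scheme + "://" + rest.split("/", 1)[0]
        counts[directive.split()[0]][blocked] += 1
    return {d: dict(v) for d, v in counts.items()}


def propose_changes(aggregate):
    """Turn the aggregate into review items for rollout step 3 (explicit sources)."""
    items = []
    for directive, blocked in sorted(aggregate.items()):
        for uri, n in sorted(blocked.items()):
            if uri in ("inline", "eval"):
                items.append(f"{directive}: {n} {uri} violation(s); move the code to "
                             "external files rather than adding 'unsafe-inline'")
            else:
                items.append(f"{directive}: consider adding {uri} ({n} report(s))")
    return items


# Constructed sample reports (not real scan data) from a report-only rollout.
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://www.example.com/checkout",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "https://cdn.example.com/lib/app.js"}},
    {"csp-report": {"document-uri": "https://www.example.com/",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "https://cdn.example.com/lib/vendor.js"}},
    {"csp-report": {"document-uri": "https://www.example.com/",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "inline"}},
    {"csp-report": {"document-uri": "https://www.example.com/",
                    "violated-directive": "img-src 'self'",
                    "blocked-uri": "https://images.example.net/logo.png"}},
]
SAMPLE_REPORT_LINES = [json.dumps(r) for r in SAMPLE_REPORTS]

if __name__ == "__main__":
    print(lint_csp("default-src 'self'; script-src 'self' 'unsafe-inline'"))
    for item in propose_changes(aggregate_reports(SAMPLE_REPORT_LINES)):
        print(item)
```

Aggregating by origin rather than by full URL is deliberate: a week of reports will contain many distinct paths on the same CDN, and the allowlist entry you add in step 3 is the origin. Inline violations are listed separately because the fix for them is to move the script, not to relax script-src.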

3. X-Content-Type-Options

Prevents browsers from MIME-sniffing a response away from the declared content type. A single-line addition — no excuses for missing it.

# Nginx
add_header X-Content-Type-Options "nosniff" always;

# Apache
Header always set X-Content-Type-Options "nosniff"

# PHP
header('X-Content-Type-Options: nosniff');

4. Referrer-Policy

Controls how much referrer information is sent when users navigate from your site to external pages. Prevents sensitive URLs from leaking to analytics and advertising platforms.

# Recommended: no-referrer-when-downgrade or strict-origin-when-cross-origin
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Most restrictive (breaks some analytics)
add_header Referrer-Policy "no-referrer" always;

5. Frame Protection (CSP frame-ancestors)

Prevents your pages from being embedded in iframes on other domains, blocking clickjacking attacks. Use CSP frame-ancestors in preference to the deprecated X-Frame-Options.

# Modern approach via CSP
Content-Security-Policy: frame-ancestors 'none';     # Block all embedding
Content-Security-Policy: frame-ancestors 'self';     # Allow same-origin only

# Legacy fallback (still add for older browsers)
add_header X-Frame-Options "SAMEORIGIN" always;

6. Cookie Security Flags

Every session cookie must have all three flags: Secure, HttpOnly, and SameSite.

# PHP: Set secure session cookie params
session_set_cookie_params([
    'secure'   => true,      // HTTPS only
    'httponly' => true,      // No JS access
    'samesite' => 'Strict',  // No cross-site requests
    'lifetime' => 0,         // Session cookie
    'path'     => '/',
]);
session_start();

# Node.js / Express (express-session requires a secret; other options omitted for brevity)
const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,  // never hard-code this
  cookie: {
    secure: true,       // HTTPS only
    httpOnly: true,     // No JS access
    sameSite: 'strict', // No cross-site requests
  }
}));

  • Secure: Cookie only sent over HTTPS. Required on all production session cookies.
  • HttpOnly: JavaScript cannot access the cookie. Blocks XSS-based session token theft.
  • SameSite=Strict: Cookie not sent on cross-site requests. Blocks CSRF. Use Lax if you need cookies on top-level navigation from external links.
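The three flags are easy to audit from the response side, which is how a scanner verifies them rather than by reading application code. The following added Python example (not code from the page or from AI QA Monkey) parses Set-Cookie header values and reports any of the flags above that a session cookie lacks; it also catches one interaction the page's bullets do not spell out, namely that SameSite=None is rejected by browsers unless Secure is also present. The cookie names it treats as session cookies (PHPSESSID, connect.sid) are the defaults of PHP and express-session and are an assumption; the header values are constructed.

```python
# Added example: audit cookie security flags from Set-Cookie header values.


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are case-insensitive, so keys are lowercased; flag
    attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(header_value):
    """Return findings for one cookie; [] means Secure, HttpOnly and SameSite are all sound."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure (browsers reject it otherwise)")
    elif samesite not in ("strict", "lax", "none"):
        findings.append(f"{name}: unknown SameSite value {attrs['samesite']}")
    return findings


# Assumed default session cookie names for PHP and express-session.
SESSION_COOKIE_NAMES = ("PHPSESSID", "connect.sid")


def audit_session_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Audit only the session cookies, which are the ones that must carry all three flags."""
    findings = []
    for header_value in set_cookie_headers:
        name, _ = parse_set_cookie(header_value)
        if name in session_names:
            findings.extend(audit_cookie(header_value))
    return findings


if __name__ == "__main__":
    # Constructed sample response: a hardened PHP session cookie and a weak Express one.
    sample = [
        "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
        "connect.sid=s%3Aabc; Path=/; HttpOnly; SameSite=None",
        "theme=dark; Path=/",
    ]
    print(audit_session_cookies(sample))
```

Non-session cookies such as the theme preference in the sample are skipped on purpose: the checklist requirement is for session cookies, and flagging every cookie produces noise that gets the whole report ignored.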

Full Implementation: Nginx and Apache

# Nginx — add to server {} block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Add CSP separately after testing in report-only mode

# Apache — add to .htaccess or VirtualHost
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options "SAMEORIGIN"
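Once the server blocks above are deployed, the check is whether the live response actually carries each header with an acceptable value. The following added Python example (not code from the page or from AI QA Monkey) audits a response's header map against the checklist: presence of every header, nosniff and X-Frame-Options values, a CSP that is still report-only, frame protection from either mechanism, and the caveat that browsers ignore HSTS on a plain-HTTP response. The sample header map is constructed to match the Nginx block above; fetch_headers performs a real HEAD request and is only for use against your own hosts.

```python
# Added example: audit a response's security headers against the checklist.
import urllib.request

# Headers the checklist above expects on every production response.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy", "permissions-policy")
# Single-valued headers with a small set of acceptable values.
EXPECTED = {
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("deny", "sameorigin"),
}


def audit_response_headers(headers, scheme="https"):
    """Return findings for a {name: value} header mapping; [] means the checklist passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name in REQUIRED:
        if name in h:
            continue
        if name == "content-security-policy" and "content-security-policy-report-only" in h:
            findings.append("CSP is still report-only (not enforced)")
        else:
            findings.append(f"{name} missing")
    for name, allowed in EXPECTED.items():
        if name in h and h[name].lower() not in allowed:
            findings.append(f"{name} has unexpected value {h[name]}")
    if h.get("referrer-policy", "").lower() == "unsafe-url":
        findings.append("referrer-policy unsafe-url leaks full URLs cross-origin")
    # Either frame-ancestors or X-Frame-Options is enough to stop framing.
    if "frame-ancestors" not in h.get("content-security-policy", "") and "x-frame-options" not in h:
        findings.append("no frame protection (neither CSP frame-ancestors nor X-Frame-Options)")
    if scheme != "https" and "strict-transport-security" in h:
        findings.append("HSTS on a plain-HTTP response is ignored; send it on the HTTPS response")
    return findings


def fetch_headers(url, timeout=10):
    """Fetch live headers with a HEAD request (network required; not run offline).

    dict() keeps one value per name, so repeated headers such as Set-Cookie collapse.
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample matching the Nginx block above, with CSP still in report-only mode.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
}

if __name__ == "__main__":
    print(audit_response_headers(SAMPLE_HEADERS))
```

Run against the sample, the only finding is the report-only CSP, which is exactly the state the Nginx block leaves you in until the report-only phase is finished. Check the HTTPS response specifically: a redirect from HTTP that also sets headers does not count, because the HSTS header is only honoured on a secure connection.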

Check your headers in under 60 seconds

Run a live scan and get missing/weak header findings with exact fix commands for your server.


Frequently Asked Questions

Which headers should we implement first?

In order: HSTS (prevents protocol downgrade), X-Content-Type-Options (trivial to add), Referrer-Policy (no functional impact), then CSP in report-only mode. X-Frame-Options can be added anytime.

Can CSP break site functionality?

Yes — if you have inline scripts, inline styles, or third-party script sources that are not whitelisted. Always deploy CSP in Content-Security-Policy-Report-Only mode first, monitor violations for one week, then switch to enforcing mode.

Do headers replace secure coding practices?

No. Headers reduce the exploitability of vulnerabilities but do not eliminate them. Combine headers with input validation, output encoding, parameterized queries, and dependency management.

How do I verify headers are set correctly?

Run the AI QA Monkey free scanner — it checks all security headers in your live production response and flags missing or misconfigured headers with specific fix guidance.

Check Your Website Right Now

Run a free automated security scan — 75 checks in 60 seconds. No signup required.
