| Content-Security-Policy |
Tells the browser what sources (like scripts or images) are safe to load. |
Content-Security-Policy: default-src 'self'; script-src 'self' |
XSS, data injection, clickjacking |
| Strict-Transport-Security |
Makes sure the site always loads with HTTPS (encrypted connection). |
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload |
SSL stripping, man-in-the-middle (MITM) |
| X-Frame-Options |
Blocks other sites from putting your site in a frame or iframe. |
X-Frame-Options: DENY |
Clickjacking |
| X-Content-Type-Options |
Stops browsers from guessing file types—uses the type you say. |
X-Content-Type-Options: nosniff |
MIME sniffing, running harmful files |
| X-XSS-Protection |
Turns on older browser protection against script attacks. (Outdated but still used) |
X-XSS-Protection: 1; mode=block |
Reflected XSS (in old browsers) |
| Referrer-Policy |
Controls how much URL info gets sent to other websites. |
Referrer-Policy: no-referrer |
Leaking tokens or secrets in URLs |
| Permissions-Policy |
Limits what your site can use—like camera, mic, or location. |
Permissions-Policy: geolocation=(), microphone=() |
Misuse of browser features |
| Set-Cookie Flags |
Adds extra security to cookies—like HTTPS only and no JS access. |
Set-Cookie: id=123; HttpOnly; Secure; SameSite=Strict |
XSS, CSRF, cookie theft |