Safeey.io
Security Headers

Security Headers That Actually Matter

Small headers, big protection

HTTP response headers are one of the cheapest, highest‑impact security controls you have. A few lines of configuration can block entire classes of attack. Here are the ones worth your attention.

Content-Security-Policy (CSP)

CSP tells the browser which sources of scripts, styles, and other content are allowed. A good policy is your strongest defense against cross‑site scripting (XSS) — even if an attacker injects a script, the browser refuses to run it. It's the single most valuable header, and also the most involved to configure correctly.

Strict-Transport-Security (HSTS)

HSTS forces browsers to always use HTTPS for your domain, defeating downgrade and SSL‑stripping attacks. Use a long max-age, include subdomains, and consider preloading:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

X-Content-Type-Options

Setting X-Content-Type-Options: nosniff stops browsers from guessing a file's type, which prevents certain content‑confusion attacks.

Referrer-Policy and Permissions-Policy

Referrer-Policy controls how much URL information leaks to other sites. Permissions-Policy lets you disable powerful browser features (camera, microphone, geolocation) your site doesn't use, shrinking your attack surface.

Cross-Origin isolation (COOP/COEP/CORP)

These headers cut off cross‑origin side‑channel attacks and are worth adding as defense in depth.

How to check

Every one of these headers is easy to misconfigure or forget. Safeey checks for all of them — and 60+ more — and tells you which are missing and how to set them. Run a scan.

Found this useful? Share it.

See what your site exposes

Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.

Scan your site