Security Headers That Actually Matter
Small headers, big protection
HTTP response headers are one of the cheapest, highest‑impact security controls you have. A few lines of configuration can block entire classes of attack. Here are the ones worth your attention.
Content-Security-Policy (CSP)
CSP tells the browser which sources of scripts, styles, and other content are allowed. A good policy is your strongest defense against cross‑site scripting (XSS) — even if an attacker injects a script, the browser refuses to run it. It's the single most valuable header, and also the most involved to configure correctly.
Strict-Transport-Security (HSTS)
HSTS forces browsers to always use HTTPS for your domain, defeating downgrade and SSL‑stripping attacks. Use a long max-age, include subdomains, and consider preloading:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options
Setting X-Content-Type-Options: nosniff stops browsers from guessing a file's type, which prevents certain content‑confusion attacks.
Referrer-Policy and Permissions-Policy
Referrer-Policy controls how much URL information leaks to other sites. Permissions-Policy lets you disable powerful browser features (camera, microphone, geolocation) your site doesn't use, shrinking your attack surface.
Cross-Origin isolation (COOP/COEP/CORP)
These headers cut off cross‑origin side‑channel attacks and are worth adding as defense in depth.
How to check
Every one of these headers is easy to misconfigure or forget. Safeey checks for all of them — and 60+ more — and tells you which are missing and how to set them. Run a scan.
See what your site exposes
Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.
Scan your site