Security Headers
Audit your HTTP security headers. HSTS, CSP, X-Frame-Options, Permissions-Policy, cookie flags — find missing protections in 5 seconds.
What We Check
Every check comes with a pass/fail result and specific fix instructions.
HSTS
Strict-Transport-Security tells browsers to always use HTTPS. Without it, a man-in-the-middle attacker can downgrade ...
Hsts Year
HSTS max-age should be at least 31,536,000 seconds (1 year). Shorter values weaken the protection.
Hsts Subdomains
includeSubDomains extends HSTS to all subdomains. Critical if you have api.example.com, app.example.com, etc.
Content Security Policy
Content-Security-Policy is the single most powerful XSS defense. Restricts where scripts/styles/images can load from.
Csp No Unsafe Inline
Csp No Unsafe Eval
Xfo
X-Frame-Options prevents clickjacking. DENY (no framing) or SAMEORIGIN (only own site can frame).
Xcto
X-Content-Type-Options: nosniff stops browsers from MIME-sniffing a response away from its declared Content-Type — blocks certain XSS attacks.
Referrer-Policy
Referrer-Policy controls what URL information is sent in the Referer header. strict-origin-when-cross-origin is the modern default.
Permissions-Policy
Permissions-Policy controls browser features (camera, mic, geolocation). Disable what you don
Coop
Cross-Origin-Opener-Policy isolates your top-level browsing context — protects against tabnabbing and Spectre.
Corp
Cross-Origin-Resource-Policy controls which sites can embed your resources. Blocks cross-origin loads of responses that other sites should not be able to read.
Server Header
A Server header that reveals the exact version (e.g., Apache/2.4.41) helps attackers find known vulnerabilities. Hide it.
X-Powered-By
The X-Powered-By header reveals the tech stack (PHP version, framework). Provides attackers with reconnaissance data.
Cookie Secure
The Secure flag ensures cookies are only sent over HTTPS. Without it, cookies leak on the first HTTP request.
Cookie HttpOnly
The HttpOnly flag prevents JavaScript from reading session cookies. Critical XSS mitigation.
Cookie SameSite
SameSite=Lax (or Strict) prevents cookies from being sent on cross-site requests — main CSRF defense.
Why It Matters
Numbers that make a difference for your website.
Headers
Complete security scan
Grade
Aim for the highest score
Aligned
Industry best practices
Paste
Ready-to-use header values
Frequently Asked Questions
Common questions about this tool and how to use the results.
Ready to audit your site?
Enter your URL above and get results in seconds. Completely free.
Start Audit