
HTTP Security Headers: The Complete Guide for 2026

Missing security headers are one of the most common website vulnerabilities. Learn what each header does, why it matters, and how to add it in under 5 minutes.

AISeen Team · 8 min read

HTTP security headers are one-line server configurations that instruct browsers how to handle your site's content. They prevent a wide range of attacks — from clickjacking to cross-site scripting — without requiring any changes to your application code.

The Six Critical Headers

1. Content-Security-Policy (CSP)

CSP is the most powerful header for preventing XSS attacks. It defines a whitelist of sources from which scripts, styles, images, and other resources can be loaded. A misconfigured CSP blocks legitimate resources; a missing CSP allows any script from any source.

Start with a report-only policy to audit violations before enforcing:

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-violations

2. Strict-Transport-Security (HSTS)

HSTS forces browsers to use HTTPS for all future requests to your domain, even if the user types http://. Without HSTS, an attacker on the same network can downgrade your connection.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

3. X-Frame-Options / frame-ancestors

Prevents your pages from being embedded in iframes on other sites (clickjacking). The modern CSP frame-ancestors directive replaces the older X-Frame-Options header.

4. X-Content-Type-Options

Stops browsers from MIME-sniffing a response away from the declared content type. One line, maximum protection:

X-Content-Type-Options: nosniff

5. Referrer-Policy

Controls how much referrer information is included with outgoing requests. strict-origin-when-cross-origin is the recommended default: it sends the full URL to same-origin requests but only the origin to cross-origin requests.

6. Permissions-Policy

Restricts access to browser APIs (camera, microphone, geolocation) from your pages and embedded third-party content. Even if you don't use these APIs, restricting them prevents third-party scripts from abusing them.

How AISeen Checks Your Headers

AISeen's Security Score audits all six critical headers plus HTTPS configuration, cookie flags, and information leakage (e.g., server version disclosure in response headers). Each missing or misconfigured header deducts points from your score.

Frequently Asked Questions

How do I add security headers in Next.js?
Add a headers() function to next.config.js. The function returns an array of header objects, each with a source pattern and an array of {key, value} pairs. Vercel deployments also support adding headers via vercel.json.

Will adding a CSP break my site?
A strict CSP can block inline scripts and styles if your code uses them. Use Content-Security-Policy-Report-Only first to monitor violations in production without breaking anything, then tighten the policy incrementally.

What does AISeen's Security Score consider 'critical'?
HTTPS presence, HSTS, and X-Content-Type-Options are marked Critical (highest deduction). CSP, X-Frame-Options, and Permissions-Policy are High. Information leakage (server header disclosure) is Medium.
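The kind of check described in "How AISeen Checks Your Headers" and rated in the FAQ above, written out as an added example (this is not AISeen's own scoring code). It takes a plain object of response headers, applies the rules from this guide (HSTS max-age of at least one year, nosniff, an enforced CSP rather than report-only, a framing control, Permissions-Policy, and a version-free Server header) and returns findings with the severities the FAQ states; the severity given to Referrer-Policy is an assumption, since the article does not rate it. The sample headers at the bottom are constructed.

```javascript
const ONE_YEAR_SECONDS = 31536000; // the max-age value recommended above

function auditHeaders(rawHeaders, { https = true } = {}) {
  // Normalise header names to lowercase so lookups are case-insensitive.
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) h[name.toLowerCase()] = String(value);
  const findings = [];
  const flag = (severity, header, reason) => findings.push({ severity, header, reason });

  if (!https) flag('Critical', 'HTTPS', 'site is not served over HTTPS');

  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!hsts) flag('Critical', 'Strict-Transport-Security', 'missing');
  else if (!maxAge || Number(maxAge[1]) < ONE_YEAR_SECONDS)
    flag('Critical', 'Strict-Transport-Security', 'max-age is shorter than one year');

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff')
    flag('Critical', 'X-Content-Type-Options', 'missing or not "nosniff"');

  // A report-only policy is useful for auditing but enforces nothing.
  const csp = h['content-security-policy'] || '';
  if (!csp) {
    const reason = h['content-security-policy-report-only']
      ? 'only a report-only policy is set, nothing is enforced' : 'missing';
    flag('High', 'Content-Security-Policy', reason);
  }

  // Either control stops framing; frame-ancestors in an enforced CSP is the modern form.
  if (!h['x-frame-options'] && !/(^|;)\s*frame-ancestors\s/i.test(csp))
    flag('High', 'X-Frame-Options', 'no X-Frame-Options and no CSP frame-ancestors directive');

  if (!h['permissions-policy']) flag('High', 'Permissions-Policy', 'missing');

  // Assumed severity: the article does not rate Referrer-Policy.
  if (!h['referrer-policy']) flag('High', 'Referrer-Policy', 'missing');

  // A version number in Server (e.g. "nginx/1.24.0") is information leakage.
  if (/\d+\.\d+/.test(h['server'] || ''))
    flag('Medium', 'Server', 'server version disclosed: ' + h['server']);

  return findings;
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = {
  'Strict-Transport-Security': 'max-age=86400',
  'Content-Security-Policy-Report-Only': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  Server: 'nginx/1.24.0',
};

console.log(auditHeaders(SAMPLE_HEADERS));
```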
