~/tools/headers
Security headers checklist
A working reference for hardening a web response: the headers that matter, sensible starting values, and why each one earns its place.
0 / 8 checked
- essential
default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'none'The single most effective control against XSS and data injection. Start from default-src 'none' and allowlist only what the site actually loads.
- essential
max-age=31536000; includeSubDomains; preloadForces HTTPS for future visits, defeating SSL-strip downgrade attacks. Add preload only once you are committed to HTTPS on every subdomain.
- essential
nosniffStops the browser from MIME-sniffing a response into a different, executable content type.
- recommended
DENYClickjacking defense for older browsers. Modern browsers honor CSP frame-ancestors, but this remains a cheap fallback.
- recommended
strict-origin-when-cross-originLimits how much of the URL is leaked in the Referer header on cross-origin navigation.
- recommended
camera=(), microphone=(), geolocation=(), payment=()Explicitly disables powerful browser features the site does not use, shrinking the attack surface.
- situational
same-originIsolates the browsing context from cross-origin windows, a prerequisite for cross-origin isolation and a defense against some side-channel attacks.
- situational
same-originPrevents other origins from embedding your resources, mitigating cross-origin leaks like Spectre-style reads.
This checklist covers response headers. It is not a substitute for testing against a live origin — after deploying, verify with an external scanner such as securityheaders.com or Mozilla Observatory.
Priorities are a rough guide: essential headers belong on nearly every site, recommended ones on most, and situational ones depend on whether you embed or are embedded by other origins. This site's own headers are documented on the architecture page.