Security Headers: Quick Wins for Every Web App
By HackTool Team
Security headers are the lowest-effort, highest-impact hardening you can do for a web application. Each one takes a few minutes to add and blocks entire classes of attacks.
The Essential Headers
Content-Security-Policy (CSP)
CSP tells the browser which sources of content are allowed. A well-configured CSP prevents most XSS attacks because even if an attacker injects a script tag, the browser refuses to execute it.
Start restrictive and loosen as needed. A minimal policy might be: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:
The 'unsafe-inline' for styles is a common concession — many CSS-in-JS libraries need it. Avoid 'unsafe-inline' for scripts whenever possible.
Strict-Transport-Security (HSTS)
HSTS tells browsers to only connect over HTTPS. This prevents SSL stripping attacks where an attacker downgrades the connection to HTTP and intercepts traffic.
Set a long max-age (at least one year) and include subdomains: Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options
Prevents your site from being embedded in iframes, which blocks clickjacking attacks. Set it to DENY or SAMEORIGIN.
CSP's frame-ancestors directive is the modern replacement, but X-Frame-Options provides backward compatibility.
X-Content-Type-Options
Set to "nosniff" to prevent browsers from MIME-sniffing responses. Without this, a browser might interpret a JSON response as HTML, enabling XSS through content type confusion.
Referrer-Policy
Controls how much URL information is sent in the Referer header. Set to strict-origin-when-cross-origin to prevent leaking full URLs (which might contain tokens or sensitive path segments) to external sites.
Permissions-Policy
Restricts browser features like camera, microphone, geolocation, and payment APIs. If your app does not use these features, disable them to reduce attack surface.
Verifying Your Headers
HackTool's security headers module checks all of these automatically and flags missing or misconfigured headers. You can also check manually using browser DevTools — look at the response headers in the Network tab for any page load.
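A small checker for the recommendations in this post, added here as an example and not HackTool's own module. It takes response headers as a dict (for instance, what you copy out of DevTools); the finding messages and the one-year HSTS threshold are my own assumptions drawn from the sections above.

```python
# Added example, not HackTool's own checker: score a dict of HTTP response
# headers against this post's recommendations (thresholds and messages assumed).
ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age the post recommends

def parse_csp(value):
    """Parse a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    policy = parse_csp(h.get("content-security-policy", ""))
    if not policy:
        findings.append("Content-Security-Policy missing")
    # script-src falls back to default-src when it is not set explicitly
    scripts = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in scripts:
        findings.append("CSP allows 'unsafe-inline' scripts")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, include_sub = 0, False
        for token in hsts.lower().split(";"):
            token = token.strip()
            if token.startswith("max-age=") and token[8:].isdigit():
                max_age = int(token[8:])
            elif token == "includesubdomains":
                include_sub = True
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

# Constructed sample (not a real site): HSTS too short, everything else missing
print(check_headers({"Strict-Transport-Security": "max-age=86400"}))
```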
The Takeaway
Adding these headers is a 30-minute task that blocks clickjacking, most XSS, SSL stripping, and MIME confusion attacks. There are very few security improvements with a better effort-to-impact ratio.