Quiz Entry - updated: 2026.07.14
How do you configure secure HTTP response headers to prevent common attacks?
Set security headers on every response — a handful of one-line HTTP headers that form the browser-side first line of defence against XSS, clickjacking, protocol downgrade, and data leaks.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cache-Control: no-store
| Header | Prevents | Impact of missing |
|---|---|---|
| HSTS | Protocol downgrade, cookie hijacking | Users can be redirected to HTTP |
| CSP | XSS, data injection | Injected scripts can execute freely |
| X-Content-Type-Options | MIME-type sniffing | Browser may execute uploaded files as scripts |
| X-Frame-Options | Clickjacking | Site can be embedded in malicious iframe |
| Referrer-Policy | URL leakage to third parties | Sensitive URL parameters exposed |
| Permissions-Policy | Unwanted API access | Embedded content can access camera, mic |
| Cache-Control: no-store | Cached sensitive data | Sensitive responses stored on disk |
See: OWASP Secure Headers Project | securityheaders.com — scan your site's headers
Go deeper:
MDN — Content Security Policy (CSP) — reference for the CSP header.
OWASP CSP Cheat Sheet — practical hardening for the security-headers set.