6 Headers That Make or Break Your Web App Security Posture

Introduction

Your web application may use encryption, firewalls, and endpoint protection, but none of that helps once a page is rendered in the browser: client-side attacks such as XSS and clickjacking are blocked only if your HTTP security headers instruct the browser to block them. Misconfigured or missing headers leave that layer open.

Security headers are low-effort, high-impact protections that instruct browsers how to behave when rendering your site. When set correctly, they mitigate risks like cross-site scripting (XSS), clickjacking, data leaks, and insecure content loading.

Yet many sites leave them out entirely.

In this post, we’ll cover the six most critical HTTP headers, what they do, and how Breachfin continuously audits them to harden your client-side security.


1. Content-Security-Policy (CSP)

The CSP header controls which content sources the browser can trust and execute — including scripts, styles, images, fonts, and iframes.

Why it matters:
CSP is one of the most effective defenses against XSS and malicious script injections.

Example:

Content-Security-Policy: script-src 'self' https://trusted.cdn.com; object-src 'none';

Without it:
JavaScript injected through query strings, comment boxes, or compromised third-party libraries runs with no browser-side restriction; CSP does not stop the injection itself, but it stops the injected script from executing.


2. Strict-Transport-Security (HSTS)

This header tells a browser that has seen it to connect to your site only over HTTPS for the stated period, even if the user types http://.

Why it matters:
Protects against protocol downgrade attacks and cookie hijacking via unsecured channels.

Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Without it:
Your site could be accessed over unencrypted HTTP, especially by first-time visitors, who are covered only once the browser has seen the header or the domain is on the browser preload list (hence the preload flag in the example).


3. X-Content-Type-Options

This prevents the browser from “sniffing” the MIME type of content and executing it incorrectly (e.g., treating an image as a script).

Why it matters:
Mitigates certain drive-by download and MIME confusion attacks.

Example:

X-Content-Type-Options: nosniff

Without it:
A browser may decide for itself what a response is, for example executing an uploaded file served as an image or plain text as a script or stylesheet, which turns a harmless upload into an injection.


4. X-Frame-Options

This header prevents your site from being embedded in an iframe on another domain.

Why it matters:
Protects against clickjacking — a technique where users are tricked into clicking invisible UI elements.

Example:

X-Frame-Options: DENY

Without it:
Your payment or login page could be hidden inside another site and abused.


5. Referrer-Policy

This header controls how much referrer information the browser includes in requests when navigating away from your site or fetching third-party resources.

Why it matters:
Protects user privacy and prevents leaking sensitive URLs to third parties.

Example:

Referrer-Policy: strict-origin-when-cross-origin

Without it:
Sensitive URL parameters (like tokens or email addresses) may be leaked to external domains.


6. Permissions-Policy (formerly Feature-Policy)

This header restricts the use of powerful browser features like geolocation, camera, microphone, and clipboard access.

Why it matters:
Reduces the attack surface from malicious iframes or scripts abusing browser APIs.

Example:

Permissions-Policy: geolocation=(), microphone=(), camera=()

Without it:
Third-party scripts embedded in your site could request dangerous permissions without your knowledge.


How Breachfin Monitors and Enforces Header Security

Breachfin’s scanner automatically:

  • Audits your HTTP response headers on every scan
  • Flags missing, misconfigured, or deprecated headers
  • Assigns a Header Security Score based on severity
  • Provides remediation guidance for every issue found
  • Tracks header drift over time for compliance reporting

This makes it easy for your security and DevOps teams to harden your site, reduce risk, and stay PCI DSS–ready.
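The audit the scanner performs can be approximated in a few dozen lines. The script below is an added example, not Breachfin's code; it checks the six headers from this post against a dict of response headers and produces a weighted score. The severity weights, the individual checks, and the sample headers are illustrative assumptions.

```python
# Added example (not Breachfin's scanner): audit the six headers from this post.
# Weights and checks are illustrative assumptions; None from a check means "acceptable".
import re

def _csp(v):
    # Split "name value value; name ..." into {name: [values]}
    directives = {d.split()[0]: d.split()[1:] for d in v.split(";") if d.strip()}
    scripts = directives.get("script-src", directives.get("default-src"))
    if scripts is None:
        return "no script-src or default-src directive"
    if "'unsafe-inline'" in scripts:
        return "script sources allow 'unsafe-inline' (defeats XSS protection)"
    if "object-src" not in directives and "default-src" not in directives:
        return "object-src unrestricted (add object-src 'none')"
    return None

def _hsts(v):
    m = re.search(r"max-age=(\d+)", v)
    if not m: return "max-age missing"
    if int(m.group(1)) < 31536000: return f"max-age={m.group(1)} is below one year"
    return None if "includesubdomains" in v.lower() else "includeSubDomains missing"

# One-line checks for the remaining headers
def _nosniff(v): return None if v.strip().lower() == "nosniff" else "value must be 'nosniff'"
def _xfo(v): return None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "use DENY or SAMEORIGIN"
def _referrer(v): return "leaks full URL cross-origin" if v.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade") else None
def _permissions(v): return None if all(re.search(rf"\b{f}=\(\)", v) for f in ("geolocation", "camera", "microphone")) else "geolocation/camera/microphone not all disabled"

# (header, severity weight, check), in the order the post discusses them
CHECKS = [("Content-Security-Policy", 3, _csp), ("Strict-Transport-Security", 3, _hsts),
          ("X-Content-Type-Options", 1, _nosniff), ("X-Frame-Options", 2, _xfo),
          ("Referrer-Policy", 1, _referrer), ("Permissions-Policy", 1, _permissions)]

def audit_headers(headers):
    """Return (score 0-100, list of findings) for a header dict; names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    total = sum(w for _, w, _ in CHECKS)
    lost, findings = 0, []
    for name, weight, check in CHECKS:
        value = lowered.get(name.lower())
        problem = "missing" if value is None else check(value)
        if problem:
            lost += weight
            findings.append(f"{name}: {problem}")
    return round(100 * (total - lost) / total), findings

# Constructed sample response: three weak values, one missing header, two correct ones
SAMPLE_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
                  "Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff",
                  "Referrer-Policy": "unsafe-url", "Permissions-Policy": "geolocation=(), microphone=(), camera=()"}
```

Feeding SAMPLE_HEADERS to audit_headers yields four findings and a score of 18, while the six example values from this post score 100 with no findings.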


Final Thoughts

These headers aren’t just optional best practices — they’re essential defenses in a modern web application. Misconfigured or missing headers can expose your site to avoidable attacks that violate both user trust and compliance obligations.

With Breachfin, your headers are constantly checked, scored, and reported — so you’re never caught off guard.


Run a header audit now at breachfin.com and see what your site is missing.

