Security headers are your first line of defense. At Google, every response includes these headers.
Content-Security-Policy (CSP)
The most powerful security header. It tells the browser which origins may supply scripts, styles, images, frames and other resources for the page, so injected content from anywhere else is refused before it runs.
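As an added example (not code from the original page), the Python below builds a per-response, nonce-based CSP, parses a header back into directives, decides whether an inline script would run under it, and lints for the directive shapes that let injected markup execute. The directive baseline and the `/csp-report` endpoint are assumptions; the evaluator goes slightly beyond the page by implementing the rule that a nonce or hash source disables `'unsafe-inline'`.

```python
"""Build, parse and lint a nonce-based Content-Security-Policy header.

Added example, not code from the original page. The directive set in
build_csp() is an assumed baseline; adjust the allow-lists to your site.
"""
import secrets
from typing import Optional


def new_nonce() -> str:
    """Return a fresh 128-bit nonce (base64url). Generate one per response,
    never reuse it, and put the same value on every <script nonce=...> tag."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_endpoint: str = "/csp-report") -> str:
    """Serialize a strict baseline: same-origin resources by default, scripts
    only if same-origin or carrying this response's nonce, no plugins, no
    framing, and violations reported to an endpoint (assumed path)."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "frame-ancestors": ["'none'"],
        "report-uri": [report_endpoint],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; the first occurrence of a directive wins."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def inline_script_allowed(policy: dict[str, list[str]], tag_nonce: Optional[str]) -> bool:
    """Decide whether an inline <script> runs under the policy.
    script-src governs scripts; if absent the browser falls back to default-src.
    A nonce or hash source disables 'unsafe-inline', so inline code then needs
    a matching nonce."""
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if has_nonce_or_hash:
        return tag_nonce is not None and f"'nonce-{tag_nonce}'" in sources
    return "'unsafe-inline'" in sources


def lint_csp(policy: dict[str, list[str]]) -> list[str]:
    """Flag the policy shapes that let injected markup execute."""
    findings: list[str] = []
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-eval'" in script_sources:
        findings.append("script-src allows 'unsafe-eval'")
    if "'unsafe-inline'" in script_sources and not any(
        s.startswith(("'nonce-", "'sha")) for s in script_sources
    ):
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash")
    if any(s in ("*", "http:", "https:", "data:") for s in script_sources):
        findings.append("script-src allows a scheme-wide or wildcard source")
    # object-src falls back to default-src; plugins should be off entirely.
    if policy.get("object-src", policy.get("default-src", [])) != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "base-uri" not in policy:
        findings.append("base-uri not restricted (add base-uri 'self' or 'none')")
    return findings


if __name__ == "__main__":
    nonce = new_nonce()
    header = build_csp(nonce)
    print(header)
    print("lint:", lint_csp(parse_csp(header)) or "clean")
```

The nonce must change on every response; a fixed or predictable nonce gives an attacker who can inject markup the same privilege as your own scripts, which is why `new_nonce()` draws from `secrets` rather than `random`.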
Essential Headers
| Header | Value | Purpose |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Force HTTPS for one year (31536000 s), including subdomains |
| X-Content-Type-Options | nosniff | Prevent MIME type sniffing |
| X-Frame-Options | DENY | Prevent clickjacking |
| Referrer-Policy | strict-origin-when-cross-origin | Control referrer info |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Disable unused APIs |
| Cross-Origin-Opener-Policy | same-origin | Isolate the browsing context from cross-origin openers |
| Cross-Origin-Embedder-Policy | require-corp | Block cross-origin resources that don't opt in via CORS or CORP |
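As an added example (not code from the original page), the Python below audits a response's headers against the values in the table: it parses the HSTS `max-age`, checks each header's expected value, and returns one finding per gap. The two header sets at the bottom are constructed samples, not real responses.

```python
"""Audit an HTTP response's headers against the baseline in the table above.

Added example, not code from the original page. GOOD_HEADERS and WEAK_HEADERS
are constructed samples; MIN_HSTS_AGE mirrors the table's one-year max-age.
"""
import re

MIN_HSTS_AGE = 31536000  # seconds in a year, as in the table

# Policies that never send the full URL to a cross-origin destination.
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def audit_headers(raw_headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every baseline check passed.
    HTTP header names are case-insensitive, so lookups use lowercase names."""
    h = {name.lower(): value.strip() for name, value in raw_headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security max-age {age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        findings.append("Cross-Origin-Opener-Policy is not same-origin")

    if h.get("cross-origin-embedder-policy", "").lower() != "require-corp":
        findings.append("Cross-Origin-Embedder-Policy is not require-corp")

    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")

    return findings


# Constructed sample: a response that matches the table.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
}

# Constructed sample: a server with a short HSTS lifetime and leaky defaults.
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, headers in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(headers) or "all checks passed")
```

Run this over the headers a real client received (for instance the dict a `requests` or `urllib` response exposes) rather than the values in your server config: a proxy or CDN in front of the origin can strip or override headers, and the audit only proves what reached the browser.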
Implementation
Testing Your Headers
- Use securityheaders.com for a quick grade
- Chrome DevTools → Network → Response Headers
- Use the report-uri or report-to CSP directive (or a collection service such as Report URI) to monitor CSP violation reports