HTTP security headers explained (HSTS, CSP, and more)

June 1, 2026 · 2 min read

Invisible to visitors but vital to safety: security headers tell your browser to refuse insecure connections and block risky scripts. Here is what each one does.

What are HTTP security headers?

Every time you open a web page, the server sends back the page plus a set of instructions called response headers. A handful of these are security headers: they tell your browser to behave more safely - refuse insecure connections, block risky scripts, and stop other sites from misusing the page. They're invisible to visitors but make a real difference to how safe a site is.

The headers that matter

  • Strict-Transport-Security (HSTS). Tells the browser to use HTTPS only for that host (for the number of seconds in max-age), so a later connection can't be silently downgraded to plain HTTP. Caveat: the browser only honours the header once it has seen it over HTTPS, so the very first visit is unprotected unless the site is on the browsers' preload list, and a short max-age gives little protection.
  • Content-Security-Policy (CSP). Controls what a page is allowed to load and run - the strongest browser-side mitigation for cross-site scripting (XSS), where an attacker injects malicious code. It limits what injected code can do rather than fixing the injection itself, and a policy that allows 'unsafe-inline' scripts or '*' sources defends against very little.
  • X-Content-Type-Options: nosniff. Stops the browser from "guessing" (sniffing) a file's type from its contents and running, say, an uploaded text file as a script or stylesheet.
  • X-Frame-Options / frame-ancestors. Stops other sites from embedding the page in a hidden frame to trick you into clicking (clickjacking). X-Frame-Options is the older header; CSP's frame-ancestors directive replaces it and wins when both are present.
  • Referrer-Policy. Limits how much of the current page's address (including paths, search terms, or tokens that might be in the URL) is sent as the Referer when you follow a link away from the site.
  • Permissions-Policy. Restricts powerful browser features like camera, microphone, and location for the page and for any frames it embeds.
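To make the checks above concrete, here is an added example (written for this guide, not the code behind the Security Headers Checker) that audits a set of response headers the way a checker would: it parses HSTS and CSP rather than only testing for presence, flags weak values, and maps the findings to a letter grade. The two header sets, the grading scale, and the finding wording are all constructed for illustration.

```python
"""Audit HTTP response headers for the security headers discussed above.

Everything here is constructed for illustration: the sample header sets are
hand-written rather than fetched from a real site, and the grading scale is
an assumption, not the scale used by any particular checker.
"""
import re

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age

# Constructed sample: a site that set some headers but chose weak values.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "unsafe-url",
}

# Constructed hardened baseline for comparison (assumed recommended values).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # HSTS: present, long max-age, and covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a connection can be downgraded to http://")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age={age} is short; use at least {ONE_YEAR}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains; subdomains stay downgradable")

    # CSP: script sources must exist and must not permit inline or wildcard scripts.
    # (In CSP3 'unsafe-inline' is ignored when a nonce or hash source is present.)
    csp = h.get("content-security-policy")
    frame_ancestors = None
    if csp is None:
        findings.append("CSP missing: nothing restricts which scripts the page may run")
    else:
        d = parse_csp(csp)
        script = d.get("script-src", d.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        if not script:
            findings.append("CSP has neither script-src nor default-src")
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("CSP allows 'unsafe-inline' scripts; injected scripts still run")
        if "*" in script:
            findings.append("CSP allows scripts from any origin ('*')")
        frame_ancestors = d.get("frame-ancestors")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing; MIME sniffing allowed")

    # Clickjacking: frame-ancestors takes precedence; fall back to X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("No clickjacking protection (frame-ancestors or X-Frame-Options)")

    rp = h.get("referrer-policy", "").strip().lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy weak or missing; full URLs leak to other sites")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing; camera/microphone/location not restricted")

    return findings


def grade(findings):
    """Illustrative scale: fewer findings, better grade."""
    scale = ["A+", "A", "B", "C", "D"]
    n = len(findings)
    return scale[n] if n < len(scale) else "F"


if __name__ == "__main__":
    for name, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = audit_headers(hdrs)
        print(f"{name}: grade {grade(found)}")
        for f in found:
            print("  -", f)
```

Running the script grades the constructed sample F with six findings (short HSTS, no includeSubDomains, 'unsafe-inline' scripts, no nosniff, leaky Referrer-Policy, no Permissions-Policy) and the hardened set A+. Note the sample passes the clickjacking check on X-Frame-Options alone, which is why a checker has to look at frame-ancestors and X-Frame-Options together rather than demanding both.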

Why they matter to you

You don't set these headers - website owners do. But they're a useful signal of how seriously a site takes security. A bank or shop missing the basics (especially HSTS and CSP) is a small yellow flag. They are not a verdict on safety: a site can have perfect headers and still be a scam, or miss a few and be perfectly legitimate. Treat them as one input, not the whole picture.

Check any site's headers

Our Security Headers Checker fetches a site, grades the headers above from A+ to F, and explains what each one does and what's missing - in plain language. If you run a website, it's a quick way to spot easy wins. Pair it with the SSL/TLS Checker for the encryption side.