Security Headers Checklist: HSTS + CSP (and what to break-test before launch)

 Security headers play a crucial role in protecting modern websites from common attacks and data leaks. Before launching a site, it’s important to review key protections like Content Security Policy (CSP) and properly enable HSTS to enforce secure HTTPS connections. A structured checklist helps developers confirm that these headers are configured correctly and tested thoroughly before deployment. 

Why Security Headers Matter 

Security headers play a vital role in safeguarding both websites and their users against frequently encountered web attacks. When a website lacks these headers, browsers may end up trusting almost all the content the site loads, which can lead to the execution of malicious scripts or invisible iframes without being noticed.  

Such areas of trust can be exploited by attackers to embed dangerous code, acquire login details, or deceive users into carrying out actions they did not intend. By setting security headers, a website owner is instructing the browser to implement very strict rules, and any suspicious behavior is detected and blocked even before it can cause harm.  

Security headers or the set of rules specified by the website through headers help to avoid the above mentioned, and more threats such as Cross, Site Scripting (XSS), clickjacking and HTTPS-to-HTTP downgrade attacks, where attackers downgrade secure HTTPS connections to HTTP.  

Additionally, they regulate the exposure of information through referrer data. Properly setting security headers is akin to a crucial security defense layer that website owners can rely on for their applications. 

The Must-Have Security Headers Checklist  

1. Content-Security-Policy (CSP)

Content-Security-Policy (CSP) is certainly one of the strongest defenses you can set up via security headers. With CSP, you essentially specify which resources your website can use for loading, for example, scripts, images, stylesheets, and fonts. By listing trusted sources, you make a sort of a whitelist to which the browser will have to conform. This feature is crucial, in particular, for thwarting Cross-Site Scripting (XSS) attacks when hackers attempt to insert harmful scripts into your website. To illustrate the point, a directive such as : 

Content-Security-Policy: default, src ‘self’; script, src ‘self’ https://apis.google.com  

Restricts the browser to load resources only from your domain by default, and allows the running of scripts only from your domain and Google APIs. 

2. HTTP Strict-Transport-Security (HSTS)

HTTP Strict Transport Security (HSTS) forces browsers to use a secure HTTPS connection when accessing your website. When a browser sees this header, it will change any subsequent HTTP requests to HTTPS requests for a certain duration. This not only helps freeze attacks that try to trick the user into switching to an insecure protocol, but also protects the communication between the user and the attacker from being read or tampered with when using an unsecured connection: 

For example, Strict-Transport-Security: max-age=31536000; includeSubDomains; preload enforces HTTPS for one year, applies the rule to all subdomains, and allows your site to be added to browser preload lists.m 

3. X-Frame-Options

The X-Frame-Options header is used to determine if your website can be shown within frames. The reason for the protection is to combat clickjacking attacks, whereby the harmful sites try to fool users into clicking hidden elements by putting your page inside another page.  

By setting X-Frame-Options: DENY, you prohibit your site from being embedded anywhere, whereas SAMEORIGIN permits framing only within the pages on the same domain. Even though this header is still very much in use, the modern ones are usually based on the frame-ancestors directive in Content Security Policy, which offers more flexibility. 

4. X-Content-Type-Options 

The X-Content-Type-Options header is a very helpful tool to prevent a security vulnerability called MIME sniffing. A browser, by default, might decide to ‘guess’ the type of a file in case the server hasn’t clearly stated the content type. A malicious user can take advantage of this ‘guessing’ feature by coding harmful scripts and presenting them as harmless files, e.g., images.  

By applying X-Content-Type-Options: nosniff, you are telling the browser to strictly adhere to the server’s specified content type and not attempt to guess it. Such a simple header makes it very difficult for attackers to succeed, as it basically ensures that a file gets processed only as the declared one. 

5. Referrer-Policy

The Referrer-Policy header defines the amount of data, regarding the last visited page, that will be disclosed when a user clicks a link to a different site. If not regulated, URLs might even include private information like tokens or query parameters, could be leaked to third-party websites.  

By using a policy like Referrer-Policy,: strict-origin-when-cross-origin, it gives the full URL if the user is going to a page within the same site.. It does that by making user privacy better and also reducing the potential for giving out user-sensitive information. 

How to Implement Security Headers 

There are many different ways to set up security headers on a website that you want to protect. It depends on the nature of your web application, and it could be through web-server configuration, inserting them into the application code, or via framework settings. Which approach you should take depends on your system architecture and hosting environment. 

Web Server Configuration (Nginx) 

If you happen to use Nginx, you may add security headers straight to the server configuration file. By doing so, these headers will be applied to the server in such a way that every request to your website will naturally have them included. This method is quite straightforward and dependable to enhance security and support HSTS together with other defensive headers. 

 

# In your server block for example.com 

server { 

    listen 443 ssl; 

    server_name example.com; 

    add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” always; 

    add_header Content-Security-Policy “default-src ‘self’; script-src ‘self’; object-src ‘none’;” always; 

    add_header X-Frame-Options “DENY” always; 

    add_header X-Content-Type-Options “nosniff” always; 

    add_header Referrer-Policy “strict-origin-when-cross-origin” always; 

    add_header Permissions-Policy “camera=(), microphone=()” always; 

} 

Web Server Configuration (Apache) 

In the case of the websites hosted on Apache, they can have the security headers implemented by utilizing the mod_headers module. These configurations can either be added to the server’s VirtualHost settings or even the .htaccess file. After the changes have been made, Apache will on its own include the specified headers to every response that is sent to the users. 

 

# In your VirtualHost configuration or .htaccess file 

<IfModule mod_headers.c> 

    Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” 

    Header always set Content-Security-Policy “default-src ‘self’; script-src ‘self’; object-src ‘none’;” 

    Header always set X-Frame-Options “DENY” 

    Header always set X-Content-Type-Options “nosniff” 

    Header always set Referrer-Policy “strict-origin-when-cross-origin” 

    Header always set Permissions-Policy “camera=(), microphone=()” 

</IfModule> 

 

Application-Level Implementation (Node.js with Helmet) 

If your app is running a Node.js and Express technology stack, you can implement security headers by directly embedding them inside your code with the help of the Helmet middleware. By default, Helmet sets multiple critical headers with secure default values, which effectively secures your app with minimum effort. 

 

const express = require(‘express’); 

const helmet = require(‘helmet’); 

const app = express(); 

app.use(helmet()); // Sets sensible defaults for multiple security headers 

// Custom configuration example 

app.use(helmet.contentSecurityPolicy({ 

  directives: { 

    defaultSrc: [“‘self'”], 

    scriptSrc: [“‘self'”, “trusted-scripts.com”], 

  } 

})); 

app.listen(3000); 

Using Helmet allows developers to manage security policies directly inside the application. 

Frontend Frameworks (Next.js)

 

Next.js and other recent frameworks strongly support the addition of security headers via configuration files. You can be sure that every page of your site will carry the security headers simply by specifying the headers in next.config.mjs. 

 

// next.config.mjs 

const securityHeaders = [ 

  { 

    key: ‘Strict-Transport-Security’, 

    value: ‘max-age=31536000; includeSubDomains; preload’ 

  }, 

  { 

    key: ‘X-Frame-Options’, 

    value: ‘DENY’ 

  }, 

  { 

    key: ‘X-Content-Type-Options’, 

    value: ‘nosniff’ 

  }, 

  { 

    key: ‘Referrer-Policy’, 

    value: ‘strict-origin-when-cross-origin’ 

  } 

] 

 

export default { 

  async headers() { 

    return [ 

      { 

        source: ‘/:path*’, 

        headers: securityHeaders, 

      }, 

    ]; 

  }, 

}; 

 

This method works particularly well for modern web applications since the majority of the logic is implemented by the framework. 

Testing and Validating Your Headers 

Adding security headers is one of the vital steps. Still, you should do everything to secure them from leaking. Testing verifies that the right security headers are in place, sent with each request by default. You can perform this either by straightforward manual inspection or by investing in automated software that scrutinizes your site for security problems. 

Manual Testing 

Checking your headers is pretty straightforward if you take advantage of browser developer tools. Just open your browser’s developer tools, switch to the Network tab, refresh your page, and then click on the main page request.  

Within the response panel, you’ll have a chance to view all the headers your server is dispatching. This is a real time saver for checking at a glance if your security headers are correctly set up. Even faster is simply opening your terminal and using curl.  

By running a command like curl-I https://your-site.com, you are able to immediately see the response headers that your server sends back. This approach is great for developers who need a quick way to verify header setup without launching a browser. 

Automated Tools 

Manual checks are admittedly helpful. However, automated tools can not only bring more depth to the insights obtained but also function as a continuous monitoring system. 

Such tools keep an eye on your website’s security headers automatically and send you alerts if you have left something out or made a wrong configuration. 

That way, you can be sure that your security settings will remain in force even after some time has elapsed. A very handy tool is Google’s CSP Evaluator, which dissects your Content Security Policy and spots potential issues or errors in your setup. If you make it a habit of using such tools, then you will be able to keep a secure site and have your headers operate exactly as you meant them to. 

Common Pitfalls & Solutions 

Security headers are very effective, but if configured improperly, they may bring about some unexpected problems. Many developers encounter minor hiccups when they are first adding them, especially with the strictest policies. The great news is that such problems are commonly solved with quite straightforward solutions. 

When Your CSP Blocks Your Own Scripts 

One of the usual complications is that your Content Security Policy (CSP) might be over restrictive. If the policy only permits a small number of sources, the browser can disallow scripts or other resources that your app itself relies on to work.  

Subsequently, some of your web pages may not function properly. The best way to approach such an issue is to begin with a less strict policy and make it more restricted as you discover the sources your site needs.  

Besides, it is possible to keep an eye on what is being blocked with the reporting capabilities, like the report-uri or report-to directives. These reports will let you know which resources are being blocked so you can make the necessary adjustments to the policy with peace of mind.  

When HSTS Causes Problems During Development 

Another frequent issue arises when HSTS (HTTP Strict Transport Security) is turned on in a development environment. The browser, after getting the HSTS header, might not accept a connection to the site over HTTP.  

If your development environment doesn’t support HTTPS, this can really complicate local testing. The easiest fix is to not set the max-age value to be very long or the preload directive in the non-production environments.  

For testing, pick a short period like max- age=3600, which means the instruction is valid for just one hour. You get to experiment with your security configurations without the development flow getting disrupted permanently. 

Effective HSTS+CSP Best Practices 

Implementing HSTS and CSP simultaneously can make your website security a lot stronger. HSTS guarantees that your website will always be accessed via HTTPS by browsers, which stops the possibility of downgrade attacks and protects your data during transmission.  

On the other hand, CSP works together with HSTS by giving you a way to specify which scripts, images, and other resources the browser can load, thus limiting the chances of Cross-Site Scripting attacks.  

Ideally, you should start your CSP policy by allowing only trusted sources, then, as you become more comfortable, you can tighten the policy more and more. In the meantime, adjust your HSTS to have a reasonable max age and only include the subdomains after you have tested. These headers combined make a strong defense layer that not only protects your application but also your users. 

Conclusion 

One of the most effective things you can do to safeguard your site and visitors against typical web dangers is to put in place robust security headers. Adhering to CSP guidelines can guarantee that the browser lets only reliable resources execute, thereby minimizing the potential of harmful code injection and other types of assaults.  

Likewise, having an appropriate security headers checklist ready for the launch permits you to double-check that all the vital safeguards, such as HSTS, CSP, and corresponding policies, are properly set up and taken through the testing phase, thus resulting in a more secure and durable web application. 

FAQs  

What role does CSP play Prevent XSS CSP? 

 

CSP limits script sources, thus preventing XSS attacks by disallowing scripts from untrusted sources and prohibiting the running of malicious injected code.  

 

How is HSTS configured in Cloudflare?  

 

By turning on HTTPS enforcement via Cloudflare HSTS settings options, you essentially tell browsers to always make a secure connection through HTTPS.  

 

What is a very simple example of Content Security Policy?  

 

One of the simplest Content-Security-Policy header example could be: default-src-self’-script-src-self’. Which means allowing scripts and other resources only from your own domain.  

 

Is it necessary to test CSP before live deployment?  

 

Definitely, start with the report, the only mode to find out which resources are being blocked, modify allowed sources, and avoid inadvertently breaking your scripts or the site functionality.  

 

Are security headers capable of reducing website performance?  

 

Security headers usually do very little to slow down performance, but on the other hand, they provide a great defense against XSS, clickjacking, and data theft vulnerabilities.