
HTTP Security Headers — Complete Overview

28. 11. 2025 1 min read intermediate

Proper HTTP security headers are the cheapest security measure. One line of configuration can stop entire categories of attacks.

Complete Set — Nginx

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;

What Each Header Does

  • HSTS: Enforces HTTPS, prevents SSL stripping
  • X-Frame-Options: Prevents clickjacking
  • X-Content-Type-Options: Prevents MIME sniffing
  • Referrer-Policy: Controls Referer header
  • Permissions-Policy: Limits access to APIs (camera, GPS)

Testing

curl -I https://example.com

Online: securityheaders.com, observatory.mozilla.org
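The online scanners above need a public host. For internal services, or to keep the check in a CI pipeline, the same verification can be done locally on the text that curl -I prints. The script below is an added example, not part of the original post or the CORE SYSTEMS tooling: it parses a raw response-header block, reports which of the seven headers from the Nginx set are missing, and flags values that are present but weak (an HSTS max-age under one year or without includeSubDomains, an X-Frame-Options value other than DENY/SAMEORIGIN, a CSP default-src that allows a wildcard or 'unsafe-inline', a Referrer-Policy of unsafe-url). The two header blocks are constructed samples, and the one-year HSTS threshold is this example's own choice (it is the minimum the preload list requires). One caveat worth knowing before deploying the set above: default-src 'self' also blocks inline scripts and styles, so test the application after enabling it.

```python
"""Audit a raw HTTP response header block (as printed by `curl -I`)
for the security headers discussed above. Added example code."""
import re

# One year, the minimum max-age accepted by the HSTS preload list (example threshold).
MIN_HSTS_MAX_AGE = 31536000


def _check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return f"max-age {m.group(1)} below one year"
    if "includesubdomains" not in value.lower():
        return "missing includeSubDomains"
    return None


def _check_xfo(value):
    ok = value.strip().upper() in ("DENY", "SAMEORIGIN")
    return None if ok else f"unexpected value {value.strip()!r}"


def _check_nosniff(value):
    return None if value.strip().lower() == "nosniff" else f"unexpected value {value.strip()!r}"


def _check_referrer(value):
    return "unsafe-url leaks full URLs cross-origin" if value.strip().lower() == "unsafe-url" else None


def _check_csp(value):
    # Split into directives and look only at default-src, the fallback for every fetch.
    directives = {d.split()[0].lower(): d for d in (p.strip() for p in value.split(";")) if d}
    if "default-src" not in directives:
        return "no default-src directive"
    sources = directives["default-src"].split()[1:]
    if "*" in sources or "'unsafe-inline'" in sources:
        return "default-src allows unsafe-inline or wildcard"
    return None


# Header name (lowercased) -> validator; every header in this table is required.
CHECKS = {
    "strict-transport-security": _check_hsts,
    "x-frame-options": _check_xfo,
    "x-content-type-options": _check_nosniff,
    "referrer-policy": _check_referrer,
    "permissions-policy": lambda v: None,       # any explicit policy is an improvement
    "content-security-policy": _check_csp,
    "cross-origin-opener-policy": lambda v: None,
}


def parse_headers(raw):
    """Parse a `curl -I` style block into {lowercased name: value}; header names are case-insensitive."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return {header: finding} for headers that are missing or weak; an empty dict means all checks passed."""
    headers = parse_headers(raw)
    findings = {}
    for name, check in CHECKS.items():
        if name not in headers:
            findings[name] = "missing"
            continue
        problem = check(headers[name])
        if problem:
            findings[name] = problem
    return findings


# Constructed sample: what the Nginx configuration above produces.
GOOD = """HTTP/2 200
content-type: text/html
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
content-security-policy: default-src 'self'
cross-origin-opener-policy: same-origin
"""

# Constructed sample: a server that set a few headers but with weak values.
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Content-Security-Policy: default-src * 'unsafe-inline'
"""

if __name__ == "__main__":
    for label, block in (("good", GOOD), ("weak", WEAK)):
        print(f"{label}: {audit_headers(block) or 'all checks passed'}")
```

To audit a live host, pipe the real output in: `curl -sI https://example.com | python3 audit_headers.py` with a small `sys.stdin.read()` wrapper, or call audit_headers() from a CI job and fail the build when the returned dict is not empty.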

Key Takeaway

Add all the security headers. It takes 5 minutes and protects against clickjacking, XSS and MIME sniffing.


CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.