HTTP security headers are instructions in the server response that tell the browser how to handle the site safely. Correctly configured, they shut down or sharply limit XSS, clickjacking, MIME sniffing and referrer leaks. A few lines of configuration, a lot of protection.
1. Strict-Transport-Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubDomains
Tells the browser "always connect to this host over HTTPS" for max-age seconds (31536000 = one year, the recommended minimum); includeSubDomains extends that to every subdomain. Once the browser has seen the header it rewrites http:// links to https:// itself and refuses to click through certificate errors, which defeats SSL stripping and similar man-in-the-middle downgrades. Two caveats: the header is only honoured when received over HTTPS, and the very first visit is unprotected until the browser has seen it; adding the preload directive and submitting the domain to the browsers' preload list closes that gap.
2. Content-Security-Policy (CSP)
Content-Security-Policy: default-src 'self'
The most powerful and the most complex header. Whitelists the origins from which scripts, styles, images, frames and other resources may be loaded; anything else is refused. Because injected script usually arrives as inline code or from another origin, an enforced CSP without 'unsafe-inline' removes most of the impact of an XSS bug, though it does not fix the bug itself. Note that default-src 'self' also blocks your own inline <script> and <style> blocks: move them to files or allow them with a nonce or hash. The frame-ancestors directive is the modern replacement for X-Frame-Options and can live in the same policy.
3. X-Frame-Options
X-Frame-Options: SAMEORIGIN
Stops other sites from loading your pages in an iframe (clickjacking): SAMEORIGIN allows only your own origin, DENY allows nobody. Browsers that understand CSP frame-ancestors give it priority over this header, so set both while older browsers still matter.
4. X-Content-Type-Options
X-Content-Type-Options: nosniff
Stops the browser from "guessing" a content type from the bytes. A response sent as text/plain (an uploaded .txt, say) is not executed as a script even if a page references it with a <script> tag, and a script or stylesheet whose declared type does not match is rejected. This only helps if your own responses carry correct Content-Type values.
5. Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin
Controls how much of the current URL goes into the Referer header when the browser requests something elsewhere. With strict-origin-when-cross-origin, same-origin requests send the full URL, cross-origin requests send only the origin (scheme, host, port), and nothing is sent when going from HTTPS to HTTP. That keeps paths and query strings (session tokens, search terms, internal URLs) off third-party servers.
6. Permissions-Policy
Permissions-Policy: geolocation=(), microphone=(), camera=()
Disables browser features the site does not need. An empty allowlist () denies the feature to the page itself and to every embedded frame; use (self) to keep it for your own origin. An injected script or a compromised third-party widget then cannot ask for the camera, microphone or location.
Apache setup (.htaccess)
<IfModule mod_headers.c>
    # "always" applies the header to error responses (4xx/5xx) too, not only to 200s
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
In Nginx (the always flag again covers error responses). Caveat: add_header is not inherited. A location block with its own add_header drops every add_header from the enclosing server block, so repeat the full set of headers in each such block.
add_header X-Frame-Options "SAMEORIGIN" always;
In PHP (must run before any output, because the headers are sent with the first byte of the body)
header('X-Frame-Options: SAMEORIGIN');
Checking
1) securityheaders.com grades the site from A+ to F and explains each missing or weak header.
2) Mozilla Observatory runs a similar but broader check.
3) DevTools → Network → select the document request → Response Headers. Use this for staging and internal hosts the online tools cannot reach, and check more than the front page: error pages, API responses and redirects often lack the headers the home page has.
CSP with care
If the policy is too strict, your own JS and CSS stop loading, and the only symptom is a row of errors in the browser console. Roll it out first under the Content-Security-Policy-Report-Only header with a report-uri (or report-to) endpoint: the browser enforces nothing but reports every violation, so you can fix pages or widen the policy before renaming the header to the enforcing Content-Security-Policy. Report-Only alone protects nothing, so do not stop there.
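The Report-Only workflow needs something on the server to receive the reports. Below is an added example, written for this article and not part of it, of a stdlib-only Python WSGI application that sends the policy in Report-Only mode and stores the violation reports browsers POST back; it also shows setting security headers from application code, the same idea as the PHP one-liner above. The policy text, the /csp-report path, the port and the in-memory violation store are assumptions for the demo, and SAMPLE_REPORT is a constructed report shaped like what a browser sends for the inline script on the test page.

```python
"""CSP in Report-Only mode with a report endpoint, as a stdlib-only WSGI app.
Added example, not the article's code; policy, path and storage are assumptions.
"""
import io
import json
from typing import Dict, List, Tuple

# Policy under test. report-uri tells the browser where to POST violation reports
# (report-to is the newer mechanism; report-uri is still the widely supported one).
REPORT_ONLY_POLICY = "default-src 'self'; report-uri /csp-report"

# Violations collected so far: directive -> blocked URIs (in memory, enough for a test run).
violations: Dict[str, List[str]] = {}


def record_report(body: bytes) -> Dict[str, str]:
    """Parse one browser-generated report and keep what is needed to tune the policy.

    Browsers POST JSON like {"csp-report": {"document-uri": ..., "violated-directive": ...,
    "effective-directive": ..., "blocked-uri": ...}} with Content-Type application/csp-report.
    """
    report = json.loads(body.decode("utf-8")).get("csp-report", {})
    directive = report.get("effective-directive") or report.get("violated-directive", "unknown")
    blocked = report.get("blocked-uri", "unknown")  # "inline" for inline script/style
    bucket = violations.setdefault(directive, [])
    if blocked not in bucket:
        bucket.append(blocked)
    return {"directive": directive, "blocked": blocked}


def summarize() -> Dict[str, List[str]]:
    """Everything the policy would have blocked: each entry is a source to allow or code to fix."""
    return {d: sorted(uris) for d, uris in violations.items()}


def app(environ, start_response):
    """WSGI entry point: pages get the Report-Only header, POST /csp-report stores reports."""
    path = environ.get("PATH_INFO", "/")
    if path == "/csp-report" and environ.get("REQUEST_METHOD") == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        print("CSP violation:", record_report(environ["wsgi.input"].read(length)))
        start_response("204 No Content", [])
        return [b""]

    # The inline <script> violates default-src 'self'. In Report-Only mode it still runs,
    # but the browser sends a report for it, which is exactly what we want to see first.
    page = b"<!doctype html><title>CSP test</title><script>console.log('inline')</script>"
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy-Report-Only", REPORT_ONLY_POLICY),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [page]


def handle(method: str, path: str, body: bytes = b"") -> Tuple[str, Dict[str, str], bytes]:
    """Drive the app without a server: returns (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
    }
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


# Constructed report, shaped like what a browser sends for the inline script above.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://127.0.0.1:8000/",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "blocked-uri": "inline",
}}).encode("utf-8")

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Open http://127.0.0.1:8000/ in a browser; each violation is printed as it arrives.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Once summarize() comes back empty for real traffic, switch the header name to Content-Security-Policy and keep the report endpoint: enforced policies report too, and a sudden burst of new violations after a deploy is the fastest warning that something broke or that someone is injecting content. In production, rate-limit the endpoint and cap the stored size, since anyone can POST to it.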
Sayt.uz practice
Sayt.uz has HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and CSP configured. Grade A on securityheaders.com.