Published by Sentinel · June 2026
Security headers are HTTP response headers that tell your browser how to behave when handling your website's content. They're one of the easiest and most effective ways to protect your users from common web attacks — yet most websites don't have them properly configured.
In this post, we'll cover the five security headers every website should implement, why they matter, and how Sentinel can help you audit your setup.
CSP is your first line of defense against Cross-Site Scripting (XSS) attacks. It lets you define which sources of content (scripts, styles, images, fonts) are allowed to load on your page.
Without CSP, an attacker who injects a malicious script tag into your page gets full access to the DOM. With CSP, you can tell the browser: "Only execute scripts from my own domain."
Content-Security-Policy: default-src 'self'

HSTS forces browsers to only connect to your site over HTTPS, even if the user types http:// or clicks an old HTTP link. This prevents man-in-the-middle attacks and protocol downgrade attacks.
The browser remembers this directive for the duration you specify (max-age) and refuses to load your site over an insecure connection. With the preload directive, you can also submit your domain to the browsers' built-in preload list, so the protection applies even on a user's very first visit.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

X-Frame-Options prevents your website from being embedded in an iframe on another domain. This stops "clickjacking" attacks, where an attacker overlays invisible buttons on top of your site in a transparent iframe to trick users into performing actions they didn't intend.
X-Frame-Options: DENY or SAMEORIGIN

Browsers sometimes try to "sniff" the MIME type of a response by looking at its content, ignoring the Content-Type header. This can allow attackers to upload a malicious file that browsers interpret as executable JavaScript or HTML.
X-Content-Type-Options: nosniff tells the browser to trust the declared Content-Type and never MIME-sniff.
X-Content-Type-Options: nosniff

Permissions-Policy gives you fine-grained control over which browser APIs and features your site (and any embedded third-party content) can use. You can disable camera, microphone, geolocation, and other powerful APIs that your site doesn't need — reducing your attack surface.
Permissions-Policy: camera=(), microphone=(), geolocation=()

Checking all these headers manually on every page is tedious. That's why we built Sentinel — a fast, free security header checker that scans your website and gives you a clear score with actionable recommendations.
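To show what an audit of these five headers actually evaluates, here is a small offline checker written for this post as an added example (it is not Sentinel's code). It runs against two constructed header sets, one matching the values shown above and one deliberately weak, and flags the gaps a practitioner would care about: missing headers, a CSP with no default-src fallback or with 'unsafe-inline' and no nonce, an HSTS max-age under one year or without includeSubDomains, and an unexpected X-Frame-Options value.

```python
# Added example, not Sentinel's implementation: an offline audit of the five
# headers discussed in this post, run against constructed response headers.
from typing import Dict, List

REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-frame-options", "x-content-type-options", "permissions-policy")
ONE_YEAR = 31536000  # the max-age value recommended above


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all five headers pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]

    csp = h.get("content-security-policy", "")
    if csp:
        directives = {d.split()[0] for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("csp: no default-src fallback directive")
        # 'unsafe-inline' re-enables injected inline scripts unless a nonce/hash is also set
        if "'unsafe-inline'" in csp and "nonce-" not in csp:
            findings.append("csp: 'unsafe-inline' without a nonce weakens XSS protection")

    hsts = h.get("strict-transport-security", "")
    if hsts:
        parts = [p.strip().lower() for p in hsts.split(";")]
        max_age = 0
        for p in parts:
            if p.startswith("max-age=") and p[len("max-age="):].isdigit():
                max_age = int(p[len("max-age="):])
        if max_age < ONE_YEAR:
            findings.append(f"hsts: max-age {max_age} is below one year")
        if "includesubdomains" not in parts:
            findings.append("hsts: includeSubDomains not set")

    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {xfo!r}")
    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(f"x-content-type-options: expected nosniff, got {xcto!r}")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD = {"Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
WEAK = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300",
        "X-Frame-Options": "ALLOWALL",
        "X-Content-Type-Options": "nosniff"}
```

Running `check_headers(WEAK)` yields six findings, while `check_headers(GOOD)` yields none.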
With Sentinel's free tier, you get 5 checks per day. Upgrade to Pro for unlimited checks, priority support, and detailed reporting.