What “secure headers” actually buy you
Each header closes off a specific attack class. The analyzer scores presence and configuration, because a misconfigured header can score zero while looking present.
| Header | Defends against | The configuration that matters |
|---|---|---|
| Content-Security-Policy | XSS, data injection | Avoid unsafe-inline/unsafe-eval; prefer nonces or hashes |
| Strict-Transport-Security | Protocol downgrade, cookie theft | Long max-age, includeSubDomains, careful preload |
| X-Content-Type-Options | MIME sniffing | Exactly nosniff |
| X-Frame-Options / frame-ancestors | Clickjacking | DENY or SAMEORIGIN (CSP frame-ancestors supersedes it) |
| Referrer-Policy | Referer leakage | strict-origin-when-cross-origin is a sane default |
| Permissions-Policy | Unwanted camera/geo/USB access | Deny features you don’t use |
CSP: nonce vs hash vs the unsafe-inline shortcut
A Content-Security-Policy is only as strong as its weakest source. The three ways to allow inline scripts, from worst to best:
unsafe-inline— allows any inline script, which defeats the entire point of CSP. It’s the most common reason a site has a CSP header but no real XSS protection.- Hashes — you compute the SHA-256 of each known inline script and list it. Great for static pages; brittle if a script changes.
- Nonces — the server emits a fresh random
nonce-...per request and tags trusted<script nonce="...">tags with it. An injected script has no valid nonce and won’t run. This is the production-grade answer for dynamic apps.
If your CSP contains unsafe-inline next to a nonce, note that modern browsers ignore unsafe-inline when a nonce or hash is present — a deliberate fallback so older browsers degrade gracefully without weakening newer ones.
The modern headers most audits forget
Beyond the classic five, three newer headers harden cross-origin isolation:
- Cross-Origin-Opener-Policy (COOP) —
same-originsevers the window reference between your page and cross-origin popups, blunting a class of side-channel and tab-napping attacks. - Cross-Origin-Resource-Policy (CORP) — controls who can embed your resources, mitigating Spectre-style cross-origin reads.
- Cross-Origin-Embedder-Policy (COEP) — required, together with COOP, to unlock
SharedArrayBufferand high-resolution timers.
You don’t need all of them everywhere, but a perfect classic-header score with none of these is a 2018-grade configuration, not a 2026 one.
Where to grab the headers to paste here
The fastest source is DevTools: open the Network tab, reload, click the document request, and read the Response Headers pane. From a terminal, curl -sSI https://example.com prints them directly. Paste the block in — status line included or not, the parser handles both — and read the recommendations against the tables above.