HTTP Security Headers: The Complete 2026 Checklist
Missing security headers are one of the most common and easily fixed OWASP vulnerabilities. Here's every header you should have, what it does, and how to implement it.
Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS for your domain. Add the header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Once a browser has received it over HTTPS, it will not make plain-HTTP requests to your domain for the max-age period — critical for preventing downgrade attacks.
Content-Security-Policy (CSP)
Defines which sources browsers are allowed to load for scripts, styles, images, and other resources. A proper CSP is your most powerful defense against XSS. Start with default-src 'self' and add exceptions as needed.
X-Frame-Options
Prevents your pages from being embedded in iframes on other domains — the primary defense against clickjacking. Set to DENY unless you specifically need to allow framing.
Check your security headers in 10 seconds.
UebGuard scans your domain and shows every missing or misconfigured security header — free.
No credit card required. Results in 10 seconds.
X-Content-Type-Options
Prevents MIME-type sniffing. Set to nosniff. This stops browsers from interpreting files as a different MIME type than declared, preventing certain content injection attacks.
Referrer-Policy
Controls how much referrer information is included with requests. strict-origin-when-cross-origin is the recommended balance between analytics usefulness and privacy.
Permissions-Policy
Restricts which browser features your site can use — camera, microphone, geolocation. Minimize exposed attack surface by explicitly disabling features you don't use.
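The checklist above can be turned into an offline audit. The following is an added example, not code from the original page or from UebGuard: it parses the header block of a captured HTTP response (a constructed sample is embedded, standing in for what curl -sI would print) and reports each of the six headers as OK, MISSING, or WEAK with a reason. The thresholds are this checklist's own recommendations (max-age of one year with includeSubDomains, a default-src fallback with no 'unsafe-inline' for scripts, DENY or SAMEORIGIN, nosniff, a strict Referrer-Policy, and camera, microphone and geolocation named in Permissions-Policy); the "WEAK" judgements for weaker-but-present values are this example's assumptions.

```python
"""Offline checker for the six headers in this checklist (added example)."""
import re
from typing import Callable, Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the max-age the checklist recommends

# Constructed sample response: partly configured, with typical weaknesses.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
"""

Result = Tuple[str, str]  # (status, reason)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return {lowercased name: value} for the header lines of a raw response."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_hsts(value: str) -> Result:
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "WEAK", "no max-age"
    age = int(m.group(1))
    if age < ONE_YEAR:
        return "WEAK", f"max-age {age} is below one year"
    if "includesubdomains" not in value.lower():
        return "WEAK", "missing includeSubDomains"
    return "OK", ""


def check_csp(value: str) -> Result:
    policy = parse_csp(value)
    if "default-src" not in policy:
        return "WEAK", "no default-src fallback"
    # script-src falls back to default-src when absent, as the spec defines.
    scripts = policy.get("script-src", policy["default-src"])
    if "'unsafe-inline'" in scripts or "*" in scripts:
        return "WEAK", "script-src allows 'unsafe-inline' or *"
    return "OK", ""


def check_xfo(value: str) -> Result:
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return "OK", ""
    return "WEAK", f"unexpected value {value!r}"


def check_xcto(value: str) -> Result:
    return ("OK", "") if value.lower() == "nosniff" else ("WEAK", "value is not nosniff")


# Policies that never send the full URL cross-origin (assumption of this example).
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}


def check_referrer(value: str) -> Result:
    if value.lower() in STRICT_REFERRER:
        return "OK", ""
    return "WEAK", f"{value!r} can leak full URLs cross-origin"


def check_permissions(value: str) -> Result:
    # Each directive looks like  feature=(allowlist); collect the feature names.
    named = {d.split("=")[0].strip().lower() for d in value.split(",") if d.strip()}
    missing = sorted({"camera", "microphone", "geolocation"} - named)
    return ("OK", "") if not missing else ("WEAK", f"not restricted: {', '.join(missing)}")


CHECKS: Dict[str, Callable[[str], Result]] = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_xfo,
    "x-content-type-options": check_xcto,
    "referrer-policy": check_referrer,
    "permissions-policy": check_permissions,
}


def audit(raw: str) -> Dict[str, Result]:
    """Run every check against one raw HTTP response."""
    headers = parse_headers(raw)
    return {name: (check(headers[name]) if name in headers else ("MISSING", ""))
            for name, check in CHECKS.items()}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_RESPONSE).items():
        print(f"{status:8} {name} {reason}")
```

Two caveats worth carrying alongside the checks: preload only takes effect after the domain is submitted to the browsers' preload list, and removal from that list is slow, so set it only once every subdomain serves HTTPS; and modern browsers honour the CSP frame-ancestors directive over X-Frame-Options when both are present, so the two should agree.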