Skip to content
Latchkey

What Is a Security Header? HTTP Headers That Harden a Site

A security header is an HTTP response header that tells the browser to enforce a protection, hardening a site against common web attacks.

Security headers are an easy, high-impact way to make a web app safer. By adding a few HTTP response headers, you instruct the browser to enforce protections like blocking mixed content, framing, or untrusted scripts. They cost almost nothing to add but close off whole classes of attacks, which is why CI checks often verify them.

What security headers do

When the browser receives a response, security headers tell it how to behave: which scripts to trust, whether the page may be framed, and whether to upgrade connections to HTTPS. The browser enforces these rules, so the protection runs on the client.

The key headers

  • Content-Security-Policy: restricts which scripts and resources may load.
  • Strict-Transport-Security: forces HTTPS for future visits.
  • X-Content-Type-Options and X-Frame-Options: block MIME sniffing and clickjacking.

Content Security Policy

CSP is the most powerful security header. By declaring exactly which sources of scripts, styles, and other resources are allowed, it sharply limits the impact of cross-site scripting, since injected scripts from unapproved sources simply do not run.

HSTS and transport

Strict-Transport-Security tells the browser to always use HTTPS for the site, preventing downgrade attacks and accidental plaintext connections. Once set, the browser refuses to talk to the site over plain HTTP.

Security headers in CI/CD

Because headers are simple to verify, a CI step can assert they are present and correct on every deploy. Automated checks catch a regression, like a dropped CSP, before it reaches users, turning a one-time setup into an ongoing guarantee.

Low effort, high value

Few defenses offer as much protection per line of config as security headers. Setting them correctly and verifying them in the pipeline is a fast win that hardens every page a deploy ships.

Key takeaways

  • Security headers instruct the browser to enforce protections against web attacks.
  • Key ones include CSP, Strict-Transport-Security, and anti-framing headers.
  • They are cheap to add and easy to verify in CI on every deploy.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →