| Header | Severity | Purpose | Recommended value |
|---|---|---|---|
| Content-Security-Policy | critical | Controls which resources the browser may load. Mitigates XSS and data injection attacks. | `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'` |
| Strict-Transport-Security | critical | Forces HTTPS connections. Prevents protocol downgrade attacks and cookie hijacking. | `max-age=63072000; includeSubDomains; preload` |
| X-Content-Type-Options | high | Prevents MIME-type sniffing. Reduces drive-by download attacks. | `nosniff` |
| X-Frame-Options | high | Controls whether the page can be embedded in iframes. Prevents clickjacking. | `DENY` |
| X-XSS-Protection | low | Legacy XSS filter for older browsers. Modern browsers rely on CSP instead, so the recommended value disables the filter. | `0` |
| Referrer-Policy | medium | Controls how much referrer information is shared with other sites. | `strict-origin-when-cross-origin` |
| Permissions-Policy | medium | Controls which browser features (camera, microphone, geolocation) the page and its frames may use. | `camera=(), microphone=(), geolocation=()` |
| Cross-Origin-Opener-Policy | medium | Isolates the page's browsing context group from cross-origin windows. Prevents Spectre-like side-channel attacks. | `same-origin` |
| Cross-Origin-Resource-Policy | medium | Controls which origins can load your resources. | `same-origin` |
| Cross-Origin-Embedder-Policy | low | Controls embedding of cross-origin resources. Required for SharedArrayBuffer. | `require-corp` |
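The following is an added example, not code from the browserutils Security Headers Checker: a small Python audit that compares a response's headers against the recommended values in the table and reports each shortfall with the table's severity. Header names, severities and recommended values are taken from the table; the acceptance rules (any HSTS max-age of at least 63072000 seconds with includeSubDomains, any CSP that sets default-src and a script-src without 'unsafe-inline', exact matches elsewhere) are my own assumptions, and the sample headers are constructed.

```python
def _split(value, sep, kv):
    """Parse 'name<kv>rest<sep>name<kv>rest ...' into {name.lower(): rest}."""
    items = (i.strip().partition(kv) for i in value.split(sep) if i.strip())
    return {n.strip().lower(): r.strip() for n, _, r in items}

def _csp_ok(v):
    d = _split(v, ";", " ")  # CSP: "directive source source; ..."
    return "default-src" in d and "script-src" in d and "'unsafe-inline'" not in d["script-src"]
def _hsts_ok(v):
    d = _split(v, ";", "=")  # HSTS: "max-age=N; includeSubDomains; preload"
    age = d.get("max-age", "")
    return age.isdigit() and int(age) >= 63072000 and "includesubdomains" in d
def _permissions_ok(v):
    d = _split(v, ",", "=")  # Permissions-Policy: "feature=(allowlist), ..."
    return all(d.get(f) == "()" for f in ("camera", "microphone", "geolocation"))
def _equals(expected):
    return lambda v: v.strip().lower() == expected.lower()

# (header, severity from the table, acceptance check for the recommended value)
CHECKS = [
    ("Content-Security-Policy", "critical", _csp_ok),
    ("Strict-Transport-Security", "critical", _hsts_ok),
    ("X-Content-Type-Options", "high", _equals("nosniff")),
    ("X-Frame-Options", "high", _equals("DENY")),
    ("X-XSS-Protection", "low", _equals("0")),
    ("Referrer-Policy", "medium", _equals("strict-origin-when-cross-origin")),
    ("Permissions-Policy", "medium", _permissions_ok),
    ("Cross-Origin-Opener-Policy", "medium", _equals("same-origin")),
    ("Cross-Origin-Resource-Policy", "medium", _equals("same-origin")),
    ("Cross-Origin-Embedder-Policy", "low", _equals("require-corp")),
]

def audit(headers):
    """Return [(header, severity, problem)] for every failed check; names match case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, severity, ok in CHECKS:
        value = lower.get(name.lower())
        if value is None:
            findings.append((name, severity, "missing"))
        elif not ok(value):
            findings.append((name, severity, "weak value: " + value))
    return findings

# Constructed sample response: HSTS max-age too short, legacy XSS filter still enabled.
SAMPLE = {
    "content-security-policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
}
```

Running `audit(SAMPLE)` lists the two weak values plus every recommended header the sample omits, each tagged with its severity.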
browserutils Security Headers Checker