Security Headers Minimum Baseline
Start with this minimum set and evolve policy strength as your surface area grows.
1. Send `Strict-Transport-Security` with a long `max-age` (a year or more) once the HTTPS rollout is stable. Start with a short `max-age` while testing, and add `includeSubDomains` only when every subdomain serves HTTPS, because the directive locks them all.
2. Add `Content-Security-Policy` as `Content-Security-Policy-Report-Only` first, review the violation reports, then enforce with a measured rollout.
3. Set `X-Content-Type-Options: nosniff` on all responses, including static assets and API responses.
4. Prevent framing with the CSP `frame-ancestors` directive, keeping `X-Frame-Options: DENY` (or `SAMEORIGIN`) as a fallback for clients that do not honour CSP. Note that `frame-ancestors` in a report-only policy does not block anything.
5. Keep `Referrer-Policy` strict enough for privacy-sensitive routes: `strict-origin-when-cross-origin` (the current browser default) is a reasonable site-wide setting, with `no-referrer` or `same-origin` on auth and account routes where the URL itself is sensitive.
6. Validate headers on root, auth, API, and error pages. Error pages in particular are often rendered by the proxy or by the framework's default handler and silently lose the application's headers.
Implementation notes
Treat the baseline headers as a deployment contract. Run automated header checks after each release against every route class listed in step 6, and diff the observed values against the expected ones to catch accidental proxy- or framework-level overrides (a reverse proxy serving its own error page, or a framework rewriting a header per route).
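The check below is an added example, not code from the original page. It encodes steps 1 to 6 of the baseline as a post-release audit over captured response headers and also flags the legacy `X-XSS-Protection` header discussed in the FAQ. The minimum `max-age`, the sensitive-route prefixes, the `BASELINE` header set and the sample responses are all constructed assumptions for the demonstration; in practice `SAMPLE_RESPONSES` would be replaced by headers captured from the deployed site.

```python
"""Post-release audit of the baseline security headers across key routes.

Added example, not part of the original page. Thresholds, route prefixes
and the captured responses below are constructed for the demonstration.
"""
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed minimum for a stable rollout
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin"}
ACCEPTABLE_REFERRER = STRICT_REFERRER | {"strict-origin-when-cross-origin"}
SENSITIVE_PREFIXES = ("/login", "/auth", "/account")  # assumed privacy-sensitive routes


def check_headers(path, headers):
    """Return a list of findings for one response; an empty list means compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # 1. HSTS present with a long enough max-age
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS missing or malformed")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")

    # 2. CSP enforced, not left in report-only mode
    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP still report-only, not enforced")
        else:
            findings.append("CSP missing")

    # 3. MIME sniffing disabled
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # 4. Framing blocked by an enforced frame-ancestors, or X-Frame-Options as fallback
    if "frame-ancestors" not in (csp or "") and "x-frame-options" not in h:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    # 5. Referrer-Policy strict enough, stricter still on sensitive routes
    rp = h.get("referrer-policy", "").lower()
    required = STRICT_REFERRER if path.startswith(SENSITIVE_PREFIXES) else ACCEPTABLE_REFERRER
    if rp not in required:
        findings.append(f"Referrer-Policy {rp or 'missing'} too weak for {path}")

    # FAQ: X-XSS-Protection is legacy; if present at all it should only be '0'
    xss = h.get("x-xss-protection")
    if xss is not None and not xss.startswith("0"):
        findings.append("legacy X-XSS-Protection enabled; remove it or set it to 0")

    return [f"{path}: {f}" for f in findings]


def audit(responses):
    """Check every captured route; return {path: findings} for routes that drifted."""
    report = {}
    for path, headers in responses.items():
        findings = check_headers(path, headers)
        if findings:
            report[path] = findings
    return report


# Constructed sample: the expected baseline and a capture of the routes from step 6.
BASELINE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
# API route where CSP was only ever rolled out as report-only and a legacy header lingers
API_HEADERS = {k: v for k, v in BASELINE.items() if k != "Content-Security-Policy"}
API_HEADERS["Content-Security-Policy-Report-Only"] = BASELINE["Content-Security-Policy"]
API_HEADERS["X-XSS-Protection"] = "1; mode=block"
SAMPLE_RESPONSES = {
    "/": dict(BASELINE),
    "/login": dict(BASELINE),                      # site default too weak for an auth route
    "/api/v1/users": API_HEADERS,
    "/does-not-exist": {"Content-Type": "text/html"},  # proxy error page lost every header
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RESPONSES).items():
        for finding in findings:
            print(finding)
```

Run it as-is to see the drift on the constructed capture; wire it to a real capture by replacing `SAMPLE_RESPONSES` with the headers returned by each route after deployment and failing the pipeline when `audit()` returns a non-empty report.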
FAQ
Do all pages need the same headers? Core security headers should be consistent across the site; narrow exceptions (for example a page that must be embeddable by a partner) should be documented and scoped to that route rather than relaxed globally.
Is X-XSS-Protection still required? No. It is legacy: the browser XSS auditor it controlled has been removed from Chromium-based browsers, was never implemented in Firefox, and the filter itself was abused for cross-site information leaks. Rely on CSP for XSS mitigation instead. If a legacy client population forces you to keep the header, send `X-XSS-Protection: 0` to disable the filter rather than enabling it.