// Learn

What are security headers?

Security headers are HTTP response headers that tell browsers how to behave when loading your site, reducing the risk of common attacks.

The short version

When your browser loads a web page, the server sends back the page content plus a set of headers. Most headers are mundane (content type, cache settings), but some are specifically about security. They tell the browser things like: don't load this page inside someone else's iframe, don't try to guess the file type, only connect over HTTPS.

Without these headers, your site is more vulnerable to attacks like clickjacking, MIME sniffing, and man-in-the-middle interception. Adding them is straightforward and costs nothing.

How it works

The main security headers and what they do:

  • X-Frame-Options: prevents your site from being embedded in an iframe on another site. This blocks clickjacking, where an attacker overlays your page with invisible controls. Set to SAMEORIGIN to allow only your own site to frame your pages.

  • X-Content-Type-Options: set to nosniff. Stops browsers from guessing the MIME type of a file. Without this, a browser might treat a text file as executable JavaScript.

  • Strict-Transport-Security (HSTS): tells the browser to only connect over HTTPS, even if someone types http://. Includes a max-age (how long to remember this rule) and optionally includeSubDomains.

  • Referrer-Policy: controls how much URL information is sent when a user clicks a link to another site. strict-origin-when-cross-origin is a good default: sends the origin (your domain) but not the full path.

  • Permissions-Policy: disables browser features your site doesn't use. Camera, microphone, geolocation, interest-cohort tracking. If you're not using them, turn them off explicitly.

In a Next.js app, you configure these in next.config.ts using the headers() function. Other frameworks have their own methods, but the headers themselves are the same everywhere.

Why it matters

Security headers are a quick win. They take minutes to add, cost nothing, and close off entire categories of attack. Most security scanners check for them, and missing headers show up as findings in any audit. If you have a deployed website, adding these should be on your list.

=++==+==++=

//Read more

fundamentalsWhat is an API?APIs let software talk to other software. They're how everything on the internet connects.workflowsWhat is deployment?Deployment is how code on your computer becomes a live website or service that others can use.fundamentalsWhat is DNS?DNS translates domain names into IP addresses. It's how your browser finds websites.fundamentalsWhat is authentication?Authentication is how systems verify you are who you say you are.