HTTP Headers Inspection: What Every Response Header Means
Security Headers You Should Have
Content-Security-Policy (CSP): restricts which resources can load. Strict-Transport-Security (HSTS): forces HTTPS. X-Content-Type-Options: nosniff prevents MIME sniffing. X-Frame-Options: DENY prevents clickjacking. Referrer-Policy: controls referrer information sent with requests. Permissions-Policy: restricts browser features (camera, mic, geolocation).
Caching Headers
Cache-Control: max-age, no-cache, no-store, public, private. ETag: unique identifier for a specific version of a resource. Last-Modified: timestamp of last modification. Proper caching headers are critical for performance — images and static assets should cache for long periods; HTML should use shorter or no cache.
Debugging with Headers
Status codes tell you what happened (200 OK, 301 redirect, 404 not found, 500 server error). Location header shows the redirect destination. Content-Type shows the MIME type being served. Server header reveals the web server or edge proxy in front of it (Nginx, Apache, Cloudflare). X-Cache: HIT/MISS tells you whether the CDN served the request from its cache or fetched it from the origin.
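The three sections above describe what an inspector does with a response: parse the header block, check the security headers, read the caching policy and pull out the debugging fields. Below is an added example of that pipeline in Python; it is not the page's inspector tool. The raw response it works on is constructed inline, and the one-year HSTS `max-age` threshold and the pass/fail rules for each header are this example's assumptions, not values stated on the page.

```python
"""Parse a raw HTTP response and audit its headers.

Added example, not the page's inspector. SAMPLE_RESPONSE is a constructed
response; the thresholds in the checks are assumptions of this example.
"""

# Constructed sample: what an inspector sees on the wire for a redirecting page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://example.com/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=600\r\n"
    'ETag: "abc123"\r\n'
    "X-Cache: HIT\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: NOSNIFF\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000  # assumed minimum HSTS max-age for this example


# Each check returns None when the value is acceptable, otherwise a finding.
def _present(_value):
    return None


def _nosniff(value):
    return None if value.strip().lower() == "nosniff" else "value must be 'nosniff'"


def _frame(value):
    ok = value.strip().upper() in ("DENY", "SAMEORIGIN")
    return None if ok else "use DENY or SAMEORIGIN"


def _hsts(value):
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age":
            long_enough = num.isdigit() and int(num) >= ONE_YEAR
            return None if long_enough else "max-age shorter than one year"
    return "missing max-age directive"


# The security headers the page lists, keyed by lowercase name.
SECURITY_CHECKS = {
    "content-security-policy": _present,
    "strict-transport-security": _hsts,
    "x-content-type-options": _nosniff,
    "x-frame-options": _frame,
    "referrer-policy": _present,
    "permissions-policy": _present,
}


def parse_response(raw):
    """Return (status_code, headers). Header names are case-insensitive, so
    they are lowercased; the body after the blank line is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_security(headers):
    """Map each weak or missing security header to a short finding."""
    findings = {}
    for name, check in SECURITY_CHECKS.items():
        if name not in headers:
            findings[name] = "missing"
        else:
            finding = check(headers[name])
            if finding:
                findings[name] = finding
    return findings


def cache_policy(headers):
    """Summarize Cache-Control: no-store wins, then no-cache, then max-age."""
    directives = {}
    for directive in headers.get("cache-control", "").split(","):
        key, _, value = directive.strip().partition("=")
        if key:
            directives[key.lower()] = value
    if "no-store" in directives:
        return {"cacheable": False, "max_age": 0}
    max_age = int(directives["max-age"]) if directives.get("max-age", "").isdigit() else 0
    return {
        "cacheable": "no-cache" not in directives and max_age > 0,
        "max_age": max_age,
        "scope": "private" if "private" in directives else "public",
    }


def debug_summary(status, headers):
    """The fields the Debugging section reads first."""
    return {
        "status": status,
        "redirect_to": headers.get("location") if 300 <= status < 400 else None,
        "content_type": headers.get("content-type"),
        "server": headers.get("server"),
        "cdn": headers.get("x-cache"),
    }


if __name__ == "__main__":
    code, hdrs = parse_response(SAMPLE_RESPONSE)
    print(debug_summary(code, hdrs))
    print("security findings:", audit_security(hdrs))
    print("cache policy:", cache_policy(hdrs))
```

Run it against the constructed response and the audit reports CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy as missing while accepting the uppercase `NOSNIFF` value, which is why the parser lowercases names but only the individual checks normalize values.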
Inspect HTTP headers
Check any URL's response headers with the free HTTP Headers Inspector.