Updated June 29, 2026
HTTP security headers reference
These response headers tell the browser to enforce extra safety rules. The values below are sensible, broadly safe defaults; review them against your site, especially the Content-Security-Policy, before enforcing.
Recommended headers
A starting set with safe default values.
| Header | Example value | Protects against |
|---|---|---|
Strict-Transport-Security | max-age=31536000; includeSubDomains | Downgrade to HTTP and cookie hijacking on insecure connections. |
Content-Security-Policy | default-src 'self'; object-src 'none'; frame-ancestors 'none' | Cross-site scripting and unwanted resource loading. |
X-Content-Type-Options | nosniff | MIME-type sniffing that can run files as scripts. |
X-Frame-Options | DENY | Clickjacking via framing (older mechanism). |
Referrer-Policy | strict-origin-when-cross-origin | Leaking full URLs to other sites. |
Permissions-Policy | camera=(), microphone=(), geolocation=() | Unwanted access to sensitive browser features. |
Cross-Origin-Opener-Policy | same-origin | Cross-origin attacks that rely on sharing a browsing context. |
Snippet: a Cloudflare Pages _headers file
Apply the headers to every route. Adjust the CSP for your assets.
/*
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'Test CSP before enforcingA strict Content-Security-Policy can break scripts, styles, or embeds. Roll it out with
Content-Security-Policy-Report-Only first, then enforce.References
Questions
Do I need both X-Frame-Options and CSP frame-ancestors?
frame-ancestors in CSP is the modern, more flexible control. X-Frame-Options is kept for older clients, so setting both is reasonable during a transition.
Is enabling HSTS risky?
HSTS is safe for sites fully served over HTTPS. Be cautious with includeSubDomains and the preload option, since they are hard to reverse quickly if a subdomain still needs HTTP.