Utilumo
LightDarkSystem

Updated June 29, 2026

HTTP security headers reference

These response headers tell the browser to enforce extra safety rules. The values below are sensible, broadly safe defaults; review them against your site, especially the Content-Security-Policy, before enforcing.

Recommended headers

A starting set with safe default values.

HeaderExample valueProtects against
Strict-Transport-Securitymax-age=31536000; includeSubDomainsDowngrade to HTTP and cookie hijacking on insecure connections.
Content-Security-Policydefault-src 'self'; object-src 'none'; frame-ancestors 'none'Cross-site scripting and unwanted resource loading.
X-Content-Type-OptionsnosniffMIME-type sniffing that can run files as scripts.
X-Frame-OptionsDENYClickjacking via framing (older mechanism).
Referrer-Policystrict-origin-when-cross-originLeaking full URLs to other sites.
Permissions-Policycamera=(), microphone=(), geolocation=()Unwanted access to sensitive browser features.
Cross-Origin-Opener-Policysame-originCross-origin attacks that rely on sharing a browsing context.

Snippet: a Cloudflare Pages _headers file

Apply the headers to every route. Adjust the CSP for your assets.

/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
Test CSP before enforcingA strict Content-Security-Policy can break scripts, styles, or embeds. Roll it out with Content-Security-Policy-Report-Only first, then enforce.

References

Questions

Do I need both X-Frame-Options and CSP frame-ancestors?

frame-ancestors in CSP is the modern, more flexible control. X-Frame-Options is kept for older clients, so setting both is reasonable during a transition.

Is enabling HSTS risky?

HSTS is safe for sites fully served over HTTPS. Be cautious with includeSubDomains and the preload option, since they are hard to reverse quickly if a subdomain still needs HTTP.