Security Headers Reference
Review common website security headers and what they do in a quick browser-based reference built for developers, technical site owners, and security-minded workflows.
Common security headers
| Header | Main purpose |
|---|---|
| Content-Security-Policy | Controls where scripts, styles, images, and other resources can load from. |
| X-Content-Type-Options | Helps stop MIME-type sniffing when set to nosniff. |
| X-Frame-Options | Helps reduce clickjacking by restricting whether the page may be embedded in a frame. |
| Referrer-Policy | Controls how much referrer information browsers send on outbound requests. |
| Permissions-Policy | Restricts browser features such as microphone, camera, or geolocation. |
| Strict-Transport-Security | Tells browsers to use HTTPS only for the site after the first secure visit. |
| Cross-Origin-Resource-Policy | Controls which origins can load certain resources. |
| Cross-Origin-Opener-Policy | Helps isolate browsing contexts for stronger cross-origin protection. |
| Cross-Origin-Embedder-Policy | Requires embedded cross-origin resources to opt in (via CORS or Cross-Origin-Resource-Policy) and, together with Cross-Origin-Opener-Policy, enables cross-origin isolation. |
- understanding the role of common security headers during site hardening
- reviewing header names quickly without digging through external docs
- supporting checklists for website launches, migrations, and technical audits
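As an added example (not part of the original reference), the following Python checker turns the table above into a launch or audit checklist: it takes one response's headers and reports which are missing or carry weak values. The accepted value sets, the one-year HSTS baseline and the sample headers are this example's own assumptions and constructed data.

```python
import re
# Values a hardening checklist should accept for the headers in the table above.
# The accepted sets are this example's assumptions, not values from the page.
EXPECTED = {
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"deny", "sameorigin"},
    "Referrer-Policy": {"no-referrer", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin"},
    "Cross-Origin-Resource-Policy": {"same-origin", "same-site"},
    "Cross-Origin-Opener-Policy": {"same-origin", "same-origin-allow-popups"},
    "Cross-Origin-Embedder-Policy": {"require-corp", "credentialless"},
}
# Policies whose value is site-specific, so only presence is checked here.
PRESENCE_ONLY = ("Content-Security-Policy", "Permissions-Policy")
MIN_HSTS_AGE = 31536000  # one year; a common baseline, chosen as an assumption

def audit_headers(headers):
    # headers: dict of name -> value from one response; names compared case-insensitively
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"{name}: missing")
        elif value.lower() not in allowed:
            findings.append(f"{name}: weak or unrecognised value '{value}'")
    for name in PRESENCE_ONLY:
        if name.lower() not in lower:
            findings.append(f"{name}: missing")
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security: max-age below {MIN_HSTS_AGE}")
    return findings

# Constructed sample response headers for the demonstration (not from a real site).
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
    "Strict-Transport-Security": "max-age=3600",
    "Cross-Origin-Opener-Policy": "same-origin",
}
if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)))
```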