HTTP security headers, explained
Some security controls cost money, take months, and need specialists. HTTP security headers cost nothing, take minutes, and are added by editing a config file. They are short instructions your server attaches to every response telling the browser how to behave more safely — and their absence is one of the most common findings in any external review, precisely because they are so cheap that nobody prioritizes them.
The headers worth knowing
- Strict-Transport-Security (HSTS). Tells browsers to only ever connect over HTTPS, defeating downgrade attacks. Example: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Content-Security-Policy (CSP). Controls which sources of scripts, styles, and other resources the browser is allowed to load. It is one of the strongest browser-enforced mitigations for the impact of cross-site scripting (XSS) — alongside output encoding, safe templating, input sanitization, and dependency control, not a replacement for them — and, as we will see, it also limits the damage of malicious third-party code.
- X-Content-Type-Options: nosniff. Stops the browser from guessing (and mis-guessing) a response’s content type.
- Referrer-Policy. Limits how much referrer information leaks to other sites; strict-origin-when-cross-origin is a sensible default.
- Permissions-Policy. Switches off browser features you do not use — camera, microphone, geolocation.
- Anti-framing (frame-ancestors in CSP, or the older X-Frame-Options). Stops other sites from framing yours, defeating clickjacking.
How to check what you send
curl -sI https://example.com
The -I flag fetches only the response headers. Read them against the list above.
Online “security header” graders show the same thing with a letter score.
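Reading the curl output by hand works for one site; reading it for many gets tedious. The script below is an added example, not code from this article or from zmam.ai: it parses the raw header block that curl -sI prints and reports which of the headers listed above are missing or weakly set. The sample response is constructed, and the thresholds (a one-year HSTS max-age, no 'unsafe-inline' or wildcard hosts in script-src) are the author's assumptions about what "weak" means.

```python
"""Audit the security headers in a captured HTTP response.

Added example (not part of the original article): parses the header block
printed by `curl -sI` and lists headers that are missing or weakly configured.
The sample response below is constructed, not captured from a real site.
"""
import re

# Constructed sample: a site with a partial header setup.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:
x-frame-options: SAMEORIGIN
"""

ONE_YEAR = 31536000  # seconds; the max-age value most guidance recommends
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src")


def parse_headers(raw):
    """Return {lower-cased header name: value}, skipping the status line."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def csp_directive(csp, name):
    """Return the source list for a CSP directive.

    Fetch directives fall back to default-src when absent; frame-ancestors
    does not, so a missing frame-ancestors returns None.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def audit(raw):
    """Return a list of (header, finding) tuples; an empty list means all checks passed."""
    h = parse_headers(raw)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", f"max-age {age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        scripts = csp_directive(csp, "script-src")
        if scripts is None:
            findings.append(("Content-Security-Policy", "no script-src or default-src"))
        else:
            if "'unsafe-inline'" in scripts:
                findings.append(("Content-Security-Policy", "script-src allows 'unsafe-inline'"))
            if any(s in ("*", "https:", "http:") for s in scripts):
                findings.append(("Content-Security-Policy", "script-src allows any host"))
        if csp_directive(csp, "frame-ancestors") is None and "x-frame-options" not in h:
            findings.append(("Anti-framing", "neither frame-ancestors nor X-Frame-Options set"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing"))
    if "permissions-policy" not in h:
        findings.append(("Permissions-Policy", "missing"))
    return findings


if __name__ == "__main__":
    # Pipe real output in with: curl -sI https://example.com | python3 audit.py
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for header, finding in audit(raw):
        print(f"{header}: {finding}")
```

Run against the constructed sample it reports six findings: a 300-second HSTS lifetime without includeSubDomains, a script-src that permits inline scripts and any https: host, and two headers (Referrer-Policy, Permissions-Policy) that are absent altogether. The anti-framing check passes because X-Frame-Options is present even though frame-ancestors is not.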
The header that guards your supply chain
Here is the part most header guides miss. A strict CSP is not only an
anti-XSS measure — it is your containment wall when third-party code turns hostile.
When the polyfill.io supply-chain attack
weaponized a script that hundreds of thousands of sites had loaded for years, a
CSP with a tight script-src allowlist would have constrained where that script
could send stolen data. Pair CSP with Subresource Integrity — an integrity=
hash on third-party <script> tags — and a tampered file fails safe: the browser
refuses to run it instead of silently executing malware. The code your site loads
from someone else is part of your attack surface, and these two headers are how you
keep a grip on it.
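To make the Subresource Integrity half of that concrete, here is an added example (it is not code from this article, and the script bodies are constructed). It computes the integrity= value you would put on a third-party script tag and then emulates the browser-side check, including the rule that when several hashes are listed the browser only honours the strongest algorithm.

```python
"""Subresource Integrity by hand.

Added example (not from the article): generate the integrity attribute for a
script and emulate the browser check that makes a tampered copy fail safe.
Both script bodies below are constructed.
"""
import base64
import hashlib

# Constructed: the script as it was when the hash was generated...
ORIGINAL_SCRIPT = b"(function(){window.polyfilled=true;})();\n"
# ...and a constructed copy that differs by a single appended line.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// one extra byte is enough to change the digest\n"

# Algorithms browsers accept for SRI, ranked by strength (SRI spec ordering).
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def integrity_value(content, algorithm="sha384"):
    """Return the integrity attribute value: '<alg>-<base64 digest>'."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(content, integrity):
    """Emulate the browser check for a fetched body against an integrity attribute.

    Tokens with unrecognised algorithms are ignored; if none remain the browser
    skips the check. Otherwise only tokens using the strongest listed algorithm
    count, and any one of them matching is enough.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return True  # nothing the browser understands: no check is applied
    strongest = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(
        integrity_value(content, t.partition("-")[0]) == t
        for t in tokens
        if STRENGTH[t.partition("-")[0]] == strongest
    )


def script_tag(src, content):
    """Build the <script> tag for a cross-origin script with SRI enabled."""
    # crossorigin is required for SRI on cross-origin resources.
    return (
        f'<script src="{src}" integrity="{integrity_value(content)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    # Placeholder URL; substitute the real third-party script location.
    print(script_tag("https://cdn.example.invalid/polyfill.js", ORIGINAL_SCRIPT))
    expected = integrity_value(ORIGINAL_SCRIPT)
    print("original loads:", integrity_matches(ORIGINAL_SCRIPT, expected))  # True
    print("tampered loads:", integrity_matches(TAMPERED_SCRIPT, expected))  # False
```

The usual workflow is to run integrity_value over the exact bytes you reviewed, paste the result into the tag, and let the browser refuse anything that no longer matches. The CSP side of the pairing is the script-src allowlist: SRI guarantees the file is the one you vetted, CSP guarantees that even an allowed script cannot reach out to hosts you never listed.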
Getting CSP right
CSP is the most powerful header and the easiest to break your own site with. Deploy
it in report-only mode first (Content-Security-Policy-Report-Only), watch what it
would block, and only enforce once your legitimate resources all pass. A rushed,
overly strict CSP will take down your own pages faster than any attacker.
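Report-only mode is only useful if you actually read what comes back. Browsers send a JSON report to the policy's report-uri endpoint for every resource the policy would have blocked; the added example below (not code from this article) groups those reports by directive and blocked origin and separates the ones you can safely allowlist from the ones that need a look. The reports and the set of vetted origins are constructed.

```python
"""Triage CSP violation reports collected during a report-only rollout.

Added example (not from the article): aggregates the JSON reports a browser
POSTs to a Content-Security-Policy-Report-Only report-uri endpoint, so the
policy can be tightened or extended before it is enforced. All reports and
origins below are constructed.
"""
import json
from collections import Counter
from urllib.parse import urlparse

# Non-URL values the blocked-uri field can carry.
SPECIAL_BLOCKED = {"inline", "eval", "data", "self"}


def _report(directive, blocked):
    """Build one constructed report in the `csp-report` (report-uri) shape."""
    return json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "violated-directive": directive,
        "effective-directive": directive,
        "blocked-uri": blocked,
        "disposition": "report",
    }})


# Constructed sample: two hits on a vetted CDN, one tracker, one inline script.
SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example.net/widget.js"),
    _report("script-src", "https://cdn.example.net/widget.js"),
    _report("img-src", "https://tracker.invalid/pixel.gif"),
    _report("script-src", "inline"),
]


def summarize(raw_reports):
    """Count reports by (directive, blocked-uri)."""
    counts = Counter()
    for raw in raw_reports:
        body = json.loads(raw).get("csp-report", {})
        # Older browsers omit effective-directive and put the full source list
        # in violated-directive, so fall back to its first token.
        directive = body.get("effective-directive") or body.get("violated-directive", "?").split()[0]
        counts[(directive, body.get("blocked-uri", "?"))] += 1
    return counts


def blocked_origin(blocked_uri):
    """Reduce a blocked-uri to the origin you would add to the allowlist."""
    if blocked_uri in SPECIAL_BLOCKED or not blocked_uri:
        return blocked_uri or "?"
    p = urlparse(blocked_uri)
    return f"{p.scheme}://{p.netloc}"


def plan(counts, vetted_origins):
    """Split violations into allowlist additions (vetted origins) and items to review.

    Returns (additions, review): additions is a set of (directive, origin);
    review is a list of (directive, origin, hit count), most frequent first.
    """
    additions, review = set(), []
    for (directive, uri), n in counts.items():
        origin = blocked_origin(uri)
        if origin in vetted_origins:
            additions.add((directive, origin))
        else:
            review.append((directive, origin, n))
    return additions, sorted(review, key=lambda r: -r[2])


if __name__ == "__main__":
    additions, review = plan(summarize(SAMPLE_REPORTS), {"https://cdn.example.net"})
    for directive, origin in sorted(additions):
        print(f"add to {directive}: {origin}")
    for directive, origin, n in review:
        print(f"review {directive}: {origin} ({n} reports)")
```

In the constructed sample the CDN you already vetted goes straight onto script-src, while the tracker and the inline script land in the review pile: the first is a decision about whether that third party belongs on your site at all, the second is usually fixed by moving the script into a file or giving it a nonce rather than by adding 'unsafe-inline'. Only when the review list is empty for a representative period is it time to rename the header from Content-Security-Policy-Report-Only to Content-Security-Policy.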
How zmam.ai helps
zmam.ai checks which security headers your site returns and flags the important ones that are missing or weak. It reads only the headers your server already sends in response to a normal request.
Related
- How to check your SSL/TLS certificate
- How to tell if your website is exposed or compromised
- Field note: The worm that taught the supply chain to replicate itself