Skip to main content

Category

Security Headers

HTTP response headers that harden your site against common attacks.

Security Headers

Common Security Header Mistakes (and How to Avoid Them)

Security headers are powerful but easy to misconfigure. A policy that looks present may be doing nothing — or quietly breaking pages. This…

Intermediate 9 minutes
Security Headers

Content Security Policy (CSP): Stop XSS at the Browser

CSP lets you declare trusted sources for each type of content. The browser blocks anything outside that policy, dramatically reducing the i…

Advanced 14 minutes
Security Headers

Cross-Origin-Embedder-Policy (COEP): Controlling What You Embed

COEP ensures a document only loads cross-origin resources that have explicitly allowed themselves to be embedded. Together with COOP it cre…

Advanced 8 minutes
Security Headers

Cross-Origin-Opener-Policy (COOP): Isolating Your Browsing Context

COOP lets a page sever the JavaScript reference between itself and other windows unless they share the same origin. This isolation blocks a…

Advanced 8 minutes
Security Headers

Cross-Origin-Resource-Policy (CORP): Who May Embed Your Resources

CORP is set on individual resources (images, scripts, JSON) to say which origins are allowed to embed them. It reduces resource theft and c…

Intermediate 7 minutes
Security Headers

HSTS: HTTP Strict Transport Security Explained

The Strict-Transport-Security header instructs browsers to remember that your site is HTTPS-only for a set duration. This closes the small…

Intermediate 9 minutes
Security Headers

HTTP Security Headers: The Complete Overview

A small set of response headers — HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-P…

Intermediate 12 minutes
Security Headers

Permissions-Policy: Locking Down Powerful Browser Features

Permissions-Policy declares which powerful browser capabilities your pages — and any iframes they embed — are allowed to use. Turning off u…

Intermediate 7 minutes
Security Headers

Referrer-Policy: Controlling What You Leak in Links

When a visitor navigates from your site to another, the browser can send your page's full URL as the referrer. Referrer-Policy limits this…

Beginner 6 minutes
Security Headers

X-Content-Type-Options: Stopping MIME Sniffing

Without this header, browsers may ignore your declared Content-Type and infer their own — occasionally treating an image or text file as ex…

Beginner 5 minutes
Security Headers

X-Frame-Options: Preventing Clickjacking

Clickjacking loads your real site inside an invisible frame on an attacker's page so users unknowingly click your buttons. X-Frame-Options…

Beginner 6 minutes

Check your website

See how your site performs on these checks with a free scan.

Free website scan