Security Headers Every Website Needs in 2026

DevToolKit

A practical guide to the security headers that actually matter.

HSTS (Strict-Transport-Security)

Tells the browser to use HTTPS only, for the stated number of seconds (a year here). Without it, the first plain-HTTP request can be intercepted or downgraded by anyone on the network path.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy

Restricts which origins the browser may load scripts, styles and other resources from. It is the main browser-side mitigation for XSS, because injected inline or third-party script is refused. Keyword sources such as self must be single-quoted; an unquoted self is read as a host literally named "self" and blocks the site's own resources.

Content-Security-Policy: default-src 'self'; script-src 'self'

X-Content-Type-Options

Prevents MIME sniffing. One line, zero config.

X-Content-Type-Options: nosniff

Referrer-Policy

Sends only the origin on cross-origin requests and nothing on an HTTPS-to-HTTP downgrade, so full URLs with paths, query strings or tokens do not leak to third parties.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Turns off browser features the site does not use. The empty allowlist () denies the feature to every origin, including the page itself; allow what you actually need, e.g. geolocation=(self).

Permissions-Policy: camera=(), microphone=(), geolocation=()

Check Your Headers

curl -I https://yoursite.com

# -I sends a HEAD request; if your server answers HEAD differently from GET,
# dump the headers of a real GET instead:
curl -sD - -o /dev/null https://yoursite.com

# Or use a security scanner:
curl http://5.78.129.127/api/headers/inspect?url=https://example.com

→ Full security scan with letter grade
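To check the captured headers against the recommendations above without a third-party scanner, here is an added example (not code from the original page or from DevToolKit). It runs offline on constructed sample responses; feed it the output of the curl commands above in real use.

```python
# Added example, not code from the original page: an offline checker for the
# header set recommended above. GOOD/BAD are constructed samples standing in
# for the output of `curl -I`; header names are matched case-insensitively.
import re
from typing import Dict, List

REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy", "permissions-policy"]
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}

def check_headers(headers: Dict[str, str]) -> List[str]:
    # Returns findings for one response; an empty list means every check passed.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing: {n}" for n in REQUIRED if n not in h]
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    if hsts != [""]:  # header present
        m = re.search(r"max-age=(\d+)", " ".join(hsts))
        if not m or int(m.group(1)) < 31536000:
            findings.append("hsts: max-age below one year")
        if "includesubdomains" not in hsts:
            findings.append("hsts: includeSubDomains not set")
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        for src in sources:
            # Keywords must be single-quoted: a bare `self` is read as a host
            # literally named "self", so the site's own resources get blocked.
            if src.lower() in CSP_KEYWORDS:
                findings.append(f"csp: {name} has unquoted keyword {src}, write '{src}'")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: value is not nosniff")
    rp = h.get("referrer-policy", "").lower().split(",")[-1].strip()  # last = preferred
    if rp and rp not in STRICT_REFERRER:
        findings.append(f"referrer-policy: {rp} may leak full URLs cross-origin")
    return findings

# Constructed samples: the recommended set, and a response with common mistakes.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
BAD = {"Strict-Transport-Security": "max-age=300",
       "Content-Security-Policy": "default-src self; script-src self"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("bad", BAD)):
        print(label, check_headers(hdrs) or ["ok"])
```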
