Security HTTP headers: prevent attacks and protect browsers
Configure Content-Security-Policy, X-Frame-Options, HSTS, X-Content-Type-Options, and other security headers.
Security HTTP headers are response headers that tell browsers how to treat your site: refuse to be framed by other sites (clickjacking), stop guessing content types (MIME sniffing), insist on HTTPS, and limit how much of the current URL leaks to other sites in the Referer header. Users never see them, but the browser enforces them on every page load.
Essential security headers
Strict-Transport-Security (HSTS)
Tell the browser to use HTTPS for every future visit for one year (max-age is in seconds; 31536000 is 365 days). Send it only from the HTTPS virtual host, since browsers ignore HSTS received over plain HTTP, and make sure every subdomain already works over HTTPS before adding includeSubDomains, because the browser will refuse plain-HTTP connections to all of them:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy (CSP)
Block inline scripts and only allow scripts loaded from your own origin. Note that default-src 'self' also restricts stylesheets, images, fonts, frames and XHR/fetch calls, so anything served from a CDN or third-party host will be blocked until you add its origin to the relevant directive:
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Frame-Options
Prevent clickjacking. SAMEORIGIN lets only pages from your own origin embed the site in a frame; DENY blocks framing entirely. The CSP frame-ancestors directive does the same job with finer control and takes precedence when both are present, so keep X-Frame-Options for older browsers and set frame-ancestors in your CSP as well:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options
Stop the browser from "sniffing" a response and treating it as a type other than the declared Content-Type, which is how an uploaded text or image file can end up executed as script or stylesheet:
X-Content-Type-Options: nosniff
Referrer-Policy
Control how much of the current URL goes out in the Referer header. strict-origin-when-cross-origin sends the full URL for same-origin requests, only the origin (scheme and host) to other HTTPS sites, and nothing at all when the request drops from HTTPS to HTTP:
Referrer-Policy: strict-origin-when-cross-origin
Add headers to your site
Via .htaccess (Apache)
<IfModule mod_headers.c>
    # "always" applies the headers to error responses (4xx/5xx) too; without it
    # mod_headers only adds them to successful responses, leaving error pages unprotected.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "default-src 'self'"
</IfModule>
Via Nginx
# add_header directives are NOT inherited by a location {} block that contains
# its own add_header lines: repeat the full set there, or keep them in a file
# that every location includes. "always" (nginx 1.7.5+) also sends the headers
# on 4xx/5xx responses.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
Test your headers
Check which headers your site actually sends (curl -I issues a HEAD request; also request an error page such as a non-existent URL, since headers that are only set on successful responses are a common gap):
curl -I https://yourdomain.com
Or use an online scanner such as securityheaders.com.
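Reading raw curl output by eye does not scale across many sites, and a header that is present can still be weak (a short HSTS max-age, a CSP that allows 'unsafe-inline'). The following audit script, added to this article as an example and not an UnderHost tool, parses the header block that curl -I prints and checks each of the five headers above against the recommended values. The six-month HSTS threshold, the "acceptable" set of Referrer-Policy values and the two sample responses are assumptions constructed for the example.

```python
"""Audit the security headers in a raw HTTP response, e.g. the text printed by
`curl -sI https://yourdomain.com`. Example code added to this article."""
import re

# Six months in seconds. Assumed threshold: long enough that a missed renewal
# does not silently drop visitors out of HSTS protection.
MIN_HSTS_AGE = 15552000

# Referrer-Policy values that never send the full URL to another origin
# (assumed "acceptable" set for this audit).
STRICT_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                            "strict-origin-when-cross-origin"}

# Constructed sample: a site that set some headers, but weakly.
WEAK_RESPONSE = """HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=2592000
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-frame-options: ALLOW-FROM https://partner.example
referrer-policy: no-referrer-when-downgrade
"""

# Constructed sample: the same site after applying the headers from this article.
HARDENED_RESPONSE = """HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
"""


def parse_headers(raw):
    """Map lowercase header name -> value. Repeated headers are joined with
    ', ', the way RFC 9110 lets a recipient combine them."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line, blank line or trailing junk
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers


def parse_csp(policy):
    """Split "default-src 'self'; script-src ..." into {directive: [sources]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(match.group(1)) if match else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age={age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    frame_ancestors = None
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = parse_csp(csp)
        frame_ancestors = directives.get("frame-ancestors")
        # script-src falls back to default-src when it is absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows 'unsafe-inline'")
        if "*" in script_src or not script_src:
            findings.append("CSP does not restrict script sources")

    # frame-ancestors supersedes X-Frame-Options, so only complain when neither protects
    xfo = headers.get("x-frame-options", "").upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and ignored by current browsers, so it counts as unset
        findings.append(f"X-Frame-Options is {xfo or 'missing'}; use DENY or SAMEORIGIN")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    referrer = headers.get("referrer-policy", "").lower()
    if referrer not in STRICT_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy is {referrer or 'missing'}; full URL can leak cross-origin")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for finding in audit_headers(parse_headers(raw)) or ["no findings"]:
            print("  -", finding)
```

To audit a live site, pipe real output in: curl -sI https://yourdomain.com | python3 audit.py with a small wrapper that reads sys.stdin. The weak sample produces six findings; the hardened sample produces none.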
Roll out CSP with the Content-Security-Policy-Report-Only header first: the browser logs every violation to its console instead of blocking the resource, and if the policy includes a report-uri or report-to directive it also POSTs a JSON report to that endpoint. Switch to the enforcing Content-Security-Policy header once the reports no longer show resources your site legitimately needs.
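The hard part of Report-Only mode is turning a pile of violation reports into the policy to enforce. The script below, added to this article as an example and not an UnderHost tool, aggregates the JSON bodies a report-uri endpoint receives and proposes an updated policy: external origins seen often enough are added to the directive that blocked them, while inline and eval hits are listed separately, because the right fix for those is a nonce, a hash or moving the code to a file, not a weaker policy. The base policy, the sample reports and the min_hits noise threshold are constructed assumptions.

```python
"""Turn Content-Security-Policy-Report-Only violation reports into a proposed
enforced policy. Example code added to this article; the report shape is the
JSON that browsers POST to a report-uri endpoint."""
import json
from collections import Counter
from urllib.parse import urlsplit

# The policy currently being tested in Report-Only mode (assumed).
BASE_POLICY = "default-src 'self'; script-src 'self'"

# Constructed report bodies: (effective-directive, blocked-uri) pairs that a
# report-uri endpoint would have logged over a day of Report-Only traffic.
_SEEN = [
    ("script-src", "https://cdn.example/lib.js"),
    ("script-src", "inline"),
    ("script-src", "https://cdn.example/analytics.js"),
    ("style-src", "https://fonts.example/css?family=Inter"),
    ("img-src", "https://tracker.example/pixel.gif"),
    ("script-src", "inline"),
    ("script-src", "https://cdn.example/lib.js"),
    ("style-src", "https://fonts.example/css?family=Roboto"),
]
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/cart",
                               "effective-directive": directive,
                               "blocked-uri": blocked,
                               "original-policy": BASE_POLICY}})
    for directive, blocked in _SEEN
]

# blocked-uri values that name a kind of content rather than a host. Allowing a
# host will not fix these, so they are reported separately.
NON_HOST_SOURCES = {"inline", "eval", "data", "blob", "self", ""}


def blocked_origin(blocked_uri):
    """Reduce a blocked URL to its origin, or pass a non-host keyword through."""
    if blocked_uri in NON_HOST_SOURCES:
        return blocked_uri
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked_uri


def summarize_reports(bodies):
    """Count reports by (directive, origin)."""
    counts = Counter()
    for body in bodies:
        report = json.loads(body)["csp-report"]
        # Older browsers send only violated-directive, e.g. "script-src 'self'"
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        counts[(directive, blocked_origin(report.get("blocked-uri", "")))] += 1
    return counts


def propose_policy(base_policy, counts, min_hits=2):
    """Return (policy, unfixable): the base policy with every external origin seen
    at least min_hits times added to the directive that blocked it, plus the
    inline/eval hits that need a nonce, hash or code change. min_hits filters
    one-off noise from browser extensions and scanners (assumed threshold)."""
    directives, order = {}, []
    for chunk in base_policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0]] = parts[1:]
            order.append(parts[0])
    unfixable = []
    for (directive, origin), hits in counts.items():
        if origin in NON_HOST_SOURCES:
            unfixable.append((directive, origin, hits))
        elif hits >= min_hits:
            if directive not in directives:
                # A new directive starts from default-src, which it would otherwise inherit
                directives[directive] = list(directives.get("default-src", []))
                order.append(directive)
            if origin not in directives[directive]:
                directives[directive].append(origin)
    policy = "; ".join(" ".join([name] + directives[name]) for name in order)
    return policy, unfixable


if __name__ == "__main__":
    counts = summarize_reports(SAMPLE_REPORTS)
    policy, unfixable = propose_policy(BASE_POLICY, counts)
    print("Content-Security-Policy:", policy)
    for directive, origin, hits in unfixable:
        print(f"{hits} x {directive} blocked {origin}: add a nonce/hash or move the code to a file")
```

Review the proposed policy before enforcing it: the script adds whatever was blocked often, and a frequently blocked origin may be a tracker you want to stay blocked (the single tracker.example hit in the sample is dropped only because it fell below min_hits).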
Related: SSL errors | TLS versions
Need security-focused hosting?
UnderHost services include DDoS-aware infrastructure, SSL support, account isolation, backups, and security guidance.