Why Security Headers?
HTTP security headers instruct browsers to enable built-in protection mechanisms, defending against XSS, clickjacking, MIME sniffing, and other common attacks.
Essential Headers
Add to your Nginx server block:
# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;
# Prevent MIME type sniffing
add_header X-Content-Type-Options "nosniff" always;
# XSS protection
add_header X-XSS-Protection "1; mode=block" always;
# Referrer policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Permissions policy
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; img-src 'self' data:;" always;HSTS (HTTP Strict Transport Security)
# Only add after confirming HTTPS works correctly
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;Hide Server Version
# In nginx.conf http block
server_tokens off;Testing
curl -I https://example.comCheck your score at securityheaders.com.