Security Headers Blog
Clear guides to understanding, implementing and fixing HTTP security headers.
Cache-Control: Protecting Sensitive Data
Proper caching is great for performance, but dangerous for security. Learn how to stop browsers and proxies from storing sensitive pages.
Content-Type: More Than Just Meta Data
Setting the Content-Type correctly is vital. If an image is processed as HTML, it can lead directly to XSS vulnerabilities.
COOP, COEP, and CORP: Modern Cross-Origin Isolation
Learn how the holy trinity of cross-origin headers protects your application against advanced CPU side-channel attacks like Spectre.
Expect-CT: Why It's Time to Remove It
The Expect-CT header was useful for enforcing Certificate Transparency, but modern browsers now mandate it by default. Here's why you should delete it.
Opting Out of FLoC (Federated Learning of Cohorts)
Protect your users' privacy by explicitly opting your site out of Google's controversial FLoC tracking system.
Public-Key-Pins (HPKP): A Cautionary Tale
HTTP Public Key Pinning (HPKP) was a powerful security header that backfired spectacularly. Learn why it was deprecated and what replaced it.
Secure File Download Headers
When serving user-uploaded files, you must ensure they don't accidentally execute malicious code in the browser. Here are the headers you need.
Set-Cookie: Hardening Session Management
While not strictly a security header, the security flags attached to your cookies are the only thing preventing catastrophic session hijacking.
Server Fingerprinting: Server, X-Powered-By, and X-AspNet
Exposing your tech stack makes it incredibly easy for attackers to find vulnerabilities. Learn how to remove informative headers.
X-Content-Type-Options: Stopping MIME Sniffing
Browsers love to guess what type of file they are downloading. Learn how the nosniff directive prevents MIME confusion attacks.
X-DNS-Prefetch-Control: Stopping Data Leaks
Browsers proactively resolve domain names to speed up page loads. Here's why you might want to turn that off.
X-Robots-Tag: Controlling Crawlers Securely
Ensure sensitive documents like PDFs or internal datasets stay out of Google Search by mastering the X-Robots-Tag HTTP header.
X-XSS-Protection: Why You Should Turn It Off
The X-XSS-Protection header used to be a best practice, but modern browsers have removed it. Learn why setting it to 0 is now the standard.
Referrer-Policy: Choosing the Right Value
Referrer-Policy controls how much of your URL gets shared when users navigate away from your site. Here's what each value means and which one to use.
Why Your Site is Stuck at Grade B (Most Common Misses)
Getting an A on a security header scan isn't hard - but several specific issues commonly cap sites at B or C. Here's what to check.
Security Headers Checklist for WordPress
How to add all six essential HTTP security headers to a WordPress site - using a plugin, your theme's functions.php, or your web server config (Nginx/Apache).
Best Security Header Scanners Compared (2026)
A fair comparison of the top free HTTP security header scanners: SecHead, Mozilla Observatory, securityheaders.com, and others. What each one checks and where each shines.
Security Headers Checklist for Next.js and Vercel
How to set all security headers in a Next.js application deployed on Vercel - using next.config.js, middleware, or vercel.json.
Permissions-Policy: What to Disable and Why
Permissions-Policy controls which browser APIs your page and embedded iframes can use. Here's what each feature does, which to block by default, and how to write the header.
X-Frame-Options vs frame-ancestors: What's the Difference?
Both X-Frame-Options and the CSP frame-ancestors directive protect against clickjacking. Learn which one to use, how they differ, and when to use both.
Do Security Headers Affect SEO Rankings?
Security headers don't directly improve your search rankings - but they affect Core Web Vitals, user trust signals, and crawl behavior in ways that do. Here's the real connection.
How to Fix 'unsafe-inline' in Your CSP
unsafe-inline in script-src disables most of CSP's XSS protection. This step-by-step guide shows you how to remove it using nonces or hashes without breaking your site.
Content-Security-Policy Explained for Beginners
CSP is the most powerful security header - and the most misunderstood. This guide explains what it does, how to write a policy, and the most common mistakes.
What is HSTS and Why Every Site Needs It
HSTS (HTTP Strict Transport Security) forces browsers to always use HTTPS. Here's what it does, why it matters, and the exact header value to use.
The Complete Security Headers Checklist (2026)
Every HTTP security header your site should have, what each one does, and the exact values to use. The definitive reference for developers and sysadmins.