Security Headers

TL;DR: Set X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security at minimum. These headers are free, take five minutes to add, and close real attack vectors.

[Diagram: your server sends X-Frame-Options, X-Content-Type-Options and Strict-Transport-Security to the browser, which in turn blocks clickjacking, blocks MIME sniffing and forces HTTPS.]

Security headers are instructions you send to the browser alongside your HTTP responses. They tell the browser how to behave when rendering your pages, and a handful of them shut down whole classes of attack on their own.

X-Content-Type-Options: nosniff stops the browser from guessing the content type of a response and makes it honour the declared Content-Type instead. Without it, a browser might treat a file uploaded as an image as a script if it detects script-like content inside it.

X-Frame-Options: DENY prevents your pages from being embedded inside iframes on other sites. This is what blocks clickjacking, where an attacker overlays an invisible iframe on top of a legitimate button to trick users into clicking something they didn’t intend to.

Strict-Transport-Security tells the browser to only connect to your site over HTTPS, even if someone types http:// in the address bar. This prevents downgrade attacks and protects users on networks where someone might be intercepting unencrypted traffic.

app.use((req, res, next) => {
  // Stop MIME sniffing: the declared Content-Type is authoritative
  res.setHeader('X-Content-Type-Options', 'nosniff');
  // Refuse to be framed by any site (blocks clickjacking)
  res.setHeader('X-Frame-Options', 'DENY');
  // Legacy header for old browsers' XSS filters; modern browsers ignore it
  res.setHeader('X-XSS-Protection', '1; mode=block');
  // Only meaningful over HTTPS; max-age is in seconds (here one year)
  res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  next();
});

If you’re using Express, the helmet package sets all of these and more with a single line. There’s no good reason not to use it.
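Added example, not part of the lesson: an Express-style middleware that sets the three headers described above, alongside an audit function that checks a response's headers the way a header scanner would (presence, allowed values, HSTS max-age, and the legacy X-XSS-Protection header). It has no Express dependency; the request and response objects are constructed stand-ins so it runs with plain Node.

```javascript
// Added example (not from the lesson). The one-year HSTS max-age and the
// fake request/response objects below are assumptions for demonstration.
const ONE_YEAR = 31536000; // seconds; a common Strict-Transport-Security max-age

// Middleware with the same (req, res, next) shape as an Express handler.
function securityHeaders(req, res, next) {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  // includeSubDomains is only safe if every subdomain already serves HTTPS
  res.setHeader('Strict-Transport-Security', `max-age=${ONE_YEAR}; includeSubDomains`);
  next();
}

// Audit a header map (names compared case-insensitively) and return findings.
// An empty list means the three minimum headers are present and sane.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (h['x-content-type-options'] !== 'nosniff') {
    findings.push('X-Content-Type-Options missing or not "nosniff"');
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');
  }
  const hsts = h['strict-transport-security'];
  const m = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!m) {
    findings.push('Strict-Transport-Security missing or has no max-age');
  } else if (Number(m[1]) < ONE_YEAR) {
    findings.push(`HSTS max-age ${m[1]} is shorter than one year`);
  }
  if ('x-xss-protection' in h) {
    findings.push('X-XSS-Protection is legacy; modern browsers ignore it');
  }
  return findings;
}

// Constructed stand-ins so the middleware runs without Express; returns the
// headers it would have set on a real response.
function runMiddleware() {
  const res = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
  securityHeaders({}, res, () => {});
  return res.headers;
}
```

Running auditHeaders against the headers of the snippet above would flag the missing Strict-Transport-Security header and the legacy X-XSS-Protection header.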

Further reading: OWASP Secure Headers Project