What is Security Headers (HTTP)?
Turkish: Güvenlik Başlıkları
Security headers are HTTP response rules that tell browsers how to load and protect a page, reducing XSS and clickjacking risk.
What are Security Headers?
Security headers are HTTP response headers sent by a web server to the browser. The browser uses them to decide which resources a page may load, whether the page may be embedded inside another site, and whether the site must be accessed only over HTTPS.
They do not fix vulnerable application code by themselves, but they add a browser-enforced defense layer on top of it. Missing or weak headers increase the attack surface on pages with user sessions, payment flows, admin panels, and other sensitive forms.
Common Security Headers
- Content-Security-Policy: Restricts script, style, image, and connection sources.
- Strict-Transport-Security: Forces the browser to use HTTPS for the site.
- X-Frame-Options or frame-ancestors: Limits embedding to reduce clickjacking risk.
- X-Content-Type-Options: Prevents browser MIME sniffing.
- Referrer-Policy: Controls which referrer information is sent to other sites.
- Permissions-Policy: Restricts browser features such as camera, microphone, and location.
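To make the list above concrete, here is an added example (not code from the original page) that audits a response's headers for the six headers listed and flags values a browser would accept but that still leave a gap, such as a CSP that permits inline script or an HSTS policy with a short max-age. The two header sets at the bottom are constructed for the demo; the one-year HSTS threshold is an assumption chosen for illustration.

```python
"""Audit HTTP response headers for the common security headers.

Added example, not part of the original glossary page. The header
values below are constructed for the demo.
"""
from typing import Dict, List

# One year in seconds; assumed minimum for an HSTS policy to be useful.
HSTS_MIN_MAX_AGE = 31536000


def _parse_directives(value: str) -> Dict[str, List[str]]:
    """Split a CSP value like "default-src 'self'; img-src *" into a dict."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    # Header names are case-insensitive, so normalise them once.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = _parse_directives(csp)
        # script-src falls back to default-src when it is not set explicitly.
        script_src = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' for scripts")
        if "*" in script_src:
            findings.append("CSP allows scripts from any origin")
        if "frame-ancestors" not in d and "x-frame-options" not in h:
            findings.append("no framing restriction (frame-ancestors or X-Frame-Options)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = 0
        for token in hsts.split(";"):
            token = token.strip().lower()
            if token.startswith("max-age="):
                try:
                    max_age = int(token.split("=", 1)[1])
                except ValueError:
                    pass  # unparsable value counts as no max-age
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings


# Constructed sample responses: a weak and a hardened configuration.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

Running it reports six findings for the weak set and none for the hardened one. The same function can be pointed at headers captured from a real response, which is the usual way to confirm that a CDN or proxy layer has not silently dropped a header set by the application.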
Business Use
Security headers are usually configured at the CDN, reverse proxy, web server, or application framework level. An e-commerce checkout may need a stricter CSP, while marketing pages often require carefully scoped exceptions for analytics and advertising scripts.
A solid setup is first deployed in report-only mode, monitored for the violations that real users' browsers report back, and then tightened by removing permissions nothing actually needs. The goal is to reduce the impact of attacks such as XSS and make browser security features part of the application design.
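The report-only phase only pays off if someone reads the violation reports, so here is an added example (not from the original page) of the triage step: it parses CSP violation reports in the JSON shape browsers post to a report-uri endpoint (an object under the "csp-report" key) and groups them by directive and blocked source. The sample reports are constructed, and the triage rule is an assumption for the demo: a blocked source that many different pages hit is most likely a legitimate dependency the policy forgot, so it is listed first for review, while a source seen on a single page is the one to look at more carefully before allowing it.

```python
"""Summarise CSP violation reports collected in report-only mode.

Added example, not part of the original page. The report bodies are
constructed in the shape a browser posts to a report-uri endpoint.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample reports as they would arrive at the collection endpoint.
RAW_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src", "blocked-uri": "https://analytics.example/tag.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/product/42", "violated-directive": "script-src", "blocked-uri": "https://analytics.example/tag.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "script-src", "blocked-uri": "https://analytics.example/tag.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "img-src", "blocked-uri": "https://cdn.example/logo.png"}}',
    'not json at all',  # a malformed body, which a collector must tolerate
]


def parse_report(body: str) -> Dict[str, str]:
    """Extract the fields needed for triage from one report body."""
    report = json.loads(body).get("csp-report", {})
    return {
        "document": report.get("document-uri", "?"),
        # Browsers may send effective-directive; fall back to violated-directive.
        "directive": report.get("effective-directive") or report.get("violated-directive", "?"),
        "blocked": report.get("blocked-uri", "?"),
    }


def summarise(bodies: List[str]) -> List[Tuple[str, str, int, int]]:
    """Return rows of (directive, blocked-uri, report count, distinct documents),
    the most widespread violation first."""
    counts: Counter = Counter()
    docs: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for body in bodies:
        try:
            r = parse_report(body)
        except json.JSONDecodeError:
            continue  # skip malformed reports rather than crash the collector
        key = (r["directive"], r["blocked"])
        counts[key] += 1
        docs[key].add(r["document"])
    rows = [(d, b, n, len(docs[(d, b)])) for (d, b), n in counts.items()]
    # Most distinct documents first, then most reports, then a stable name order.
    rows.sort(key=lambda row: (-row[3], -row[2], row[0], row[1]))
    return rows


if __name__ == "__main__":
    for directive, blocked, n, pages in summarise(RAW_REPORTS):
        print(f"{directive:12} {blocked:40} reports={n} pages={pages}")
```

On the sample data the analytics script shows up on three different pages and comes out on top as an allowlist candidate, while the single inline-script hit on the checkout page stays at the bottom: that is the one to trace back to its template before relaxing the policy, since allowing it would reopen exactly the hole CSP is meant to close.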
Related Terms
Clickjacking tricks users into clicking hidden or disguised interface elements, often by framing a trusted page inside another site.
CSP (Content Security Policy): CSP tells the browser which scripts, styles, images, and connections are allowed, limiting the impact of XSS and injection flaws.
XSS (Cross-Site Scripting): XSS occurs when untrusted content runs as script in the browser, risking session theft, forged actions, and data exposure.