How do I debug CSP violations?

Use Content-Security-Policy-Report-Only header to log violations without blocking. Check the browser console for violation details and adjust the policy.

What is the difference between X-Frame-Options and CSP frame-ancestors?

CSP frame-ancestors is the modern replacement. It supports multiple origins and wildcards. X-Frame-Options only supports DENY and SAMEORIGIN. Use both for backward compatibility.

HTTP Security Headers — HSTS, CSP, X-Frame-Options Complete Guide

Warning4xx client error

Overview

Complete reference for HTTP security headers including Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, and their error implications.

Key Details

Strict-Transport-Security (HSTS) forces HTTPS connections and prevents SSL stripping attacks
Content-Security-Policy (CSP) controls which resources can load, preventing XSS attacks
X-Frame-Options (DENY/SAMEORIGIN) prevents clickjacking by blocking iframe embedding
X-Content-Type-Options: nosniff prevents MIME type sniffing attacks
Referrer-Policy controls how much referrer information is sent with requests

Common Causes

Missing security headers leaving the site vulnerable to common web attacks
Overly restrictive CSP blocking legitimate resources (scripts, styles, images)
HSTS preload preventing HTTP access even when needed for testing
X-Frame-Options blocking legitimate iframe embedding (third-party widgets)

Steps

1Add HSTS header: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
2Start with CSP in report-only mode: Content-Security-Policy-Report-Only to identify violations
3Set X-Frame-Options: SAMEORIGIN to allow same-origin framing but block third-party
4Add X-Content-Type-Options: nosniff to all responses
5Use securityheaders.com to scan your site and identify missing headers
6Configure headers in your web server, CDN, or application framework globally

More in 4xx Client Error

http-400-bad-requestHTTP 400 Bad Request — What It Means & How to Fix It

Error

http-401-unauthorizedHTTP 401 Unauthorized — What It Means & How to Fix It

Error

http-402-payment-requiredHTTP 402 Payment Required — What It Means & How to Fix It

Error

http-403-forbiddenHTTP 403 Forbidden — What It Means & How to Fix It

Error

http-404-not-foundHTTP 404 Not Found — What It Means & How to Fix It

Error

http-405-method-not-allowedHTTP 405 Method Not Allowed — What It Means & How to Fix It

Error

Frequently Asked Questions

Yes, if you enable HSTS preloading with a long max-age before your HTTPS is fully working. Start with a short max-age (300 seconds) and increase after confirming HTTPS works everywhere.

HTTP Security Headers — HSTS, CSP, X-Frame-Options Complete Guide

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in 4xx Client Error

Frequently Asked Questions