HTTP Security Headers — HSTS, CSP, X-Frame-Options Complete Guide
About HTTP Security Headers
Reference for the HTTP security headers Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options and Referrer-Policy: what each one protects against, what breaks when it is missing or misconfigured, and how to roll the headers out without locking users out or blocking legitimate resources.
Quick Answer
Can HSTS lock me out of my site?
Yes. A browser that has seen a Strict-Transport-Security header for your host refuses plain HTTP to it until max-age expires, so a long max-age sent before every host (and, with includeSubDomains, every subdomain) serves valid HTTPS locks those visitors out for the whole period. Preloading is harder to undo: submission to the browser preload lists requires max-age of at least one year plus includeSubDomains and preload, and removal takes months to reach users through browser releases, so treat it as effectively permanent. Start with a short max-age (300 seconds) and no includeSubDomains, confirm that every host and subdomain works over HTTPS, then raise max-age and add includeSubDomains, and add preload only when you intend to submit the domain.
Key Details
- Strict-Transport-Security (HSTS) tells browsers to use HTTPS only for the host for max-age seconds, which defeats SSL stripping on every visit after the first; the browser preload lists close the first-visit gap. Browsers ignore the header on plain-HTTP responses, so it must be sent over HTTPS
- Content-Security-Policy (CSP) restricts where scripts, styles, images, frames and other resources may load from, which limits what injected markup can do and so mitigates XSS (it does not replace fixing the injection); its frame-ancestors directive also controls who may frame the page
- X-Frame-Options (DENY or SAMEORIGIN) blocks embedding of the page in an iframe, which prevents clickjacking; ALLOW-FROM is no longer supported by browsers, so anything finer-grained needs CSP frame-ancestors
- X-Content-Type-Options: nosniff stops browsers from guessing a content type from the body, so an uploaded file or JSON response cannot be sniffed into HTML or script; it also makes browsers reject scripts and stylesheets served with the wrong Content-Type
- Referrer-Policy controls how much of the page URL goes into the Referer header of outgoing requests; strict-origin-when-cross-origin (the current browser default) sends only the origin to other sites and nothing on an HTTPS-to-HTTP downgrade
Common Causes
- Missing security headers leaving the site exposed to SSL stripping, clickjacking, MIME confusion and unrestricted injected script
- Overly restrictive CSP blocking legitimate scripts, styles or images, typically an inline script with no nonce or hash, or a third-party host missing from the relevant directive (or from default-src, which the directive falls back to)
- HSTS, whether cached from an earlier response or preloaded, making browsers refuse plain HTTP to the host, which also blocks HTTP-only test setups on the same domain
- X-Frame-Options blocking legitimate iframe embedding (third-party widgets, partner portals) because it cannot allow-list specific origins
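The "CSP blocks a legitimate resource" cause above comes down to how a browser evaluates the policy's source lists. The following is an added example, not code from the original page or from any browser: a small evaluator that models the source-matching rules behind those failures (fallback to default-src, 'none', 'self', '*', host sources with a leading wildcard, nonces, and the rule that a nonce or hash in a directive disables 'unsafe-inline'). It does not model hashes of inline content, 'strict-dynamic', scheme-only sources, ports or paths. Every policy and URL in it is a constructed input.

```python
"""Evaluate a Content-Security-Policy source list for one resource load.

Added example (not code from the original page or from any browser). It
models the CSP rules that produce "blocked legitimate resource" failures so
you can see why a given script, style or image is refused. Not modelled:
hashes of inline content, 'strict-dynamic', scheme-only sources, ports, paths.
"""
from urllib.parse import urlsplit

# Directives that do NOT inherit from default-src when absent. Everything
# else is treated as falling back to default-src (frame-src and worker-src
# actually consult child-src first; that step is not modelled here).
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}


def parse_csp(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_matches(pattern, host):
    """Host-source matching: exact host, or '*.example.com' for any subdomain
    (the wildcard never matches the bare 'example.com')."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def allows(header, directive, page_url, resource_url=None, nonce=None):
    """Return (allowed, reason) for loading resource_url under `directive` on a
    page at page_url. resource_url=None means an inline <script>/<style>, which
    needs a matching nonce or 'unsafe-inline'."""
    policy = parse_csp(header)
    effective = directive
    if directive not in policy and directive not in NO_FALLBACK:
        effective = "default-src"
    sources = policy.get(effective)
    if sources is None:
        return True, "no %s or default-src directive: unrestricted" % directive
    lowered = [s.lower() for s in sources]
    if "'none'" in lowered:
        return False, "%s is 'none'" % effective

    if resource_url is None:
        if nonce and ("'nonce-%s'" % nonce) in sources:   # nonces are case-sensitive
            return True, "nonce matches %s" % effective
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            return True, "%s allows 'unsafe-inline'" % effective
        if "'unsafe-inline'" in lowered:
            return False, "'unsafe-inline' is ignored because %s also carries a nonce or hash" % effective
        return False, "inline blocked by %s: needs a nonce, a hash or 'unsafe-inline'" % effective

    page, res = urlsplit(page_url), urlsplit(resource_url)
    host = (res.hostname or "").lower()
    if "*" in lowered:
        return True, "%s contains *" % effective
    if "'self'" in lowered and (res.scheme, host) == (page.scheme, (page.hostname or "").lower()):
        return True, "same origin as the page ('self')"
    for src in sources:
        if src.startswith("'"):
            continue  # keyword, nonce or hash, not a host source
        scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
        if scheme and scheme.lower() != res.scheme:
            continue
        if _host_matches(rest.split("/")[0], host):
            return True, "matched host source %s in %s" % (src, effective)
    return False, "%s does not list %s" % (effective, host)


if __name__ == "__main__":
    # Constructed policy: nonce-gated scripts, one CDN, wildcard image host.
    policy = ("default-src 'self'; "
              "script-src 'self' https://cdn.example.com 'nonce-abc123'; "
              "img-src 'self' *.images.example")
    page = "https://app.example.com/account"
    for args in [("script-src", page, "https://cdn.example.com/lib.js"),
                 ("script-src", page, None),                            # inline script, no nonce
                 ("style-src", page, "https://fonts.example/x.css"),     # falls back to default-src
                 ("img-src", page, "https://images.example/logo.png")]:  # wildcard excludes bare host
        print(args[0], args[2], "->", allows(policy, *args))
```

The two cases practitioners trip over most are the last two in the demo: style-src is absent, so the font host is judged against default-src 'self', and *.images.example deliberately does not cover images.example itself. Adding the missing host to the specific directive, not to default-src, is the fix in both cases.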
Steps
1. Add HSTS over HTTPS only, ramping up: begin with Strict-Transport-Security: max-age=300, verify HTTPS on every host, then move to max-age=63072000; includeSubDomains, and append preload only when you are ready to submit the domain at hstspreload.org
2. Deploy CSP in report-only mode first: Content-Security-Policy-Report-Only with a report-uri or report-to endpoint, fix the reported violations (add nonces, hashes or hosts to the right directive), then switch the same policy to Content-Security-Policy
3. Set X-Frame-Options: SAMEORIGIN (or DENY if the page is never framed) together with the equivalent Content-Security-Policy: frame-ancestors 'self'; browsers that support frame-ancestors apply it and ignore X-Frame-Options
4. Add X-Content-Type-Options: nosniff to all responses, and make sure every response carries an accurate Content-Type, since nosniff makes browsers reject scripts and styles with the wrong one
5. Verify with curl -I or a scanner such as securityheaders.com, checking the bare domain and every subdomain that includeSubDomains will cover
6. Configure the headers in your web server, CDN, or application framework globally rather than per route, so error pages and redirects carry them too
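Step 5 says to verify the headers; the checks that matter are the ones the Quick Answer and the steps above spell out, including the HSTS lockout hazard. The following is an added example, not code from the original page or from any scanner: an offline audit of one HTTPS response's headers that reports what is missing or weak and flags a long max-age or preload sent before HTTPS has been confirmed everywhere. The `https_verified` flag is an input you supply from your own checks, because the headers cannot tell you that; SAMPLE_HEADERS is a constructed response.

```python
"""Audit one HTTPS response's security headers.

Added example, not code from the original page or from any scanner. Given
the response headers as a dict it reports what is missing or weak, and it
flags the HSTS rollout hazard (long max-age or preload sent before HTTPS is
confirmed on every host). `https_verified` is an input you supply from your
own checks. SAMPLE_HEADERS below is a constructed response.
"""

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires max-age of at least one year
ROLLOUT_MAX_AGE = 300           # the short starting max-age for a new HSTS rollout


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload'. Returns None when max-age
    is missing or not an integer, which is when browsers ignore the header."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None


def csp_directive(value, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def audit(headers, https_verified=False):
    """Return a list of (severity, message) findings; header names are matched
    case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    parsed = parse_hsts(hsts) if hsts is not None else None
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing: SSL stripping possible on every visit"))
    elif parsed is None:
        findings.append(("high", "Strict-Transport-Security has no valid max-age; browsers ignore it"))
    else:
        if parsed["preload"] and not (parsed["include_subdomains"] and parsed["max_age"] >= PRELOAD_MIN_MAX_AGE):
            findings.append(("medium", "preload needs includeSubDomains and max-age >= 1 year or the preload list rejects it"))
        if not https_verified and (parsed["max_age"] > ROLLOUT_MAX_AGE or parsed["preload"]):
            findings.append(("high", "long max-age or preload before HTTPS is verified on every host: lockout risk"))
        elif https_verified and parsed["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(("low", "max-age below one year; raise it now that the rollout is stable"))

    csp, csp_ro = h.get("content-security-policy"), h.get("content-security-policy-report-only")
    if csp is None and csp_ro is None:
        findings.append(("high", "no Content-Security-Policy: injected script runs unrestricted"))
    elif csp is None:
        findings.append(("medium", "CSP is report-only: violations are reported, nothing is blocked"))
    if csp_ro is not None and "report-uri" not in csp_ro and "report-to" not in csp_ro:
        findings.append(("low", "report-only CSP without report-uri/report-to: violations only reach the console"))

    xfo = h.get("x-frame-options", "").strip().upper()
    if (csp is None or csp_directive(csp, "frame-ancestors") is None) and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("high", "no frame-ancestors and no DENY/SAMEORIGIN X-Frame-Options: clickjacking possible"))
    if xfo.startswith("ALLOW-FROM"):
        findings.append(("medium", "X-Frame-Options ALLOW-FROM is unsupported by current browsers; use frame-ancestors"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))

    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append(("low", "Referrer-Policy missing; relying on the browser default"))
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("low", "Referrer-Policy %s leaks full URLs to other origins" % rp))
    return findings


# Constructed sample: a first-day rollout that copied the "final" HSTS value too early.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_HEADERS):
        print("[%s] %s" % (severity, message))
```

Run it against the headers you actually serve (for example, the output of curl -I parsed into a dict) for the bare domain and for each subdomain, and pass https_verified=True only after every one of them answers correctly over HTTPS; until then the sample's two-year max-age with preload is reported as a lockout risk, which is exactly the mistake the Quick Answer warns about.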