Security Headers Check — Are Your HTTP Headers Protecting You?

Written by the Rafter Team

Missing security headers are one of the most common findings in web application scans — and one of the easiest to fix. A security headers check examines your HTTP response headers to determine whether your application defends against clickjacking, cross-site scripting, MIME sniffing, protocol downgrade attacks, and unauthorized feature access. Each header takes minutes to configure but prevents entire categories of exploits.
Security headers only protect you if they're present on every response. A single misconfigured route or reverse proxy that strips headers can leave your entire application exposed. Test all endpoints, not just your homepage.
Run a free security headers check with Rafter — scan your application and get actionable findings in under two minutes.
Content-Security-Policy (CSP)
CSP tells the browser which sources of content are trusted. Without it, attackers who find an injection point can load scripts from any domain, exfiltrate data, or deface your pages.
A strong CSP blocks inline scripts and restricts resources to known origins:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self' https://api.example.com; frame-ancestors 'none'
Start with default-src 'self' and add exceptions only as your application requires them. Avoid 'unsafe-inline' and 'unsafe-eval' — they negate most of CSP's protection. Deploy the policy first under the Content-Security-Policy-Report-Only header with a report-uri or report-to directive, so violations are reported rather than blocked, and you catch breakage before enforcing.
DAST scanners detect missing or weak CSP by analyzing response headers and identifying overly permissive directives like wildcard sources.
Strict-Transport-Security (HSTS)
HSTS forces browsers to connect over HTTPS only, eliminating protocol downgrade attacks and SSL stripping. Without it, an attacker on the same network can intercept the initial HTTP request before your redirect fires.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Set max-age to at least one year. Include includeSubDomains to protect every subdomain. Submit to the HSTS preload list so browsers enforce HTTPS before the first visit. Once preloaded, there is no window for a downgrade attack — not even on the first connection.
X-Frame-Options
X-Frame-Options prevents your pages from being embedded in frames on other sites, blocking clickjacking attacks where an attacker overlays invisible frames to trick users into clicking on your application.
X-Frame-Options: DENY
Use DENY to block all framing, or SAMEORIGIN if your application uses iframes internally. Note that frame-ancestors in CSP provides the same protection with more flexibility — but X-Frame-Options remains necessary for older browsers that don't support CSP Level 2.
X-Content-Type-Options
This header prevents browsers from MIME-sniffing a response away from the declared Content-Type. Without it, a browser might interpret a text file as executable JavaScript — turning a file upload feature into a cross-site scripting vector.
X-Content-Type-Options: nosniff
There is exactly one valid value. Set it on every response. There are no trade-offs, no configuration decisions, and no reason to omit it.
Permissions-Policy
Permissions-Policy (formerly Feature-Policy) controls which browser features your application can access — camera, microphone, geolocation, payment APIs, and more. Restricting these limits the damage if an attacker injects code into your pages.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Disable every feature you don't use. If your application needs geolocation, grant it only to your own origin: geolocation=(self). This header reduces your attack surface and prevents third-party scripts from silently accessing sensitive device capabilities.
How DAST Detects Missing Headers
Web security scanners check for missing or misconfigured security headers on every response they receive during a crawl. A good scanner flags not just absent headers but also weak configurations — a CSP that allows unsafe-inline, an HSTS max-age under six months, or a Permissions-Policy that grants broad access.
Automated scanning catches header regressions that manual reviews miss. A deploy that updates your reverse proxy configuration, a new CDN edge rule, or a framework upgrade can silently strip headers from responses. Continuous scanning on every deployment ensures headers stay in place. Include a website security check as part of your regular audit process to verify headers alongside authentication, configuration, and dependency risks.
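As an added example (not Rafter's scanner or any code from the original post), here is a small offline checker in Python that applies this page's rules for the five headers to one response's header set: it flags a missing CSP, 'unsafe-inline'/'unsafe-eval' or bare wildcard sources, an HSTS max-age under a year or without includeSubDomains, missing framing protection, a missing nosniff, and a missing Permissions-Policy. The two header sets at the bottom are constructed samples, one weak and one built from the values shown above.

```python
import re

def parse_csp(value):
    """Split a CSP header value into {directive: [lower-cased source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def check_headers(headers):
    """Apply this page's five header checks to one response; returns finding strings."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("Content-Security-Policy missing")
    for directive, sources in (csp or {}).items():
        if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
            findings.append(f"CSP {directive} allows 'unsafe-inline'/'unsafe-eval'")
        if "*" in sources:  # bare wildcard: any origin may supply this resource type
            findings.append(f"CSP {directive} uses a wildcard source")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < 31536000:  # the page's minimum: one year
            findings.append(f"HSTS max-age {max_age} is under one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    # Either X-Frame-Options or the CSP Level 2 frame-ancestors directive blocks framing.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        findings.append("no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings
# Constructed sample responses (not captured from any real site).
WEAK = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=86400", "X-Frame-Options": "ALLOWALL"}
STRONG = {"Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; "
          "img-src 'self' data:; connect-src 'self' https://api.example.com; frame-ancestors 'none'",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
          "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
          "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()"}
```

Calling check_headers(WEAK) yields seven findings and check_headers(STRONG) yields none; feed it the headers of each route your crawler sees, not just the homepage, since a proxy or CDN rule can strip them per path.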
Scan your site for vulnerabilities to catch header misconfigurations alongside injection flaws, dependency risks, and secrets exposure.
Fix Headers Once, Prevent Attacks Permanently
Security headers are a force multiplier. Five headers, configured correctly at the server or CDN level, block clickjacking, XSS escalation, MIME confusion, protocol downgrades, and unauthorized feature access — permanently. The effort is measured in minutes. The protection is measured in entire attack categories eliminated.
Start a free scan with Rafter to check your security headers and find what else your application is exposing.