HTTP security headers are response headers that instruct browsers to enforce security policies when rendering a page. Properly configured security headers protect against cross-site scripting (XSS), clickjacking, MIME sniffing, and other browser-level attacks.
Key security headers include: Content-Security-Policy (CSP) — restricts which resources the page can load; Strict-Transport-Security (HSTS) — enforces HTTPS connections; X-Frame-Options — prevents clickjacking via iframes; X-Content-Type-Options — prevents MIME sniffing; Referrer-Policy — controls referrer header behavior.
Security header auditing is a standard part of web application penetration testing and compliance workflows. Many frameworks ship without these headers, or with weak default values, so automated checking identifies the gaps before attackers do.