← All articles
March 11, 20265 min read

The four security headers every production site should ship

You can add them today, in one deploy, and eliminate whole classes of attack. Here's the minimum viable set for 2026.

#Web Development#Cybersecurity#Hardening

Content-Security-Policy

Start in report-only mode, then enforce. Default-src 'self' plus a nonce for inline scripts stops the majority of XSS from ever executing.

Strict-Transport-Security

max-age=63072000; includeSubDomains; preload. Once you're on HTTPS everywhere, submit to the HSTS preload list. Downgrade attacks disappear.

X-Content-Type-Options

nosniff. One line, blocks MIME confusion attacks that turn image uploads into script execution.

Referrer-Policy

strict-origin-when-cross-origin. Stops sensitive URL parameters from leaking to third-party analytics and ads.