March 11, 20265 min read
The four security headers every production site should ship
You can add them today, in one deploy, and eliminate whole classes of attack. Here's the minimum viable set for 2026.
#Web Development#Cybersecurity#Hardening
Content-Security-Policy
Start in report-only mode, then enforce. Default-src 'self' plus a nonce for inline scripts stops the majority of XSS from ever executing.
Strict-Transport-Security
max-age=63072000; includeSubDomains; preload. Once you're on HTTPS everywhere, submit to the HSTS preload list. Downgrade attacks disappear.
X-Content-Type-Options
nosniff. One line, blocks MIME confusion attacks that turn image uploads into script execution.
Referrer-Policy
strict-origin-when-cross-origin. Stops sensitive URL parameters from leaking to third-party analytics and ads.
