Security Headers
Security Headers Configuration
Implement HTTP security headers to lock down the browser context.
- Strict-Transport-Security (HSTS)
- Content-Security-Policy (CSP)
- X-Frame-Options (DENY or SAMEORIGIN for clickjacking)
- X-Content-Type-Options: nosniff
// Node.js (Helmet) — Security Headers & CSP
const express = require('express');
const helmet = require('helmet');

const app = express();

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],                           // fallback for every fetch directive
      scriptSrc: ["'self'", "https://trusted-cdn.com"], // no inline scripts; one allow-listed CDN
      objectSrc: ["'none'"],                            // block plugin content (object/embed)
      upgradeInsecureRequests: [],                      // rewrite http:// subresources to https://
    },
  },
  // HSTS: one year, cover subdomains, eligible for the browser preload list
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
}));
// Helmet also sets X-Content-Type-Options: nosniff and X-Frame-Options: SAMEORIGIN
// by default; pass frameguard: { action: 'deny' } if no framing at all is wanted.
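To check that a deployment actually emits the four controls listed above, here is an added example (not part of the original page, and not Helmet's code) that builds the CSP string from a directive object shaped like the Helmet config and then audits a response-header map for HSTS, CSP, X-Frame-Options and nosniff. The `buildCsp`, `parseHsts` and `auditSecurityHeaders` functions and the two sample header sets are this example's own constructions; the thresholds (one-year HSTS, object-src present, no 'unsafe-inline' for scripts) follow the page's recommendations.

```javascript
// Added example: build a CSP header string and audit a response-header map
// against the controls listed on the page. Header sets below are constructed.

const ONE_YEAR = 31536000;

// Turn camelCase directive names into the dashed header form
// (defaultSrc -> default-src, upgradeInsecureRequests -> upgrade-insecure-requests).
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const dashed = name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
      // A value-less directive (upgrade-insecure-requests) is emitted bare.
      return values.length ? `${dashed} ${values.join(' ')}` : dashed;
    })
    .join('; ');
}

// Parse "max-age=31536000; includeSubDomains; preload" into its parts.
function parseHsts(value) {
  const parts = value.split(';').map((p) => p.trim().toLowerCase());
  const maxAgePart = parts.find((p) => p.startsWith('max-age='));
  return {
    maxAge: maxAgePart ? Number(maxAgePart.slice('max-age='.length)) : 0,
    includeSubDomains: parts.includes('includesubdomains'),
    preload: parts.includes('preload'),
  };
}

// Audit a header map (names compared case-insensitively). Returns a list of
// findings; an empty list means all four controls are set as the page recommends.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    // directive name -> source list
    const map = new Map(
      csp.split(';').map((d) => d.trim()).filter(Boolean).map((d) => {
        const [name, ...vals] = d.split(/\s+/);
        return [name.toLowerCase(), vals];
      })
    );
    if (!map.has('default-src')) findings.push('CSP has no default-src fallback');
    if (!map.has('object-src')) findings.push('CSP does not restrict object-src');
    // script-src falls back to default-src when absent
    const scriptSources = map.get('script-src') || map.get('default-src') || [];
    if (scriptSources.includes("'unsafe-inline'")) findings.push("script sources allow 'unsafe-inline'");
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) findings.push('X-Frame-Options is not DENY or SAMEORIGIN');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }
  return findings;
}

// Constructed sample: what the Helmet config above emits (with frameguard set to deny).
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': buildCsp({
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", 'https://trusted-cdn.com'],
    objectSrc: ["'none'"],
    upgradeInsecureRequests: [],
  }),
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};

// Constructed sample: a weak configuration with several gaps.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'ALLOWALL',
};

console.log('hardened:', auditSecurityHeaders(HARDENED_HEADERS));
console.log('weak:', auditSecurityHeaders(WEAK_HEADERS));
```

The audit is deliberately strict about `object-src`: without it, `default-src 'self'` still allows same-origin plugin content, which is why the page's config sets it to `'none'` explicitly.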