What are HTTP security headers?
Answer
HTTP security headers are response headers that instruct browsers to enable protective behaviors. Key headers:
- Strict-Transport-Security (HSTS): forces HTTPS.
- Content-Security-Policy (CSP): whitelists trusted content sources, preventing XSS.
- X-Frame-Options: DENY or SAMEORIGIN; prevents clickjacking by controlling framing.
- X-Content-Type-Options: nosniff; prevents MIME type sniffing attacks.
- Referrer-Policy: controls how much referrer information is sent (e.g., strict-origin-when-cross-origin).
- Permissions-Policy (formerly Feature-Policy): disables browser features (camera, microphone, geolocation).
- X-XSS-Protection: 1; mode=block; legacy browser XSS filter (largely obsoleted by CSP).
Check your headers at securityheaders.com. All of these headers should be set in your web server or application middleware.
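The following is an added example, not part of the original answer: a small Python WSGI middleware that sets the headers listed above on every response, plus an audit function that reports missing or weak values. The names SECURITY_HEADERS, apply_security_headers, audit_security_headers, security_headers_middleware and run_demo are assumptions chosen for this illustration, the sample response headers are constructed, and the one-year HSTS max-age threshold is an assumed minimum rather than something the answer states.

```python
"""Set and audit the HTTP security headers discussed above.

Added example (not from the original page). All names here are assumptions
for the illustration; the header values are common defaults and the
one-year HSTS minimum is an assumed threshold.
"""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age

# One recommended value per header from the answer above.
SECURITY_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    # Legacy filter; the CSP above is what actually prevents XSS in modern browsers.
    "X-XSS-Protection": "1; mode=block",
}


def apply_security_headers(headers: Dict[str, str], overwrite: bool = False) -> Dict[str, str]:
    """Return a copy of `headers` with the security headers added.

    Header names are compared case-insensitively. By default an existing
    header is left alone; with overwrite=True it is replaced.
    """
    out = dict(headers)
    for name, value in SECURITY_HEADERS.items():
        existing = [k for k in out if k.lower() == name.lower()]
        if existing and not overwrite:
            continue
        for k in existing:  # drop any differently-cased copy before replacing
            del out[k]
        out[name] = value
    return out


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings: missing headers and a few weak settings."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in SECURITY_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing: {name}")

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: X-Frame-Options={xfo!r} (use DENY or SAMEORIGIN)")

    xcto = lower.get("x-content-type-options", "").strip().lower()
    if xcto and xcto != "nosniff":
        findings.append(f"weak: X-Content-Type-Options={xcto!r} (use nosniff)")

    csp = lower.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp:
        findings.append("weak: Content-Security-Policy allows 'unsafe-inline'")

    hsts = lower.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val)
        if max_age < ONE_YEAR:
            findings.append(f"weak: Strict-Transport-Security max-age={max_age} (assumed minimum {ONE_YEAR})")
    return findings


def security_headers_middleware(app):
    """Wrap a WSGI application so every response carries the security headers."""
    def wrapped(environ, start_response):
        def hardened_start_response(status, response_headers, exc_info=None):
            merged = apply_security_headers(dict(response_headers))
            return start_response(status, list(merged.items()), exc_info)
        return app(environ, hardened_start_response)
    return wrapped


# Constructed sample: a response that forgot most headers and misconfigured framing.
SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
}


def run_demo() -> Tuple[str, Dict[str, str]]:
    """Run a trivial WSGI app through the middleware; return (status, headers)."""
    def demo_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]

    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    list(security_headers_middleware(demo_app)({}, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_RESPONSE_HEADERS):
        print(finding)
    print(run_demo()[1])
```

The audit function is the same check securityheaders.com performs in spirit, run locally on a captured response: feed it the header dict from any HTTP client and it tells you what the middleware (or your web server configuration) still needs to add.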