You can have the best firewall in the world, but if your browser allows malicious scripts to run, your users are at risk. HTTP Security Headers are the first line of defense in the browser. They tell the client exactly what is allowed and what is forbidden.
1. Content Security Policy (CSP)
The most powerful header. CSP prevents Cross-Site Scripting (XSS) and data injection attacks. It tells the browser: "Only load scripts, images, and styles from these specific domains."
Content-Security-Policy: default-src 'self'; script-src 'self' https://analytics.google.com;
If a hacker injects a malicious script pointing to evil.com, the browser checks the CSP, sees that evil.com is not on the list, and blocks the request immediately.
2. Strict-Transport-Security (HSTS)
Forces HTTPS. It tells the browser: "Never load this site over HTTP. Always use HTTPS."
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This prevents "Protocol Downgrade Attacks" (SSL Stripping), where a hacker on public Wi-Fi intercepts the initial plain-HTTP request. Once a browser has seen this header on an HTTPS response, it will strictly refuse to connect over insecure HTTP for the next year (max-age=31536000 seconds).
3. X-Frame-Options
Prevents Clickjacking. It tells the browser: "Do not allow other sites to embed my site in an <iframe>."
X-Frame-Options: DENY
Without this, a hacker could create a fake site, embed your bank's login page in an invisible iframe, and trick you into clicking "Transfer Money" when you think you are clicking "Play Video."
4. X-Content-Type-Options
Prevents MIME Sniffing.
X-Content-Type-Options: nosniff
Browsers sometimes try to "guess" the file type if the server's Content-Type is missing or looks wrong. This lets attackers upload a malicious script disguised as an image (e.g., avatar.jpg that actually contains JavaScript) and have the browser execute it anyway. This header forces the browser to honor the Content-Type sent by the server, so a file served as an image is never run as a script or stylesheet.
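The following audit script is an added example, not part of the original article: it parses a raw HTTP response head and checks the four headers discussed above for the weaknesses the text warns about (wildcard or inline script sources in CSP, a short HSTS max-age, a permissive X-Frame-Options, a missing nosniff). The two sample response heads are constructed for the example and were not captured from any real server.

```python
import re
# Constructed sample response heads (not captured from a real server).
GOOD = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' https://analytics.google.com;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""
WEAK = """HTTP/1.1 200 OK
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
"""
ONE_YEAR = 31536000  # seconds, the max-age the article recommends

def parse_headers(raw):
    # Map lowercase header name -> value; the status line is skipped.
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def script_sources(csp):
    # script-src governs scripts; when it is absent, default-src is the fallback.
    pat = r"(?:^|;)\s*%s(?![\w-])([^;]*)"
    m = re.search(pat % "script-src", csp) or re.search(pat % "default-src", csp)
    return m.group(1).split() if m else []

def audit(raw):
    # One finding per weak or missing header; an empty list means all four look sound.
    h, findings = parse_headers(raw), []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        srcs = script_sources(csp)
        if not srcs or {"*", "'unsafe-inline'"} & set(srcs):
            findings.append("CSP allows wildcard or inline scripts")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m is None:
        findings.append("HSTS missing or without max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings
```

Run `audit(GOOD)` and `audit(WEAK)` to see the first pass cleanly and the second produce one finding per header; `curl -sI https://example.invalid` output can be fed to `audit` in the same form.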
