Security·4 min read

Security headers: from D to A+ in 30 minutes

Most production sites score D or E on Mozilla Observatory and Securityheaders.com. Six headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COEP/COOP) move you to A+ — here's the recipe.

Security headers are the lowest-effort, highest-leverage security improvement you can ship today. They are declarative HTTP response headers that the browser enforces, so they need no application code change (a strict CSP with per-request nonces is the one exception, since the app has to mint the nonce). Yet the majority of sites still ship with none configured.

The minimum 6

  1. Strict-Transport-Security (HSTS). Forces HTTPS for as long as max-age says; `max-age=63072000; includeSubDomains; preload` is two years. Roll it out with a short max-age first, and only submit to hstspreload.org once every subdomain serves HTTPS, because getting back off the preload list is slow.
  2. Content-Security-Policy (CSP). Controls which scripts, styles, images and frames may load. Start with `default-src 'self'; script-src 'self' 'unsafe-inline'` and tighten from there, but know that `'unsafe-inline'` in script-src lets injected inline scripts run, so it buys little against XSS and Observatory docks points for it. Ship the policy as Content-Security-Policy-Report-Only first, then replace `'unsafe-inline'` with nonces or hashes.
  3. X-Frame-Options: DENY. Prevents clickjacking via iframe embedding. `frame-ancestors 'none'` in the CSP is the modern equivalent; send both.
  4. Referrer-Policy: strict-origin-when-cross-origin. Sends the full URL only to your own origin, just the origin to other HTTPS sites, and nothing on an HTTPS-to-HTTP downgrade.
  5. Permissions-Policy: `camera=(), microphone=(), geolocation=(self), interest-cohort=()`. Denies camera and microphone to everyone, limits geolocation to your own origin, and opts out of FLoC (Chrome has since abandoned FLoC, so that directive is harmless but no longer load-bearing).
  6. Cross-Origin headers (COOP/COEP/CORP). `Cross-Origin-Opener-Policy: same-origin` plus `Cross-Origin-Embedder-Policy: require-corp` put the page in a cross-origin-isolated context, which is required for SharedArrayBuffer and limits what Spectre-style attacks can read from your renderer process. The catch: require-corp blocks every cross-origin subresource that lacks CORS or a Cross-Origin-Resource-Policy header, so test third-party embeds before enabling it.

Edge proxy is the easiest place

Don't configure static headers in your app. Set them at the edge proxy (Caddy, Nginx, Cloudflare). One config, one deploy, all routes covered, including error pages and redirects. The one thing that cannot live at the edge is a nonce-based CSP, because the nonce changes per response and the app must put it in the HTML. For Next.js, you can also use the async headers() function in next.config.js; see auditope.com's repo for a working example scoring A+ on observatory.mozilla.org.
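Here is what the six-header recipe looks like as a next.config.js-style headers() function. This is an added example, not the post's or Auditope's code: it uses the values the post recommends, and goes slightly beyond the list by adding `X-Content-Type-Options: nosniff` (which both scanners check) and by tightening the CSP with `frame-ancestors`, `object-src` and `base-uri`. The `allowInlineScripts` and `crossOriginIsolate` options are this example's own.

```javascript
// security-headers.js: builds the six headers from the post (HSTS, CSP,
// X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP)
// plus X-Content-Type-Options, in the shape next.config.js headers() returns.
// Added example, not the post's or Auditope's code.

const TWO_YEARS = 63072000; // seconds; the HSTS max-age the post recommends

// Join a {directive: [sources]} map into a CSP string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Options (both are this example's assumptions, not a Next.js API):
//  allowInlineScripts: keep 'unsafe-inline' in script-src while migrating to
//    nonces or hashes. It disables most of CSP's XSS protection; default off.
//  crossOriginIsolate: send COOP/COEP/CORP. require-corp blocks cross-origin
//    subresources that lack CORS or a CORP header, so if a third-party embed
//    breaks, fix the embed rather than leaving this off for good.
function securityHeaders({ allowInlineScripts = false, crossOriginIsolate = true } = {}) {
  const csp = buildCsp({
    'default-src': ["'self'"],
    'script-src': allowInlineScripts ? ["'self'", "'unsafe-inline'"] : ["'self'"],
    'object-src': ["'none'"], // no plugins
    'base-uri': ["'self'"], // stop an injected <base> from redirecting relative URLs
    'frame-ancestors': ["'none'"], // CSP equivalent of X-Frame-Options: DENY
  });
  const headers = [
    { key: 'Strict-Transport-Security', value: `max-age=${TWO_YEARS}; includeSubDomains; preload` },
    { key: 'Content-Security-Policy', value: csp },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self), interest-cohort=()' },
    { key: 'X-Content-Type-Options', value: 'nosniff' }, // not in the post's six; scanners check it
  ];
  if (crossOriginIsolate) {
    headers.push(
      { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' },
      { key: 'Cross-Origin-Embedder-Policy', value: 'require-corp' },
      { key: 'Cross-Origin-Resource-Policy', value: 'same-origin' },
    );
  }
  return headers;
}

// The shape next.config.js expects: every route gets the same static set.
async function headers() {
  return [{ source: '/(.*)', headers: securityHeaders() }];
}

// In a real next.config.js this would simply be `module.exports = { headers }`.
if (typeof module !== 'undefined') module.exports = { buildCsp, securityHeaders, headers };
```

Because the set is static, the same values drop straight into an Nginx `add_header` block or a Caddy `header` block; only a nonce-based CSP would need to move into the app.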

Verify

Run scans at observatory.mozilla.org and securityheaders.com for the headers, and ssllabs.com for the TLS configuration behind them (HSTS is only as good as the certificate chain and protocol set it pins you to). Re-scan after every change, and check that the headers also appear on error pages and redirects, not just the home page. Auditope's security phase runs equivalents of all three inline, plus CVE scanning of the site's JS libraries, in one go.
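Before hitting the online scanners, it is worth checking a captured response locally, for example the output of `curl -sI` against a staging host, so that a deploy with a missing or weakened header never reaches production. The checker below is an added example, not Auditope's scanner and not Observatory's scoring; it only reports the gaps those scanners would flag for the six headers in the post. Both sample responses are constructed for the example, not captured from any real site, and the nonce value in the hardened one is made up.

```javascript
// audit-headers.js: offline pre-check of the six headers from the post on a
// raw HTTP response. Added example, not Auditope's code or Observatory's scoring.

const REQUIRED = ['strict-transport-security', 'content-security-policy', 'x-frame-options',
  'referrer-policy', 'permissions-policy', 'cross-origin-opener-policy',
  'cross-origin-embedder-policy', 'cross-origin-resource-policy'];

// Parse raw "Name: value" response lines into a lowercase-keyed object.
function parseRawHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon <= 0) continue; // status line or blank line
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return headers;
}

// Split a CSP string into {directive: [sources]}.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Return human-readable findings; an empty list means every check passed.
function auditHeaders(headers) {
  const findings = [];
  for (const name of REQUIRED) if (!(name in headers)) findings.push(`missing ${name}`);

  const hsts = headers['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) findings.push(`hsts max-age ${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('hsts lacks includeSubDomains');
  }

  const csp = headers['content-security-policy'];
  if (csp) {
    const d = parseCsp(csp);
    const script = d['script-src'] || d['default-src'] || [];
    // CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is also listed,
    // so it is only a finding when it is actually in effect.
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("csp script-src allows 'unsafe-inline' without a nonce or hash");
    }
    if (!d['frame-ancestors'] && !headers['x-frame-options']) {
      findings.push('no frame-ancestors directive and no x-frame-options');
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo && !/^(DENY|SAMEORIGIN)$/i.test(xfo)) {
    findings.push(`x-frame-options value "${xfo}" is not DENY or SAMEORIGIN`);
  }

  const referrer = headers['referrer-policy'];
  if (referrer && /unsafe-url|no-referrer-when-downgrade/i.test(referrer)) {
    findings.push(`referrer-policy "${referrer}" sends full URLs cross-origin`);
  }
  return findings;
}

// Constructed sample responses for the example (not captured from a real site).
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Strict-Transport-Security: max-age=300',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Frame-Options: ALLOW-FROM https://example.com',
].join('\n');

const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Strict-Transport-Security: max-age=63072000; includeSubDomains; preload',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
  'X-Frame-Options: DENY',
  'Referrer-Policy: strict-origin-when-cross-origin',
  'Permissions-Policy: camera=(), microphone=(), geolocation=(self), interest-cohort=()',
  'Cross-Origin-Opener-Policy: same-origin',
  'Cross-Origin-Embedder-Policy: require-corp',
  'Cross-Origin-Resource-Policy: same-origin',
].join('\n');

for (const [label, raw] of [['weak', WEAK_RESPONSE], ['hardened', HARDENED_RESPONSE]]) {
  const findings = auditHeaders(parseRawHeaders(raw));
  console.log(`${label}: ${findings.length ? '\n  ' + findings.join('\n  ') : 'no findings'}`);
}
```

Wire `auditHeaders` into CI against a staging URL and fail the build on any finding; the online scanners then confirm the grade rather than discover the regression.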

Want this kind of analysis on your own site?

Run a free audit →