Security headers: from D to A+ in 30 minutes
Most production sites score D-E on Mozilla Observatory. Six headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COEP/COOP) take you to A+.
ℹ️ Article available in English. A complete Romanian version will be published soon.
Security headers are the lowest-effort, highest-leverage security improvement you can ship today. They're declarative HTTP response headers that browsers enforce — no app code change. Yet the majority of sites still ship with none configured.
The minimum 6
- Strict-Transport-Security (HSTS): forces HTTPS forever. Use `max-age=63072000; includeSubDomains; preload` and submit the domain to hstspreload.org.
- Content-Security-Policy (CSP): controls which scripts, styles and images can load. Start with `default-src 'self'; script-src 'self' 'unsafe-inline'` and tighten from there.
- `X-Frame-Options: DENY`: prevents clickjacking via iframe embedding.
- `Referrer-Policy: strict-origin-when-cross-origin`: limits referrer leakage to other sites.
- Permissions-Policy: `camera=(), microphone=(), geolocation=(self), interest-cohort=()` disables FLoC and unwanted hardware access.
- Cross-Origin headers (COOP/COEP/CORP): required for `SharedArrayBuffer` and protect against Spectre.
Edge proxy is the easiest place
Don't configure these in your app. Set them at the edge proxy (Caddy, Nginx, Cloudflare). One config, one deploy, all routes covered. For Next.js, you can also use next.config.js headers() async function — see auditope.com's repo for a working example scoring A+ on observatory.mozilla.org.
Verify
Run scans at observatory.mozilla.org, securityheaders.com, and ssllabs.com. Auditope's security phase runs equivalents of all three inline, plus CVE scanning of JS libraries, in one go.
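As an added example (not code from this article or from Auditope), a small Node.js check that does the same verification offline against a captured set of response headers: each of the six headers above is reported as missing or weak by the values recommended in this post. It assumes you pass a plain object of header name to value (for instance `Object.fromEntries(res.headers)` from `fetch()` in Node 18+); CORP is not checked.

```javascript
// Added example: audit one HTTP response's headers against the six
// recommendations above. Not code from the original article or from Auditope.
const STRONG_REFERRER = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Each rule returns null when the value is acceptable, otherwise a reason string.
const RULES = {
  'strict-transport-security': (v) => {
    const age = Number((/max-age=(\d+)/i.exec(v) || [])[1]);
    if (!(age >= 31536000)) return 'max-age below one year (preload needs >= 31536000)';
    if (!/includeSubDomains/i.test(v)) return 'missing includeSubDomains';
    return null;
  },
  'content-security-policy': (v) =>
    /(^|;)\s*default-src\b/i.test(v) ? null : 'no default-src fallback directive',
  'x-frame-options': (v) =>
    /^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : 'use DENY or SAMEORIGIN',
  'referrer-policy': (v) =>
    STRONG_REFERRER.has(v.trim().toLowerCase()) ? null : 'policy leaks full URL cross-origin',
  'permissions-policy': () => null, // presence is enough for this check
  'cross-origin-opener-policy': (v) =>
    /^same-origin$/i.test(v.trim()) ? null : 'expected same-origin',
  'cross-origin-embedder-policy': (v) =>
    /^(require-corp|credentialless)$/i.test(v.trim()) ? null : 'expected require-corp',
};

// Returns an array of findings; an empty array means nothing to fix.
function checkSecurityHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, rule] of Object.entries(RULES)) {
    if (!(name in lower)) { findings.push({ header: name, status: 'missing' }); continue; }
    const reason = rule(lower[name]);
    if (reason) findings.push({ header: name, status: 'weak', reason });
  }
  return findings;
}

// Constructed sample: a typical D-grade response with two half-configured headers.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
  'Referrer-Policy': 'no-referrer-when-downgrade',
};
for (const f of checkSecurityHeaders(SAMPLE_HEADERS)) console.log(f);
```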
Want a similar analysis of your site?
Run a free audit →