Why is the HSTS header important?

HSTS (HTTP Strict Transport Security) forces browsers to always connect via HTTPS. This prevents SSL stripping attacks and man-in-the-middle attacks on the initial HTTP connection.

Why does my site break after adding a CSP header?

A strict Content-Security-Policy can block external scripts, stylesheets, and images. Start with Content-Security-Policy-Report-Only mode to test, then gradually tighten the policy.

How can I verify that security headers are properly applied?

Use the DechoNet HTTP Check tool to query your domain. It displays the status of HSTS, CSP, X-Frame-Options, and other security headers at a glance.

HTTP Security Headers Guide

A guide to configuring essential HTTP security headers including HSTS, CSP, X-Frame-Options, and more.

Diagnose your site now

Problem

A security audit shows that essential HTTP security headers like CSP and HSTS are missing.

Top 3 Causes

Not configured by default — Web server default configurations do not include security headers.
CDN override — The CDN may strip or overwrite headers set by the origin server.
Configuration conflicts — Headers defined in multiple configuration files may conflict and fail to apply.

Diagnosis with DechoNet

HTTP Check — See the security header status at a glance.

Resolution Checklist

HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
CSP: Content-Security-Policy: default-src 'self' (extend as needed)
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin