EasyFrontend Security📖 Theory Question

What security HTTP response headers should every production frontend set?

💡

Hint

X-Content-Type-Options, X-Frame-Options/CSP frame-ancestors, HSTS, Referrer-Policy, Permissions-Policy

Full Answer

A hardened production app should set these headers on every HTML response:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# Forces HTTPS for 1 year; prevents SSL-stripping attacks

X-Content-Type-Options: nosniff
# Stops browser MIME-type sniffing — prevents treating a text/plain response as JavaScript

X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
# Prevents clickjacking

Referrer-Policy: strict-origin-when-cross-origin
# Limits how much URL info leaks in Referer header

Permissions-Policy: camera=(), microphone=(), geolocation=()
# Disables browser features your app doesn't use

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{n}'; ...
# Restricts resource origins; mitigates XSS

Quick audit: Run your URL through securityheaders.com to get a score and missing header report.

In Next.js: Set these in next.config.js under headers() or in middleware for per-request nonces.

More Frontend Security Questions

EasyWhat is XSS (Cross-Site Scripting) and how do you prevent it?EasyWhat is CSRF and how do SameSite cookies and CSRF tokens prevent it?EasyWhat is a Content Security Policy (CSP) and how does it work?EasyWhat is clickjacking and how do you prevent it?

Practice this in a timed sprint →

5 free questions, no signup required

⚡ Start Sprint