Samuel Aguilar
June 21, 2026 · Cybersecurity · 1 min read

HTTP security headers you should have

A few well-set headers stop common attacks and improve your score in any web audit.

Your web server can send headers that tell the browser how to behave securely. They're free and you configure them once.

The essentials

  • Strict-Transport-Security (HSTS): forces HTTPS always.
  • Content-Security-Policy (CSP): controls where scripts, styles, etc. load from. It's the most powerful against XSS (and the hardest to fine-tune).
  • X-Content-Type-Options: nosniff: stops the browser from "guessing" file types.
  • Referrer-Policy: limits what origin information leaks while browsing.
  • X-Frame-Options / CSP frame-ancestors: prevents your site from being embedded in an iframe (clickjacking).

How to check it

Tools like securityheaders.com give you a quick grade. For auditing TLS, use SSL Labs. Start with HSTS and nosniff (easy) and leave CSP for when you can test it without breaking the site.
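As an added example (not code from this post or from the tools it names), here is a small offline check of the five essentials above, run over a constructed set of response headers; the thresholds it applies (a one-year HSTS max-age with includeSubDomains, and treating unsafe-url and no-referrer-when-downgrade as leaky referrer policies) are this example's own assumptions, not rules stated in the post.

```python
from typing import Dict, List

# Constructed sample: a server that set only the "easy" headers and a weak policy.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the five essential headers; an empty list means all are set sensibly."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # HSTS: must be present, with a max-age of at least a year and includeSubDomains (assumed thresholds).
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        directives = {d.strip().split("=")[0].lower(): d.strip() for d in hsts.split(";")}
        max_age = directives.get("max-age", "max-age=0").partition("=")[2]
        if not max_age.isdigit() or int(max_age) < 31536000:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    # nosniff: the only valid value is exactly "nosniff".
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Referrer-Policy: present, and not a policy that sends the full URL cross-origin.
    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("Referrer-Policy missing")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy '{rp}' sends full URLs cross-origin")

    # CSP: present; framing must be restricted by frame-ancestors or X-Frame-Options.
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("Content-Security-Policy missing")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("No clickjacking protection (frame-ancestors or X-Frame-Options)")
    return findings

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS):
        print("-", f)
```

Feed it the headers from a real response (for example the dict returned by an HTTP client) and the finding list tells you which of the five essentials still need work.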

No header replaces secure code, but they're a cheap layer worth having.

#web #http #security #headers