Pyalm Guard
Jul 7, 2026

HTTP Security Headers: A Practical Guide to HSTS, CSP, and the Rest

A handful of response headers quietly decide whether your site can be framed, downgraded, or injected into. Here's what HSTS, CSP, X-Frame-Options and friends do, and how to tell if yours are set right.

Security headers are the cheapest hardening you'll ever ship: a few lines of server config that tell the browser how to defend your users. Miss them and you leave the door open to clickjacking, protocol downgrades, and script injection. Here's what the important ones do.

HSTS — force HTTPS, always

Strict-Transport-Security tells the browser to only ever reach your site over HTTPS, even if a user types http:// or clicks an old link. That closes the downgrade window an attacker needs for a man-in-the-middle.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Set a long max-age, add includeSubDomains once you're sure every subdomain does HTTPS, and consider preload to be hardcoded into browsers.

CSP — the big one against injection

Content-Security-Policy is the strongest defence against cross-site scripting (XSS). It whitelists where scripts, styles, images, and frames may load from, so an injected <script> from an unapproved origin simply doesn't run.

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'

CSP is also the most involved to deploy — start in Content-Security-Policy-Report-Only mode, watch what it would block, then enforce. Avoid 'unsafe-inline' for scripts; it defeats much of the point.

X-Frame-Options / frame-ancestors — stop clickjacking

If an attacker can load your page in a hidden <iframe> over their own, they can trick users into clicking things they can't see. X-Frame-Options: DENY (or the modern frame-ancestors 'none' in CSP) prevents your pages from being framed by other sites.

The supporting cast

  • X-Content-Type-Options: nosniff — stops the browser from guessing (and mis-executing) content types.
  • Referrer-Policy: strict-origin-when-cross-origin — trims how much URL data leaks to other sites.
  • Permissions-Policy — disables features you don't use (camera, microphone, geolocation) so a compromise can't reach them.

Cookies count too

Headers protect the transport; cookie flags protect the session. Set Secure (HTTPS only), HttpOnly (hidden from JavaScript), and an appropriate SameSite value on session cookies — otherwise the headers above are guarding a door with the window open.

Grade what you're actually sending

Header config drifts: a CSP gets loosened for a quick fix, a new subdomain ships without HSTS, a reverse proxy strips a header nobody notices. Pyalm Guard checks your HTTP security headers, assigns each a letter grade, and reports missing or weak ones alongside your TLS configuration. Scan a site you own.

Assess your site with Pyalm Guard | Introducing Pyalm Guard | Subdomain takeover explained | SPF, DKIM & DMARC explained

Keep reading

More from Pyalm

Jul 7, 2026

Introducing Pyalm Guard: An Authorized Security Posture Assessment Tool

Point Pyalm Guard at a domain you own and it runs a full, non-destructive checkup — DNS, subdomains, email authentication, TLS, headers, ports, threat intelligence, and breach exposure — scored into one clear risk grade.

Jul 7, 2026

Subdomain Takeover: How Dangling DNS Records Get Hijacked — and How to Find Them

A subdomain takeover happens when a DNS record still points at a service you no longer own. Here's how dangling CNAMEs get hijacked, what an attacker can do with one, and how to detect and close them.

Jul 7, 2026

SPF, DKIM, and DMARC Explained: How to Stop Email Spoofing on Your Domain

SPF says who can send, DKIM proves nothing was tampered with, and DMARC ties them together and tells receivers what to do. Here's how the three work — and how to check yours are set up right.

Jul 10, 2026

Pyalm Books Is a Full Accounting, POS & Inventory Platform — Not Just E-Invoicing

UAE e-invoicing is why many businesses find Pyalm Books, but it's a fraction of what's inside. Here's the full picture: double-entry accounting, a built-in POS, inventory, purchases, banking, and projects.

Jul 10, 2026

Beyond Broadcasts: Tenreply's Shared Inbox, AI Support and WhatsApp CRM

Broadcasts get attention, but the day-to-day value of Tenreply is everything around them — a shared team inbox, an AI support agent, no-code flows, and a built-in CRM that turns chats into tracked leads.

Jul 10, 2026

More Than Courses: Assignments, Learner Q&A and a Job Board in Pyalm Learn

A course library is table stakes. Pyalm Learn adds the things that make learning stick and pay off — assignments and quizzes, in-context learner Q&A, analytics, and a built-in job board — all under your brand.

Check Your Security Posture in Minutes

Pyalm Guard runs an authorized, non-destructive checkup on a domain you own — DNS, subdomains, email auth, TLS, headers, ports, and threat intel — scored into one clear risk grade. No account, nothing stored on our servers.

Open Pyalm Guard About Pyalm Guard