Security Headers & Configs: Cheat Sheet
Essential Security Headers
| Header | Value | Purpose |
|---|---|---|
Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Force HTTPS |
Content-Security-Policy | (see below) | Control content sources |
X-Content-Type-Options | nosniff | Prevent MIME sniffing |
X-Frame-Options | DENY | Block clickjacking |
Referrer-Policy | strict-origin-when-cross-origin | Limit referrer leakage |
Permissions-Policy | camera=(), microphone=(), geolocation=() | Disable browser APIs |
Nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
server_tokens off;
Kubernetes Ingress (Nginx Controller)
metadata:
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
Helmet.js (Node/Express)
const helmet = require("helmet");
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"], scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:"], frameAncestors: ["'none'"],
},
},
hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
frameguard: { action: "deny" },
referrerPolicy: { policy: "strict-origin-when-cross-origin" },
}));
CSP Examples
# Strict self-only
default-src 'self';
# Allow Google Fonts + Analytics
default-src 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com; script-src 'self' www.googletagmanager.com;
# Report-only mode (monitor without blocking)
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report;
CORS (Nginx)
add_header Access-Control-Allow-Origin "https://app.example.com" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
add_header Access-Control-Max-Age 86400 always;
TLS Config (Nginx)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
Validate
curl -I https://example.com # Check response headers
curl -vI https://example.com 2>&1 | grep -E "SSL|TLS|subject|expire"
# Online: securityheaders.com | ssllabs.com/ssltest
Related Articles
Was this article helpful?
DevSecOps Lead
Security-first mindset in everything I ship. From zero-trust architectures to supply chain security, I make sure your pipeline doesn't become your weakest link.
Related Articles
Kubernetes Security Hardening for Production: The Complete Guide
Harden Kubernetes clusters for production with RBAC, network policies, pod security standards, secrets management, and admission controllers.
OPA Gatekeeper: Enforcing Kubernetes Admission Control Policies That Actually Stop Misconfigurations
Deploy OPA Gatekeeper to enforce Kubernetes admission policies — block privileged containers, enforce labels, and prevent misconfigurations.
Mozilla SOPS: Encrypted Secrets in Git for GitOps Workflows That Don't Leak
Use Mozilla SOPS to encrypt secrets in Git for secure GitOps workflows. Covers AGE, AWS KMS, and ArgoCD integration with real examples.
Kubernetes RBAC: A Practical Guide to Least-Privilege Access Control
Implement least-privilege RBAC in Kubernetes to prevent lateral movement and privilege escalation — with real threat models and pipeline-ready examples.
HashiCorp Vault and Kubernetes: Secrets Management That Actually Works
Integrate HashiCorp Vault with Kubernetes to eliminate static secrets from your cluster — with working manifests, threat models, and pipeline automation.
Automated Dependency Vulnerability Scanning in CI: Stop Shipping Known CVEs
Add automated dependency vulnerability scanning to your CI pipeline using Trivy and Grype. Catch known CVEs before they hit production.
More in Security
View all →SSL Certificate Verification Failed In Curl And Python Requests: Diagnosing And Fixing CERTIFICATE_VERIFY_FAILED Errors
SSL verification errors are one of those issues that bite you at the worst possible moment — usually in production, usually when you're on-call. Here's you...
AWS IAM Policy Conditions For Cross-Account Resource Access Without Over-Privileging
Cross-account resource access in AWS is like giving someone the keys to your house—you want them to get in, but only through the right door, at the right t...
Container Image Scanning with Trivy: Complete Setup Guide
Set up Trivy for container image vulnerability scanning — from local development to CI/CD pipeline integration with actionable remediation.
Container Supply Chain Security With Sigstore and Cosign
Sign and verify your container images with Sigstore Cosign to prevent supply chain attacks — with keyless signing, SBOM attestation, and Kubernetes admission enforcement.