What Security Headers Actually Tell You
Security headers are HTTP response directives that change browser behaviour. They are one layer of a defense-in-depth strategy — useful, but not sufficient on their own.
The headers that matter most
Strict-Transport-Security (HSTS)
Tells the browser to use only HTTPS for this host for max-age seconds: http:// URLs are rewritten to https:// before the request leaves the browser, and certificate errors can no longer be clicked through.
Prevents downgrade attacks, but only after the first successful HTTPS visit, because the browser has to see the header before it can enforce it. The browser preload list is what closes that first-visit gap.
What a missing HSTS header does not mean: the site is insecure. It might
just not be eligible. Browsers only honour the header on a response received over HTTPS without certificate errors, and a site cannot safely commit to a long max-age until it is sure the host (and every subdomain, if includeSubDomains is set) will keep serving HTTPS.
Content-Security-Policy (CSP)
Tells the browser which origins scripts, styles, images and frames may be loaded from, and, through nonces or hashes, which inline scripts may run. A strict CSP is one of the best mitigations for XSS.
What a present CSP header does not mean: the site is safe. If the script sources include
unsafe-inline with no nonce or hash, injected inline script runs as before; unsafe-eval leaves eval-style sinks open; and a permissive
script-src * (or default-src * with no script-src) does block inline injection but lets an attacker load the payload from any host they control, so it is only slightly better than no CSP at all. A policy sent as Content-Security-Policy-Report-Only enforces nothing at all.
X-Frame-Options / frame-ancestors
Controls which origins may embed the page in a frame, the basic clickjacking defence. X-Frame-Options: DENY blocks all framing and SAMEORIGIN allows only the page's own origin, while frame-ancestors takes a full source list.
Modern sites should prefer the CSP frame-ancestors directive; X-Frame-Options
is the legacy fallback. When both are present, a browser that understands frame-ancestors uses it and ignores X-Frame-Options, so a strict X-Frame-Options next to a loose frame-ancestors is not the protection it looks like.
How to read a report
Ask three questions per header:
- Is it present?
- Is the value reasonable for this site's threat model?
- Does its presence contradict anything else you can see? (A site with HSTS but mixed-content warnings is telling you something.)
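The three questions applied to a captured header set, as an added example rather than code from the article: it parses Strict-Transport-Security and Content-Security-Policy, checks the CSP weaknesses described above (unsafe-inline without a nonce or hash, unsafe-eval, wildcard script sources, a missing frame-ancestors), and flags the contradictions a report should surface. The sample headers are constructed, and the one-year max-age threshold is an assumption taken from the preload list's requirement, not a rule stated in the article.

```python
# Added example, not code from the article: answer the three questions
# (present? reasonable? contradictory?) for a captured set of response
# headers. SAMPLE_HEADERS is constructed; ONE_YEAR is an assumed threshold.
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> dict:
    """Extract max-age (None if absent or non-numeric), includeSubDomains, preload."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            digits = d.split("=", 1)[1].strip().strip('"')
            if digits.isdigit():
                out["max_age"] = int(digits)
        elif d == "includesubdomains":
            out["include_subdomains"] = True
        elif d == "preload":
            out["preload"] = True
    return out


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sources that govern scripts: script-src, else default-src (CSP fallback), else None."""
    for directive in ("script-src", "default-src"):
        if directive in policy:
            return [s.lower() for s in policy[directive]]
    return None


def review_headers(headers: Dict[str, str], over_https: bool = True,
                   mixed_content: bool = False) -> Dict[str, List[str]]:
    """Return findings keyed by area; an empty list means nothing to ask about."""
    h = {k.lower(): v for k, v in headers.items()}
    f: Dict[str, List[str]] = {"hsts": [], "csp": [], "framing": []}

    # 1. HSTS: present, reasonable, and consistent with what the page does?
    hsts = h.get("strict-transport-security")
    if hsts is None:
        f["hsts"].append("absent: first visit over http:// is unprotected (site may simply be ineligible)")
    else:
        if not over_https:
            f["hsts"].append("sent over plain HTTP: browsers ignore it")
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            f["hsts"].append("invalid: no usable max-age, header is ignored")
        elif p["max_age"] < ONE_YEAR:
            f["hsts"].append(f"max-age={p['max_age']} is below the one-year preload minimum")
        if p["preload"] and not p["include_subdomains"]:
            f["hsts"].append("preload without includeSubDomains: the preload list will reject it")
        if mixed_content:
            f["hsts"].append("present, yet the page loads mixed content: the two contradict each other")

    # 2. CSP: present, and does it actually constrain script execution?
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        f["csp"].append("absent: no browser-side XSS mitigation")
    else:
        src = script_sources(policy)
        if src is None:
            f["csp"].append("no script-src or default-src: scripts are unrestricted")
        else:
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP2+).
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)
            if "'unsafe-inline'" in src and not nonce_or_hash:
                f["csp"].append("'unsafe-inline' for scripts with no nonce/hash: inline XSS is not blocked")
            if "'unsafe-eval'" in src:
                f["csp"].append("'unsafe-eval' for scripts: eval-style sinks stay exploitable")
            if any(s in ("*", "http:", "https:") for s in src):
                f["csp"].append("scripts may load from any origin: an attacker just hosts the payload")

    # 3. Framing: is there a defence, and do the two mechanisms agree?
    fa = policy.get("frame-ancestors")
    xfo = h.get("x-frame-options")
    if fa is None and xfo is None:
        f["framing"].append("neither frame-ancestors nor X-Frame-Options: any origin may frame the page")
    elif fa is None:
        f["framing"].append("only legacy X-Frame-Options: works, but prefer frame-ancestors")
    elif xfo is not None and xfo.strip().upper() == "DENY" and [s.lower() for s in fa] != ["'none'"]:
        f["framing"].append("X-Frame-Options DENY but frame-ancestors is looser; frame-ancestors wins where supported")
    return f


SAMPLE_HEADERS = {  # constructed sample, not a real site's response
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'; frame-ancestors 'self'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for area, notes in review_headers(SAMPLE_HEADERS).items():
        for note in notes:
            print(f"{area}: {note}")
```

The sample deliberately has every header present, which is exactly the case where a presence-only checker reports a clean bill: the script instead reports a short HSTS commitment, a script policy that blocks nothing an attacker cares about, and a framing contradiction. Feed it the headers from a real response (with over_https and mixed_content set from what you observed) and the output is the list of questions to ask next.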