PHP Intermediate 4 min read

Security Headers

HTTP security headers instruct browsers to enforce protections that the server cannot enforce on its own (HTTPS-only connections, no MIME sniffing, no framing, restricted script sources). Set them centrally, on every response including error pages and redirects, via web server configuration or a middleware layer, so that no individual page can forget them.

Example
```php
<?php
// Generate a fresh per-response nonce for the CSP (128 bits of CSPRNG output, base64-encoded)
$nonce = base64_encode(random_bytes(16));

// header() must be called before any output is sent
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Permissions-Policy: camera=(), microphone=(), geolocation=()");
// Only same-origin resources by default; inline scripts must carry this response's nonce
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-" . $nonce . "'");
// Test: securityheaders.com
```
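The following is an added example, not code from the page, showing one way to apply the "set them on every response" advice in PHP: a single function builds the complete header set, a per-response nonce is generated and returned so templates can tag their inline scripts, and the code refuses to continue if output has already started (at which point `header()` silently fails). The function names `security_headers` and `send_security_headers` and the CSP additions (`object-src`, `base-uri`, `frame-ancestors`) are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Build the full header set for one response. $nonce is this response's CSP nonce;
// $https says whether the request arrived over TLS (HSTS is ignored on plain HTTP).
function security_headers(string $nonce, bool $https = true): array
{
    $headers = [
        'X-Content-Type-Options' => 'nosniff',
        'X-Frame-Options'        => 'DENY',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=()',
        // Nonce-based CSP: only scripts carrying this nonce (or same-origin files) may run.
        // frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY.
        'Content-Security-Policy' =>
            "default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
            . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    ];

    // Browsers only honour HSTS received over HTTPS, so a local HTTP dev server
    // gets no HSTS header rather than one the browser will discard.
    if ($https) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    return $headers;
}

// Emit the headers for the current request and return the nonce for use in templates.
function send_security_headers(): string
{
    // Fresh nonce per response: 128 bits from the CSPRNG, base64 for the header value.
    $nonce = base64_encode(random_bytes(16));
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // header() is a no-op once output has begun; fail loudly instead of shipping
    // a response with no security headers.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at {$file}:{$line}; cannot set security headers");
    }

    foreach (security_headers($nonce, $https) as $name => $value) {
        header("{$name}: {$value}");
    }

    return $nonce;
}

// Usage: call before any output, then reuse the nonce on every inline script.
$nonce = send_security_headers();
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">console.log("allowed");</script>';
```

Because `security_headers()` returns a plain array, the same function can back a unit test that asserts every response type (HTML, JSON, error pages) carries the expected headers, instead of relying solely on an external scanner after deployment.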
Pro Tip

HSTS (Strict-Transport-Security) tells browsers to always use HTTPS, even if you accidentally link http. Browsers only honour it after receiving the header over an HTTPS response, so the very first plain-HTTP visit is not covered unless the domain is on the browser preload list.