Security Headers: CSP, HSTS, and Friends
The HTTP response headers that harden a website — Content-Security-Policy, HSTS, and the rest — explained by the exact attack each one stops.
- Headers Are a Fence, Not a Lock: Security headers are instructions you send the browser, telling it to enforce extra rules on your behalf — cheap, high-leverage defense that adds layers around code you can't make perfect.
- The Everyday Hardening Set: The headers you set on nearly every site — HSTS, X-Content-Type-Options, frame defenses, Referrer-Policy, and the cookie flags — each explained by the exact attack it stops.
- Rolling Out CSP Without Breaking the Site: Content-Security-Policy limits where scripts and resources may load from, blunting XSS — here's how to deploy it in report-only mode first, read the violations, and tighten without taking your own site down.