Product Security Knowledge Base

Security Headers Examples

Use this page as a short landing point for deployable header snippets.

Included examples

NGINX baseline

add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

App route checklist

  • verify login, account, billing, and admin routes separately;
  • confirm CDN and origin emit the same expected headers;
  • validate cache policy on personalized responses;
  • confirm any route with credentialed CORS has exact-origin handling and explicit OPTIONS behavior.
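The checklist items can be turned into an offline check. The following is an added example, not code from this knowledge base: it validates one response's headers against the NGINX baseline above, flags a cacheable personalized response and wildcard credentialed CORS, and diffs what the CDN edge serves against the origin. The two sample responses are constructed for the example.

```python
# Tokens every response should carry, taken from the add_header lines above.
BASELINE = {
    "content-security-policy": ("default-src 'self'", "object-src 'none'",
                                "base-uri 'self'", "frame-ancestors 'none'"),
    "x-content-type-options": ("nosniff",),
    "referrer-policy": ("strict-origin-when-cross-origin",),
    "permissions-policy": ("camera=()", "microphone=()", "geolocation=()"),
    "strict-transport-security": ("max-age=31536000", "includesubdomains"),
}


def check_headers(headers: dict[str, str], personalized: bool = False) -> list[str]:
    """Return findings for one response; an empty list means it matches the baseline."""
    h = {k.lower(): v.lower() for k, v in headers.items()}  # names/values compared case-insensitively
    findings = []
    for name, tokens in BASELINE.items():
        if name not in h:
            findings.append(f"missing {name}")
            continue
        findings += [f"{name} lacks '{t}'" for t in tokens if t not in h[name]]
    # A personalized response must not be stored by a shared cache such as a CDN.
    if personalized and not any(d in h.get("cache-control", "") for d in ("no-store", "private")):
        findings.append("personalized response lacks cache-control no-store/private")
    # Credentialed CORS needs an exact origin echoed back; '*' or an absent header is a finding.
    if h.get("access-control-allow-credentials") == "true" and h.get("access-control-allow-origin", "*") == "*":
        findings.append("credentialed cors without exact-origin allow-origin")
    return findings


def edge_origin_drift(origin: dict[str, str], edge: dict[str, str]) -> list[str]:
    """Names of baseline headers the CDN edge serves differently from the origin."""
    o = {k.lower(): v for k, v in origin.items()}
    e = {k.lower(): v for k, v in edge.items()}
    return sorted(n for n in BASELINE if o.get(n) != e.get(n))


# Constructed sample responses: the origin is correct; the edge dropped HSTS and
# serves a cacheable, wildcard-CORS response for a personalized route.
ORIGIN = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
EDGE = {k: v for k, v in ORIGIN.items() if k != "Strict-Transport-Security"}
EDGE.update({"Cache-Control": "public, max-age=600",
             "Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Credentials": "true"})
```

Run `check_headers` once per route in the checklist (login, account, billing, admin) with `personalized=True` where the response varies per user, and `edge_origin_drift` on the same route fetched via the CDN and directly from origin.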

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.