# HeadersUse a small, high-impact header baseline and validate behavior after each deploy.

Security headers are a low-cost way to harden your site at the edge.

## Start with a safe baseline

Use these headers for all routes (example for Netlify):

```toml {title="netlify.toml"}
[[headers]]
  for = "/*"
  [headers.values]
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "SAMEORIGIN"
    Referrer-Policy = "strict-origin"
    Permissions-Policy = "geolocation=(self), microphone=(), camera=()"
```

## Add CSP separately and keep it strict

Treat CSP as its own policy and iterate carefully as scripts and integrations evolve.

- Start with `default-src 'self'`
- Add only required origins
- Prefer nonces/hashes over `unsafe-inline`

## Be intentional with cache headers

Apply long-lived caching to fingerprinted static assets, and shorter/revalidated caching to HTML.

## Validate after deployment

In browser dev tools and scanners, confirm:

- Headers are present on HTML and static assets
- HTTPS and HSTS are active
- No unexpected framing or MIME issues
- No CSP violations on critical pages

## Related

- [Content Security Policy](/advanced/security/content-security-policy/)
- [Caching](/advanced/performance/caching/)
- [Verification](/start-here/verification/)