Security headers are HTTP response headers that protect against common web attacks like XSS, clickjacking, and man-in-the-middle attacks.
Modern browsers support several security headers that provide defense in depth against web attacks. Without these headers your application relies solely on code-level defenses, which may have gaps, leaving it exposed to the following. CSP restricts which scripts may execute and so limits the impact of XSS, X-Frame-Options prevents clickjacking, and HSTS makes browsers use HTTPS for every later request.
Cross-Site Scripting (XSS) attacks may succeed
Clickjacking attacks can trick users
Man-in-the-middle attacks on non-HTTPS connections
Browser feature abuse (camera, microphone access)
Reduced security audit scores
CSP mitigates XSS by restricting the origins from which scripts (and other resources) may be loaded and executed. Note the 'unsafe-inline' keyword in the example below: it keeps existing inline scripts working, but it also allows inline scripts, inline event handlers and javascript: URLs injected by an attacker, which is what most XSS payloads rely on. Treat it as a first step and replace it with nonces or hashes once inline scripts have been removed.

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',  // apply to every route
      headers: [{
        key: 'Content-Security-Policy',
        // 'unsafe-inline' keeps inline scripts working but weakens the XSS protection
        value: "default-src 'self'; script-src 'self' 'unsafe-inline'",
      }],
    }];
  },
};

Prevents your pages from being embedded in frames on other sites (clickjacking protection). DENY blocks all framing; SAMEORIGIN allows framing only by pages from the same origin. Browsers that support the CSP frame-ancestors directive give it precedence over X-Frame-Options when both are present, so set both for the widest coverage.
      {
        key: 'X-Frame-Options',
        value: 'DENY',  // or SAMEORIGIN if your own pages need to frame each other
      },

Tells browsers that have seen the header to use HTTPS for every request to the host for max-age seconds (here one year) and to refuse the connection on certificate errors instead of offering a click-through. The very first visit is not protected unless the domain is on the browser preload list, which requires a max-age of at least one year, includeSubDomains and a preload directive. includeSubDomains applies the policy to every subdomain, so make sure all of them serve HTTPS before enabling it, and send the header only on HTTPS responses, since browsers ignore it over plain HTTP.

      {
        key: 'Strict-Transport-Security',
        value: 'max-age=31536000; includeSubDomains',
      },
Include additional security headers for defense in depth. X-Content-Type-Options: nosniff stops browsers from guessing a response's content type, so a file served as text or an image cannot be reinterpreted as script or HTML. Referrer-Policy: strict-origin-when-cross-origin sends the full URL only with same-origin requests, just the origin to other sites, and nothing when going from HTTPS to HTTP, which keeps paths and query parameters out of third-party logs.

      {
        key: 'X-Content-Type-Options',
        value: 'nosniff',
      },
      {
        key: 'Referrer-Policy',
        value: 'strict-origin-when-cross-origin',
      },

VAS automatically scans for missing security headers and provides detailed remediation guidance.