Your Security Scanner Found 7 Missing Headers. Don't Fix Them Blindly.
Your security scanner just came back with 6 flagged items. All missing HTTP headers. You did what any reasonable developer does: Googled each one, copy-pasted the recommended config, and shipped a fix in 20 minutes. Job done. Security score green. PR merged. You also probably shipped at least two of them wrong. Here is the thing nobody tells you about HTTP security headers: knowing what to add is the easy part. Understanding why it matters, when it actually doesn't, and how a misconfigured one breaks your app in production — that's where most developers fall short. This isn't another "add these 7 headers to secure your app" post. This is the one that explains what's actually happening. First, The Contrarian Take Missing a security header is not automatically a vulnerability. If you do bug bounties, this will save you a rejection. If you're a dev, it'll save you from cargo-culting configs that don't apply to your app. Context is king. X-Frame-Options: DENY is a valid security header. YouTube doesn't use it. Because the entire point of YouTube is for people to embed its videos in iframes. Applying that header would break a core product feature. That's not a security oversight — it's a deliberate design decision. A missing Content-Security-Policy header is not a vulnerability in itself. It only becomes relevant if you already have an XSS problem to mitigate. CSP is defense-in-depth. Not a fix for a broken input sanitisation layer. This matters because a lot of developers (and worse, automated scanners) treat these headers like a binary checklist. Present = secure. Missing = vulnerable. Reality is messier than that. Now — with that said — let's talk about what each one actually does. #1. HTTP Strict Transport Security (HSTS) Most developers think HSTS is just "force HTTPS." It's more precise than that. When your app redirects http:// to https:// , that first request is still unencrypted. For a fraction of a second, on a public network, that window exists. An attacker on