Technical · 7 min read · 27 April 2026

Content Security Policy and HSTS: The Two Headers That Protect Against the Most Attacks

CSP and HSTS together block the majority of injection attacks and protocol downgrade attacks. Here's how to implement both correctly without breaking your site.

Why These Two Headers Matter Most

Of all the HTTP security headers your website can set, Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) have the greatest impact on real-world attack prevention. CSP blocks the entire class of cross-site scripting (XSS) and data injection attacks. HSTS eliminates protocol downgrade attacks and SSL stripping.

Together, they address two of the OWASP Top 10 most critical web application security risks. Yet surveys consistently show that fewer than 30% of websites implement either header correctly.

HTTP Strict Transport Security (HSTS)

What It Does

HSTS instructs browsers to always connect to your site over HTTPS, even if the user types http:// or clicks an HTTP link. Once a browser has seen your HSTS header (browsers only honour it when it arrives over a valid HTTPS connection), it will refuse to make plain HTTP connections to your domain for the duration of the max-age value — no server-side redirect needed, no opportunity for an attacker to intercept.

The Attack It Prevents

Without HSTS, an attacker on the same network (coffee shop Wi-Fi, corporate proxy) can perform an SSL stripping attack: they intercept your HTTP-to-HTTPS redirect and serve the victim an HTTP version of your site, silently proxying all traffic. The victim sees no warning; the attacker sees everything.

Implementation

Nginx:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

Apache:

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```

Cloudflare: Enable in SSL/TLS > Edge Certificates > HTTP Strict Transport Security.

The Preload List

Adding the preload directive to your HSTS header and submitting your domain to hstspreload.org means browsers will enforce HTTPS for your domain even on the very first visit — before they have ever seen your header. This is the gold standard. Requirements: max-age of at least 31,536,000 seconds, includeSubDomains, and all subdomains must also be HTTPS.

Warning: Once preloaded, removal takes months. Only preload if you are certain all subdomains will remain on HTTPS permanently.

Content Security Policy (CSP)

What It Does

CSP is a browser-enforced allowlist that specifies which sources of content (scripts, styles, images, fonts, frames) are permitted to load on your pages. Any content from an unlisted source is blocked. This makes XSS attacks and data injection dramatically harder — even if an attacker manages to inject a script tag, the browser refuses to execute it.

Building Your CSP

Start in report-only mode to understand what your site loads without breaking anything (report-uri is deprecated in favour of report-to, but browsers still honour it, so it remains the simplest way to collect violation reports):

```http
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
```

Once you have mapped all legitimate sources, move to enforcement mode. A typical CSP for a site using Google Fonts, Google Analytics, and Stripe:

```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; frame-src https://js.stripe.com; connect-src 'self' https://www.google-analytics.com; report-uri /csp-report;
```

Common CSP Mistakes

Using 'unsafe-inline' in script-src defeats the purpose of CSP for XSS prevention: an injected inline script runs exactly as a legitimate one would. Instead, use nonces or hashes for inline scripts. 'unsafe-eval' allows dynamic code execution (eval, new Function) and should be avoided unless a third-party library absolutely requires it. Overly broad wildcards such as script-src * provide no protection at all.
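To turn the HSTS preload requirements and the CSP mistakes above into a repeatable check, here is a small audit script written for this article (it is not WebGuard's code). It parses the two header values the way a scanner would and reports the weaknesses described in the text; the sample header values at the bottom are constructed, not taken from a real site.

```python
PRELOAD_MIN_AGE = 31_536_000  # one year: the hstspreload.org minimum

def check_hsts(value):
    """Findings for a Strict-Transport-Security value; '' means the header is absent."""
    if not value:
        return ["HSTS missing: the first HTTP request can be stripped"]
    # Directives are case-insensitive; each one is name or name=value, separated by ';'.
    d = dict(p.strip().lower().partition("=")[::2] for p in value.split(";") if p.strip())
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
    findings = []
    if max_age < PRELOAD_MIN_AGE:
        findings.append("max-age missing, malformed or below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains stay strippable")
    if "preload" in d and findings:
        findings.append("preload requested but its requirements are not met")
    return findings

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}, lower-cased for comparison."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def check_csp(value):
    """Findings for the script policy of a Content-Security-Policy value."""
    if not value:
        return ["CSP missing"]
    policy = parse_csp(value)
    # Browsers fall back to default-src when script-src is absent; mirror that.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        return ["neither script-src nor default-src set: scripts load from anywhere"]
    findings = []
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
    # CSP Level 2+ ignores 'unsafe-inline' once a nonce or hash is present, so only the bare case is flagged.
    if "'unsafe-inline'" in script_src and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts will run")
    if "'unsafe-eval'" in script_src:
        findings.append("script-src allows 'unsafe-eval': dynamic code execution permitted")
    if {"*", "http:", "https:", "data:"} & set(script_src):
        findings.append("script-src contains * or a bare scheme: no real protection")
    return findings

# Constructed sample values of the kind a scanner finds on a weakly configured site.
SAMPLE_HSTS = "max-age=300; preload"
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *; report-uri /csp-report"
```

Feed it the values from a real response (for example `requests.get(url).headers`) to get the same three HSTS findings and two CSP findings the samples produce; the article's own enforcement policy passes clean.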

Checking Your Headers with WebGuard

WebGuard analyses both CSP and HSTS as part of its 100+ security checks. The report shows whether each header is present, the exact header value found, a score impact breakdown, and AI-generated fix instructions with the exact header value to add for your server.

Run a free scan at WebGuard to see your current header configuration and get a prioritised remediation plan.
