| title | HTTP Security Headers |
|---|---|
| description | Automatic security headers including CSP, HSTS, and more |
| category | security |
Modern browsers expect specific security headers to protect your users. Charon automatically adds industry-standard headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options.
HTTP security headers instruct browsers how to handle your content securely. Without them, your site remains vulnerable to clickjacking, XSS attacks, protocol downgrades, and MIME-type confusion. Charon provides a visual interface for configuring these headers without memorizing complex syntax.
| Header | Purpose |
|---|---|
| HSTS | Forces HTTPS connections, prevents downgrade attacks |
| Content-Security-Policy | Controls resource loading, mitigates XSS |
| X-Frame-Options | Prevents clickjacking via iframe embedding |
| X-Content-Type-Options | Stops MIME-type sniffing attacks |
| Referrer-Policy | Controls referrer information leakage |
| Permissions-Policy | Restricts browser feature access (camera, mic, geolocation) |
| Cross-Origin-Opener-Policy | Isolates browsing context |
| Cross-Origin-Resource-Policy | Restricts which origins may load the resource |
- Browser Protection: Modern browsers actively check for security headers
- Compliance: Many security audits and standards require specific headers
- Defense in Depth: Headers add protection even if application code has vulnerabilities
- No Code Changes: Protect legacy applications without modifying source code
Charon offers three ready-to-use presets based on your security requirements:
Basic: Balanced security suitable for most production sites. Enables essential protections without breaking typical web functionality.
- HSTS enabled (1 year, includeSubdomains)
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
Strict: Enhanced security for applications handling sensitive data. May require CSP tuning for inline scripts.
- All Basic headers plus:
- Content-Security-Policy with restrictive defaults
- Permissions-Policy denying sensitive features
- X-Frame-Options: DENY
Paranoid: Maximum security for high-value targets. Expect to customize CSP directives for your specific application.
- All Strict headers plus:
- CSP with nonce-based script execution
- Cross-Origin policies fully restricted
- All permissions denied by default
To apply a preset to a host:
- Navigate to Hosts → Select your host → Security Headers
- Choose a preset from the dropdown
- Review the applied headers in the preview
- Click Save to apply
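After saving, it is worth confirming that the host really serves what the Basic preset promises by checking a captured response against the preset's listed values. This is an added example, not Charon's own code: the header names and values come from the Basic preset list above, Charon's internal verification and scoring formula are not described on this page, and the sample responses are constructed.

```python
# Added example, not Charon's code: the rules below are only the Basic
# preset's listed values (HSTS 1 year + includeSubDomains, X-Frame-Options,
# nosniff, Referrer-Policy), applied to a raw HTTP response header block.
import re

ONE_YEAR = 31536000  # seconds; the preset's "1 year" HSTS max-age


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP header block into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_ok(value: str) -> bool:
    """max-age must be at least one year and includeSubDomains must be present."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= ONE_YEAR and "includesubdomains" in value.lower()


# One predicate per Basic-preset header; stricter values from the higher presets also pass.
BASIC_RULES = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: v.lower() in (
        "strict-origin-when-cross-origin", "strict-origin", "no-referrer"),
}


def check_basic(raw: str) -> list:
    """Return the Basic-preset headers that are missing or carry a weak value."""
    headers = parse_headers(raw)
    return sorted(h for h, ok in BASIC_RULES.items()
                  if h not in headers or not ok(headers[h]))


# Constructed sample responses, not captured from a real host.
RESPONSE_OK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""
RESPONSE_WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
"""

if __name__ == "__main__":
    print(check_basic(RESPONSE_OK), check_basic(RESPONSE_WEAK))  # [] and all four flagged
```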
Create reusable header configurations:
- Go to Settings → Security Profiles
- Click Create Profile
- Name your profile (e.g., "API Servers", "Public Sites")
- Configure individual headers
- Save and apply to multiple hosts
The CSP Builder provides a visual interface for constructing Content-Security-Policy:
- Select directive (script-src, style-src, img-src, etc.)
- Add allowed sources ('self', specific domains, 'unsafe-inline')
- Preview the generated policy
- Test against your site before applying
Each host displays a security score from 0-100 based on enabled headers:
| Score Range | Rating | Description |
|---|---|---|
| 90-100 | Excellent | All recommended headers configured |
| 70-89 | Good | Core protections in place |
| 50-69 | Fair | Basic headers only |
| 0-49 | Poor | Missing critical headers |
| Scenario | Recommended Preset |
|---|---|
| Marketing sites, blogs | Basic |
| E-commerce, user accounts | Strict |
| Banking, healthcare, government | Paranoid |
| Internal tools | Basic or Strict |
| APIs (no browser UI) | Minimal or disabled |
- Proxy Headers - Backend communication headers
- Access Lists - IP-based access control