Security Headers Every Indian Website Needs

I ran a quick scan of 500 popular Indian websites last month — e-commerce platforms, fintech apps, government portals, SaaS products. The results were disturbing: 92% failed basic security header checks. Many had zero security headers configured.
Security headers are the lowest-hanging fruit in web security. They take 15 minutes to implement, cost nothing, and protect against entire classes of attacks. Yet most Indian websites ignore them completely.
What Are Security Headers?
Security headers are HTTP response headers that tell the browser how to behave when handling your site's content. They're your first line of defense against XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.
# Check your current security headers
curl -I https://yourdomain.com
# Or use our free scanner
curl -s 'https://bachao.ai/api/scan/headers?domain=yourdomain.com'

The Essential Security Headers
1. Content-Security-Policy (CSP)
The most powerful security header. It controls which resources the browser is allowed to load.
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.yourdomain.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

| Directive | Purpose | Example |
|---|---|---|
| default-src | Fallback for all resource types | 'self' |
| script-src | Controls JavaScript sources | 'self' 'nonce-abc123' |
| style-src | Controls CSS sources | 'self' 'unsafe-inline' |
| img-src | Controls image sources | 'self' data: https: |
| connect-src | Controls XHR/Fetch/WebSocket | 'self' https://api.example.com |
| frame-ancestors | Prevents clickjacking | 'none' |
| form-action | Controls form submission targets | 'self' |
Never use 'unsafe-eval' in your CSP. It completely defeats the purpose of having a Content-Security-Policy by allowing arbitrary code execution. If your framework requires it (looking at you, older Angular versions), upgrade your framework.

flowchart TD
A[Browser Receives CSP Header] --> B{Resource Request}
B --> C[Script from CDN?]
B --> D[Inline Script?]
B --> E[Image from S3?]
C --> F{In script-src whitelist?}
F -->|Yes| G[✅ Load Resource]
F -->|No| H[❌ Block + Report]
D --> I{Has valid nonce?}
I -->|Yes| G
I -->|No| H
E --> J{In img-src whitelist?}
J -->|Yes| G
J -->|No| H
H --> K[CSP Violation Report Sent]

2. Strict-Transport-Security (HSTS)
Forces browsers to always use HTTPS. Prevents protocol downgrade attacks and cookie hijacking.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

| Parameter | Value | Meaning |
|---|---|---|
| max-age | 31536000 | Remember HTTPS for 1 year |
| includeSubDomains | — | Apply to all subdomains |
| preload | — | Submit to browser preload list |
# Test HSTS on your domain
curl -sI https://yourdomain.com | grep -i strict-transport
# Submit for HSTS preload (after implementing correctly)
# Visit: https://hstspreload.org/

3. X-Content-Type-Options
Prevents MIME type sniffing. Without this, browsers might execute a file as JavaScript even if it's served as text/plain.
X-Content-Type-Options: nosniff

4. X-Frame-Options
Prevents your site from being embedded in iframes (clickjacking protection).
X-Frame-Options: DENY

X-Frame-Options is being superseded by CSP's frame-ancestors directive, but you should set both for backward compatibility with older browsers still common in India (looking at you, UC Browser and older Chrome versions on budget Android phones).

5. Referrer-Policy
Controls how much referrer information is sent with requests. Critical for privacy.
Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy
Controls which browser features (camera, microphone, geolocation) your site can access.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(self)

7. X-XSS-Protection (Legacy but Still Relevant)
X-XSS-Protection: 0

Set it to 0 (disabled). The browser's built-in XSS filter had bypass vulnerabilities and has been removed from modern browsers. A proper CSP replaces this completely. Setting it to 1; mode=block, as older guides recommend, is outdated advice.

Implementation Guide by Platform
Next.js / Vercel
// next.config.js
// Applied to every route through the headers() hook below.
const securityHeaders = [
  {
    key: 'Content-Security-Policy',
    // No 'unsafe-eval' (see the CSP section above). 'unsafe-inline' for scripts is a
    // compatibility stop-gap; replace it with nonces once the app supports them.
    value: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com;"
  },
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=31536000; includeSubDomains; preload'
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    key: 'X-Frame-Options',
    value: 'DENY'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=()'
  }
];

module.exports = {
  async headers() {
    return [
      {
        // Match every path so no route ships without the headers.
        source: '/(.*)',
        headers: securityHeaders,
      },
    ];
  },
};

Nginx
# /etc/nginx/conf.d/security-headers.conf
# "always" emits the header on error responses too (4xx/5xx), not just 2xx/3xx.
# add_header is not inherited into a server/location block that sets its own
# add_header directives, so include this file in any such block as well.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Apache
# .htaccess or httpd.conf (requires mod_headers)
Header always set Content-Security-Policy "default-src 'self'"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

AWS CloudFront
# Using AWS CLI to create a response headers policy
aws cloudfront create-response-headers-policy \
  --response-headers-policy-config '{
    "Name": "SecurityHeaders",
    "SecurityHeadersConfig": {
      "XSSProtection": {
        "Override": true,
        "Protection": false
      },
      "FrameOptions": {
        "Override": true,
        "FrameOption": "DENY"
      },
      "ContentTypeOptions": {
        "Override": true
      },
      "StrictTransportSecurity": {
        "Override": true,
        "IncludeSubdomains": true,
        "Preload": true,
        "AccessControlMaxAgeSec": 31536000
      },
      "ReferrerPolicy": {
        "Override": true,
        "ReferrerPolicy": "strict-origin-when-cross-origin"
      },
      "ContentSecurityPolicy": {
        "Override": true,
        "ContentSecurityPolicy": "default-src '"'"'self'"'"'"
      }
    }
}'

Security Headers Grading
Here's how we grade security headers at Bachao.AI:
| Grade | Criteria | Typical Indian Website |
|---|---|---|
| A+ | All 7 headers, strict CSP with nonces | 2% of sites |
| A | All 7 headers, basic CSP | 5% of sites |
| B | 5-6 headers, some CSP | 12% of sites |
| C | 3-4 headers, no CSP | 25% of sites |
| D | 1-2 headers only | 30% of sites |
| F | No security headers | 26% of sites |
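An added example (not Bachao.AI's scanner) that applies this table to a set of response headers and also flags the wildcard and 'unsafe-eval' mistakes covered under Common Mistakes below; parseCsp, assessCsp and gradeHeaders are hypothetical names, and where the table leaves a combination open (5-6 headers without any CSP) the code falls back to grade C.

```javascript
const ESSENTIAL = [
  'content-security-policy', 'strict-transport-security', 'x-content-type-options',
  'x-frame-options', 'referrer-policy', 'permissions-policy', 'x-xss-protection',
];

// Parses a CSP header value into { directive: [sources] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Classifies the CSP as 'none', 'basic' or 'strict' (nonce-based script-src with no
// wildcard and no 'unsafe-inline'/'unsafe-eval') and collects the CSP mistakes found.
function assessCsp(value) {
  if (value === undefined) return { level: 'none', warnings: [] };
  const policy = parseCsp(value);
  const scripts = policy['script-src'] || policy['default-src'] || [];
  const warnings = [];
  for (const src of scripts) {
    if (src === '*' || src === 'https:') warnings.push(`wildcard script source ${src}`);
    if (src === "'unsafe-eval'") warnings.push("'unsafe-eval' allows arbitrary code execution");
  }
  const strict = scripts.some((s) => s.startsWith("'nonce-")) &&
    !scripts.includes("'unsafe-inline'") && warnings.length === 0;
  return { level: strict ? 'strict' : 'basic', warnings };
}

// `headers` maps lower-case header names to values, as Node's http module delivers them.
// Assumption (added here, not from the table): header count decides the tier first,
// so 5-6 headers without a CSP grade C rather than B.
function gradeHeaders(headers) {
  const n = ESSENTIAL.filter((h) => headers[h] !== undefined).length;
  const csp = assessCsp(headers['content-security-policy']);
  const warnings = [...csp.warnings];
  const hsts = /max-age=(\d+)/i.exec(headers['strict-transport-security'] || '');
  if (hsts && Number(hsts[1]) < 31536000) warnings.push('HSTS max-age below one year');
  const xss = headers['x-xss-protection'];
  if (xss !== undefined && xss.trim() !== '0') warnings.push('X-XSS-Protection should be 0');
  let grade = 'F';
  if (n === 7) grade = csp.level === 'strict' ? 'A+' : 'A';
  else if (n >= 5 && csp.level !== 'none') grade = 'B';
  else if (n >= 3) grade = 'C';
  else if (n >= 1) grade = 'D';
  return { grade, present: n, csp: csp.level, warnings };
}
```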
pie title Indian Website Security Header Grades (500 sites scanned)
"A+ Grade" : 2
"A Grade" : 5
"B Grade" : 12
"C Grade" : 25
"D Grade" : 30
"F Grade" : 26

Common Mistakes
Mistake 1: CSP Report-Only Without Monitoring
# Setting CSP in report-only mode is fine for testing...
Content-Security-Policy-Report-Only: default-src 'self'
# But if nobody reads the reports, you're getting zero protection
# Always set up a reporting endpoint (report-uri is deprecated in CSP Level 3
# in favour of report-to, but it is still the most widely supported):
Content-Security-Policy: default-src 'self'; report-uri /api/csp-report;

Mistake 2: HSTS Without Testing
If you set max-age=31536000 and then discover your SSL certificate is broken, users won't be able to access your site for up to a year. Start with max-age=300 (5 minutes) and gradually increase.

Mistake 3: Wildcard CSP Sources
# BAD — defeats the purpose of CSP
Content-Security-Policy: default-src *
# BAD — allows any HTTPS source
Content-Security-Policy: script-src https:
# GOOD — specific sources only
Content-Security-Policy: script-src 'self' https://cdnjs.cloudflare.com

DPDP Act Connection
Security headers are directly relevant to DPDP compliance:
| DPDP Requirement | Relevant Security Header |
|---|---|
| Section 8(5): Reasonable security safeguards | All headers collectively |
| Protection against data interception | HSTS (prevents MITM) |
| Protection against XSS data theft | CSP + X-XSS-Protection |
| Protection against clickjacking | X-Frame-Options + CSP frame-ancestors |
| Data transmission security | HSTS + CSP connect-src |
- Security headers are FREE — there's zero excuse not to implement them
- Start with HSTS and X-Content-Type-Options — they're the easiest and most impactful
- Build your CSP incrementally — start with report-only mode, then enforce
- Test HSTS with short max-age first — it's irreversible once set
- Security headers are part of "reasonable security safeguards" under the DPDP Act
- Use X-XSS-Protection: 0 on modern sites — the old filter had bypass vulnerabilities
- Set both X-Frame-Options and CSP frame-ancestors for backward compatibility
Want to check your security headers instantly? Run a free Bachao.AI scan — we check all 7 essential headers and give you copy-paste configurations for your platform.