5 Essential API Security Headers Every Developer Should Know
Source: Dev.to
Security Headers Are Your First Line of Defense
Security headers are your API’s first line of defense. As of February 2026, proper header configuration can block most common attacks before they reach your application logic.
Strict-Transport-Security (HSTS)
Tells browsers to use HTTPS only for your host on future requests, so a plain-HTTP request is never sent. Without it, an attacker on an insecure network can intercept or downgrade traffic.
// Express example
app.use((req, res, next) => {
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
next();
});
Best practice: Set max-age to at least 1 year (31536000 seconds).
Content-Security-Policy (CSP)
Controls which sources the browser may load resources from, and helps prevent XSS by blocking inline scripts (the policy below allows none).
res.setHeader('Content-Security-Policy',
"default-src 'self'; script-src 'self' https://trusted.cdn.com");
X-Content-Type-Options
Stops browsers from MIME-sniffing responses, so a file served with the wrong Content-Type is not guessed to be a script and executed.
res.setHeader('X-Content-Type-Options', 'nosniff');
X-Frame-Options
Protects against clickjacking by controlling iframe embedding.
res.setHeader('X-Frame-Options', 'DENY'); // or 'SAMEORIGIN'
CORS Headers
Controls which origins can access your API. Be specific: never use * in production.
res.setHeader('Access-Control-Allow-Origin', 'https://yourapp.com');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
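The five headers above can be set from one middleware. The example below is added here and is not code from the original post; it follows the Express (req, res, next) middleware contract but has no dependencies, so it can also be exercised against a minimal fake response, which is how the runMiddleware helper at the bottom uses it. It goes slightly beyond the snippets above in two ways: HSTS is emitted only on HTTPS connections (browsers ignore it over plain HTTP anyway), and the CORS origin is echoed back only when it appears on an allowlist, which supports more than one front-end without resorting to *. The ALLOWED_ORIGINS values and the options names are assumptions made for this example.

```javascript
// Added example (not from the original post): one Express-style middleware
// that sets the five security headers discussed above.
const ONE_YEAR = 31536000; // seconds, the recommended minimum HSTS max-age

// Constructed allowlist of browser origins allowed to call the API.
// Assumption: placeholders, replace with your real front-end origins.
const ALLOWED_ORIGINS = ['https://yourapp.com', 'https://admin.yourapp.com'];

function securityHeaders(options = {}) {
  const allowed = new Set(options.allowedOrigins || ALLOWED_ORIGINS);
  const frameOption = options.frameOption || 'DENY';       // or 'SAMEORIGIN'
  const scriptSources = options.scriptSources || ["'self'"];

  return function (req, res, next) {
    // HSTS is only honoured when received over HTTPS. req.secure is set by
    // Express; behind a TLS-terminating proxy use X-Forwarded-Proto instead
    // (only trust that header if your proxy strips client-supplied copies).
    const proto = (req.headers && req.headers['x-forwarded-proto']) || '';
    if (req.secure || proto === 'https') {
      res.setHeader('Strict-Transport-Security',
        `max-age=${ONE_YEAR}; includeSubDomains`);
    }

    // CSP: same-origin resources only, plus explicitly trusted script sources.
    res.setHeader('Content-Security-Policy',
      `default-src 'self'; script-src ${scriptSources.join(' ')}`);
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-Frame-Options', frameOption);

    // CORS: reflect the Origin header only if it is on the allowlist.
    // 'Vary: Origin' tells caches that the response differs per origin.
    const origin = req.headers && req.headers.origin;
    if (origin && allowed.has(origin)) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Vary', 'Origin');
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
    }
    // An origin not on the list gets no CORS headers at all, so the browser
    // refuses to expose the response to that page.
    next();
  };
}

// Minimal stand-in for an Express response (constructed for this example) so
// the middleware can be run without a server: returns the headers it set.
function runMiddleware(req, options) {
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  securityHeaders(options)(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// In a real app: app.use(securityHeaders({ allowedOrigins: ['https://yourapp.com'] }));
```

Note that req.secure is only set correctly behind a proxy when Express is configured with app.set('trust proxy', ...); otherwise every request looks like plain HTTP and the HSTS header is never sent.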
Using Helmet
Instead of setting headers manually, you can use the helmet package, which sets 11 security headers automatically, including all five above.
npm install helmet
import helmet from 'helmet';
app.use(helmet());
Verify Your Headers
Check your API with tools like securityheaders.com or via curl:
curl -I https://your-api.com
Look for the headers in the response. If they’re missing, add them today.
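Reading a curl -I dump by eye is error-prone, so here is a small checker, added as an example and not part of the original post, that parses the raw response headers and reports which of the five are missing or weak (HSTS max-age under one year, wildcard CORS origin). The SAMPLE_RESPONSE is constructed for illustration; paste your own curl output in its place.

```javascript
// Added example (not from the original post): audit `curl -I` output against
// the five header checks in this article.

// Constructed sample of what `curl -I` prints for a weakly configured API.
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  'content-type: application/json',
  'strict-transport-security: max-age=86400',
  'x-content-type-options: nosniff',
  'access-control-allow-origin: *',
  '',
].join('\r\n');

// Parse "Name: value" lines into a lower-cased map; the status line and
// blank lines have no colon and are skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Returns a list of findings; an empty list means all five checks passed.
function auditHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) {
      findings.push('Strict-Transport-Security max-age below one year');
    }
  }

  if (!h['content-security-policy']) findings.push('missing Content-Security-Policy');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('missing or weak X-Frame-Options');
  }

  if (h['access-control-allow-origin'] === '*') {
    findings.push('Access-Control-Allow-Origin is the wildcard *');
  }
  return findings;
}

// Usage: node audit.js  (prints the findings for the constructed sample)
if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditHeaders(SAMPLE_RESPONSE));
}
```

The wildcard check only flags a literal *; an API that reflects every Origin it receives is just as open, which is why the allowlist approach earlier in this article is the safer pattern.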