headers the browser reads before it reads your html. most sites skip them.
Performance and security are not features you add with JavaScript.
They are defaults you set in the response headers.
The browser respects them before a single byte of your HTML is parsed.
These headers cost nothing to ship. Most CDNs let you set them in a flat config file.
A site without them is a site leaving free performance and security on the table.
Cache-Control (performance)
Cache-Control: public, max-age=31536000, immutable
Tells the browser and every cache in between how long a response may be reused without asking the server. For static assets whose filenames carry a content hash, one year (max-age=31536000) is correct, and adding immutable tells the browser not to revalidate even on a reload: the bytes behind that name can never change, because a new build produces a new name. This is the single highest-leverage HTTP optimization.
Your logo.png is fetched on every page load. With no max-age, or with Cache-Control: no-cache, the browser has to ask the server before it may reuse its copy. If the response carries a validator the answer is a 304 and you pay a round trip; if it does not, the browser downloads the same bytes again. Either way you are spending requests and bandwidth on content that has not changed.
ETag (performance)
ETag: "33a64df551425fcc55e"
full transfer on every request instead of 304
A fingerprint of the resource content. On a later request the browser sends the fingerprint it holds in an If-None-Match header; if it still matches, the server responds 304 Not Modified with no body, just a status code and headers, and the browser uses its cached copy.
No ETag means no conditional GET. Full content transferred every time, even when nothing changed. Your server is shipping identical bytes across the wire while users wait.
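The two cache decisions above, as one worked example that is not from the original page: pick a Cache-Control policy by whether the filename is content-hashed, derive a strong ETag from the bytes, and answer a conditional GET with a bodiless 304 when If-None-Match matches. The hashed-filename pattern, the `respond` helper and the constructed sample bytes are my assumptions for illustration; the If-None-Match comparison follows RFC 9110 (weak comparison, `*` matches anything).

```python
import hashlib
import re

# Filenames like app.3f9a1c2b.js carry a content hash (assumed naming scheme):
# the bytes behind such a name never change, so a year plus immutable is safe.
HASHED_NAME = re.compile(r"\.[0-9a-f]{8,}\.(?:js|css|png|woff2)$")
ONE_YEAR = 31536000


def strong_etag(body: bytes) -> str:
    """Strong validator computed from the bytes themselves, quoted per RFC 9110."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def cache_control_for(path: str) -> str:
    """Long-lived, immutable for hashed assets; revalidate-every-time otherwise."""
    if HASHED_NAME.search(path):
        return f"public, max-age={ONE_YEAR}, immutable"
    # HTML and un-hashed assets: keep a copy, but check the ETag before reusing it.
    return "no-cache"


def etag_matches(if_none_match: str, etag: str) -> bool:
    """RFC 9110 If-None-Match: '*' matches any representation; comparison is weak,
    so a W/ prefix on either side is ignored."""
    if if_none_match.strip() == "*":
        return True
    wanted = etag.removeprefix("W/")
    return any(c.strip().removeprefix("W/") == wanted for c in if_none_match.split(","))


def respond(path: str, body: bytes, request_headers: dict) -> tuple[int, dict, bytes]:
    """Build (status, headers, body) for a GET, honouring If-None-Match.
    A matching validator yields 304 with headers only and nothing on the wire."""
    etag = strong_etag(body)
    headers = {"ETag": etag, "Cache-Control": cache_control_for(path)}
    inm = request_headers.get("If-None-Match")
    if inm is not None and etag_matches(inm, etag):
        return 304, headers, b""
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    logo = b"\x89PNG constructed sample bytes"          # constructed, not a real PNG
    status, hdrs, _ = respond("/logo.png", logo, {})
    print(status, hdrs)                                  # 200, ETag + no-cache
    print(respond("/logo.png", logo, {"If-None-Match": hdrs["ETag"]})[0])  # 304
    print(cache_control_for("/assets/app.3f9a1c2b.js"))  # one year, immutable
```

The un-hashed logo.png from the paragraph above still costs a request per page load here, but a matching ETag turns it into a round trip with no body; renaming it to a hashed filename removes the request entirely.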
Content-Security-Policy (security)
Restricts where scripts, styles, images and other resources may load from, and whether inline script may run at all. A strict CSP (a nonce- or hash-based script-src, no 'unsafe-inline', object-src 'none', base-uri set) turns injected markup into a no-op: even if an attacker gets a script tag into the page, the browser refuses to execute it. It does not remove the injection bug; it removes the payoff.
Injected scripts run. Third-party scripts you loaded three years ago (and forgot about) can exfiltrate your users' data. CSP is the belt-and-suspenders layer that makes other security mistakes survivable. Roll it out as Content-Security-Policy-Report-Only first: a policy that is too strict breaks your own site in exactly the way it breaks the attacker's.
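What "strict" means in practice, as an added example rather than the page's own policy: a small parser for CSP headers, a check that flags the directives that let injected script run anyway, and a builder for a nonce-based policy that passes the check. The finding texts, the `strict_csp` directive set and the lax sample policy are my constructions; the rule that a nonce or hash in script-src makes browsers ignore 'unsafe-inline' is CSP Level 2 behaviour.

```python
import secrets


def parse_csp(header: str) -> dict[str, list[str]]:
    """'script-src a b; object-src c' -> {'script-src': ['a', 'b'], 'object-src': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(header: str) -> list[str]:
    """Flag the common reasons a CSP fails to stop an injected <script>."""
    p = parse_csp(header)
    findings = []
    script = p.get("script-src") or p.get("default-src")
    if not script:
        return ["no script-src or default-src: scripts may load from anywhere"]
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    # With a nonce or hash present, browsers ignore 'unsafe-inline' (kept only for
    # CSP1-era browsers); without one it allows every inline script, injected or not.
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': an injected <script> block runs")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': injected strings reach eval/Function")
    if any(s in ("*", "https:", "http:", "data:") for s in script):
        findings.append("script-src has a wildcard scheme or host: attacker-hosted script loads")
    if (p.get("object-src") or p.get("default-src")) != ["'none'"]:
        findings.append("object-src not 'none': plugin content can execute script")
    if "base-uri" not in p:
        findings.append("base-uri unset: an injected <base> rewrites relative script URLs")
    return findings


def new_nonce() -> str:
    """Fresh per-response nonce; it must be unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def strict_csp(nonce: str) -> str:
    """Nonce-based strict policy (my directive set, not the page's): only <script>
    tags carrying this response's nonce run, and 'strict-dynamic' lets scripts they
    load at runtime inherit that trust instead of needing a host allowlist."""
    return "; ".join([
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
        "default-src 'self'",
        "frame-ancestors 'none'",
    ])


if __name__ == "__main__":
    lax = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"  # constructed
    for f in csp_findings(lax):
        print("lax:", f)
    print("strict:", csp_findings(strict_csp(new_nonce())))
```

The nonce has to change on every response and be emitted into each legitimate `<script nonce="...">` tag, which is why a strict CSP is usually set by the app server rather than a static `_headers` file; a static site with no inline scripts can use `script-src 'self'` instead.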
Strict-Transport-Security (security)
Strict-Transport-Security: max-age=31536000; includeSubDomains
Tells the browser that this host is HTTPS-only for max-age seconds. If a user types http://, or follows an http:// link, the browser rewrites it to https:// before the request leaves the machine. After the first HTTPS visit the browser makes no plaintext request to this domain for as long as the policy lasts, and includeSubDomains extends that to every subdomain.
A man-in-the-middle can intercept the initial HTTP request before the 301 redirect to HTTPS fires. One coffee shop, one unencrypted moment. HSTS closes that window for every visit after the first. The very first visit stays exposed unless the domain is on the browsers' HSTS preload list, which requires the preload directive, includeSubDomains and a max-age of at least one year; the header alone cannot protect a browser that has never seen it.
X-Content-Type-Options (security)
X-Content-Type-Options: nosniff
MIME-type confusion attacks
Prevents browsers from MIME-sniffing responses. A script tag whose response is not served with a JavaScript MIME type is blocked rather than executed, and a stylesheet is applied only if it arrives as text/css. What you declared is what the browser believes, even when an attacker controls part of the body.
A user-uploaded file that starts with valid JavaScript could be sniffed and executed as a script in older browsers, turning your upload endpoint into a script host. nosniff stops this cold. It is one header, one value, zero cost. The one thing it needs from you is a correct Content-Type: with nosniff on, a script you accidentally serve as text/plain or application/octet-stream is refused too, so check your own assets after enabling it.
Referrer-Policy (privacy)
Referrer-Policy: strict-origin-when-cross-origin
your URL paths leak to every third party
Controls how much of the referring URL is sent in the Referer header when navigating or loading resources. strict-origin-when-cross-origin sends the full URL (minus fragment) to your own origin, only the scheme and host to any other origin, and nothing at all when going from HTTPS to HTTP.
Under the old browser default, no-referrer-when-downgrade, every analytics pixel, CDN request and third-party font received the full URL of the page the user was on. For many sites this leaks user intent. A search query in a URL, a product ID, a session path: all visible to every external resource. Current browsers default to strict-origin-when-cross-origin, but setting it explicitly means the behaviour no longer depends on the user's browser, and it is the baseline to tighten from (same-origin or no-referrer) if your paths are sensitive.
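The Referer computation itself, as an added example that is not part of the original page: given a policy name, the page's URL and the URL being requested, return what the browser would put in the Referer header (or None for nothing). The URLs are constructed samples; the per-policy rules follow the W3C Referrer Policy spec, including the rule that an origin-only referrer is serialized with a trailing slash and that the fragment is never sent.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_POLICY = "strict-origin-when-cross-origin"   # current browser default


def _origin_referrer(url: str) -> str:
    """Origin-only form: scheme://host[:port]/ with a trailing slash."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}/"


def _full_referrer(url: str) -> str:
    """Full form: path and query survive; fragment and userinfo are stripped."""
    u = urlsplit(url)
    netloc = u.hostname or ""
    if u.port:
        netloc += f":{u.port}"
    return urlunsplit((u.scheme, netloc, u.path, u.query, ""))


def referer_for(policy, source: str, destination: str):
    """Value of the Referer header for a request from `source` to `destination`,
    or None when the policy sends no referrer. An empty/None policy means default."""
    policy = policy or DEFAULT_POLICY
    src, dst = urlsplit(source), urlsplit(destination)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full, origin = _full_referrer(source), _origin_referrer(source)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":          # the old default: leaks paths
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    page = "https://shop.example/search?q=retinol+cream#top"     # constructed
    pixel = "https://pixel.tracker.example/p.gif"                 # constructed
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:34} -> {referer_for(pol, page, pixel)}")
```

Run it and the difference the paragraph describes is visible in one line: the old default hands the tracker the search query, the recommended value hands it only `https://shop.example/`.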
Permissions-Policy (security)
Permissions-Policy: camera=(), microphone=(), geolocation=()
Restricts which browser features the page and the iframes it embeds can use. An empty allowlist, as in camera=(), blocks the feature for the page and every frame inside it; camera=(self) would allow only your own origin. If your marketing site does not need the camera, say so.
A compromised third-party script can request camera access. Your users see a browser prompt asking permission for a site that has no reason to need it. You did not authorize this. You just did not forbid it.
Vary (performance)
Vary: Accept-Encoding
CDN serves wrong cached variant
Tells caches which request headers affect the response. A server that compresses responses differently based on Accept-Encoding must set Vary: Accept-Encoding, or the CDN may cache the gzipped version and serve it to clients that don't support gzip.
The CDN caches the first response it gets. Every later request for that URL receives the cached version regardless of what the client said it accepts. Either a client that never asked for gzip is handed gzipped bytes it cannot decode, or you give up and never compress at all. Vary: Accept-Encoding keys the cache on that request header, so each encoding is stored as its own variant. Keep the list short: a Vary on Cookie or User-Agent splits the cache into so many variants that almost nothing is ever a hit.
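The failure mode above in runnable form, as an added example that is not code from the page: a minimal shared cache keyed the way a CDN keys it (URL plus the request-header values named by the response's Vary header), an origin that gzips only when asked, and the same two clients run once without Vary and once with it. The cache, origin, client headers and sample body are all constructed for the demonstration; header names are treated case-insensitively by lowercasing them.

```python
import gzip


class SharedCache:
    """What a CDN node does: one stored response per (URL, values of the headers
    that the response's Vary field names). No Vary means one entry for everyone."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def _vary_fields(response):
        vary = response["headers"].get("vary", "")
        return [f.strip().lower() for f in vary.split(",") if f.strip()]

    def get(self, url, request_headers):
        for (stored_url, fields), response in self.store.items():
            # A stored variant fits only if every Vary'd request header matches.
            if stored_url == url and all(request_headers.get(f, "") == v for f, v in fields):
                return response
        return None

    def put(self, url, request_headers, response):
        fields = tuple((f, request_headers.get(f, "")) for f in self._vary_fields(response))
        self.store[(url, fields)] = response


def origin_server(request_headers, send_vary):
    """Origin that compresses when the client advertises gzip. `send_vary` toggles
    the Vary: Accept-Encoding header so both behaviours can be compared."""
    body = b"<html>" + b"x" * 500 + b"</html>"           # constructed sample page
    headers = {"content-type": "text/html"}
    if send_vary:
        headers["vary"] = "Accept-Encoding"
    if "gzip" in request_headers.get("accept-encoding", ""):
        return {"headers": {**headers, "content-encoding": "gzip"}, "body": gzip.compress(body)}
    return {"headers": headers, "body": body}


def fetch(cache, url, request_headers, send_vary):
    """Client -> cache -> origin. Returns (response, served_from_cache)."""
    hit = cache.get(url, request_headers)
    if hit is not None:
        return hit, True
    response = origin_server(request_headers, send_vary)
    cache.put(url, request_headers, response)
    return response, False


def client_can_decode(request_headers, response):
    encoding = response["headers"].get("content-encoding")
    return encoding is None or encoding in request_headers.get("accept-encoding", "")


def scenario(send_vary):
    """A modern client primes the cache; a legacy client with no Accept-Encoding
    follows. Returns (legacy got a cache hit, legacy can decode what it got)."""
    cache = SharedCache()
    url = "https://example.test/"
    modern = {"accept-encoding": "gzip, br"}
    legacy = {}
    fetch(cache, url, modern, send_vary)
    response, hit = fetch(cache, url, legacy, send_vary)
    return hit, client_can_decode(legacy, response)


if __name__ == "__main__":
    print("without Vary:", scenario(send_vary=False))   # hit, but undecodable gzip
    print("with Vary:   ", scenario(send_vary=True))    # miss, then a correct variant
```

Without Vary the legacy client gets a cache hit that is useless to it; with Vary it misses once, the origin serves an uncompressed copy, and from then on both variants live side by side under the same URL.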
A _headers file is a document. Documents are free.
This page sets all eight of these headers.
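One way to ship these from a static host, as an added example and not the page's own `_headers` file: the `_headers` format used by Cloudflare Pages and Netlify is a path pattern followed by indented `Name: value` lines. The paths and the exact policy values below are my choices for a static site with no inline scripts; I assume the platform computes ETag per file itself (so it is not a line here), accepts `#` comments, and lets the more specific `/assets/*` rule override the Cache-Control set under `/*`. Check your platform's documentation for all three before relying on them.

```text
# _headers (Cloudflare Pages / Netlify format); values are example choices
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Vary: Accept-Encoding
  Cache-Control: no-cache

# content-hashed build output: never re-requested, a new build gets a new name
/assets/*
  Cache-Control: public, max-age=31536000, immutable
```

Deploy it, then run the curl check from this page against a hashed asset and against the HTML document and confirm the two Cache-Control values differ; if they do not, the override assumption above is wrong for your platform and the asset rule needs its own explicit path list.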
Check with curl -I https://agentspace.pages.dev/void/http.
The headers are doing the work before you finished reading that sentence.