How do I generate HTTP security headers?
Toggle 12 security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more) using visual controls. Choose a preset (Strict, Moderate, Basic, API, Next.js, WordPress) and export as raw headers, Nginx, Apache, Vercel, Netlify, or Cloudflare config. See a security grade (A+ to F). Everything runs in your browser.
Preset: Strict Output: Nginx
# Security Headers — Strict
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()";
Security Score: A+
Security Headers Generator
Generate and analyze HTTP security headers for Nginx, Apache, Vercel, Netlify, and Cloudflare. Visual builder with presets and security scoring.
Strict-Transport-Security (HSTS)
X-Content-Type-Options
Always set to nosniff — no configuration needed.
X-Frame-Options
Referrer-Policy
Permissions-Policy
Content-Security-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
X-XSS-Protection
Set to 0 to disable the legacy XSS auditor (modern best practice). Use CSP instead.
X-DNS-Prefetch-Control
X-Permitted-Cross-Domain-Policies
Security Score
Output Format
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), gyroscope=(), magnetometer=(), accelerometer=(), autoplay=(), fullscreen=(self)
X-XSS-Protection: 0
Tips & Best Practices
Start with Strict-Transport-Security and Content-Type-Options
HSTS (Strict-Transport-Security: max-age=63072000; includeSubDomains) forces HTTPS and prevents SSL stripping attacks. X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing responses as executable scripts. These two headers are the highest impact and lowest risk to add.
Don't set HSTS includeSubDomains if you have HTTP-only subdomains
HSTS with includeSubDomains forces HTTPS on every subdomain. If staging.example.com or internal.example.com uses plain HTTP, those sites become unreachable. Start with the main domain only, verify all subdomains support HTTPS, then add includeSubDomains.
Test your headers with SecurityHeaders.com before deploying
Configure your headers in DevBolt's generator, deploy them to staging, then scan with securityheaders.com to verify they're applied correctly. Many headers are silently ignored if the syntax is wrong. A B+ grade or higher indicates solid security posture.
Permissions-Policy replaces the deprecated Feature-Policy
Permissions-Policy: camera=(), microphone=(), geolocation=() blocks your site (and embedded iframes) from accessing sensitive device APIs. Even if your app doesn't use these features, blocking them prevents any injected third-party script from silently activating the camera or microphone.
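The checks in the tips above, written out as a small offline Python script. This is an added example and not DevBolt's code: it parses a raw header block like the one the generator exports, flags values whose syntax a browser would silently ignore, verifies that the Permissions-Policy features named above are closed, and lists the subdomains that an includeSubDomains directive would cut off. The two sample header blocks, the REFERRER_OK set and the subdomain inventory are constructed for the demonstration; the one-year HSTS floor is the threshold most scanners apply, not a value from this page.

```python
# Added example, not DevBolt's code: check a raw header block against the tips above.
# The sample header blocks, REFERRER_OK and the subdomain inventory are constructed.
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (header, status, message); status is ok, warn or fail
HSTS_MIN_AGE = 31536000         # one year, the floor most header scanners expect
REFERRER_OK = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

# A block as a generator exports it ...
GOOD_HEADERS = """\
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
X-XSS-Protection: 0
"""
# ... and one with the kind of typos that make a browser silently ignore a header.
BROKEN_HEADERS = """\
Strict-Transport-Security: max_age=63072000; includeSubDomains
X-Content-Type-Options: no-sniff
X-Frame-Options: DENY
Permissions-Policy: camera=(), microphone=(self)
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Split 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers

def check_hsts(value: str) -> Finding:
    """HSTS is only honoured with a numeric max-age; anything else is discarded."""
    m = re.search(r"(?:^|;)\s*max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return ("Strict-Transport-Security", "fail", "no valid max-age; browsers ignore the header")
    if int(m.group(1)) < HSTS_MIN_AGE:
        return ("Strict-Transport-Security", "warn", f"max-age {m.group(1)} is below one year")
    return ("Strict-Transport-Security", "ok", value)

def check_permissions_policy(value: str, must_block=("camera", "microphone", "geolocation")) -> Finding:
    """Every feature in must_block needs an empty allowlist, i.e. feature=()."""
    allow = {f.lower(): a.strip() for f, a in re.findall(r"([\w-]+)\s*=\s*\(([^)]*)\)", value)}
    still_open = [f for f in must_block if allow.get(f) != ""]
    if still_open:
        return ("Permissions-Policy", "warn", "not blocked: " + ", ".join(still_open))
    return ("Permissions-Policy", "ok", value)

def check_headers(raw: str) -> List[Finding]:
    """Run every check; a missing header fails, and so does a malformed one."""
    h = parse_headers(raw)
    findings: List[Finding] = []

    def present(name: str):  # record a missing header, otherwise hand back its value
        got = h.get(name.lower())
        if got is None:
            findings.append((name, "fail", "missing"))
        return got

    # Exact-value headers: a misspelled value is as good as no header at all.
    for name, expected in (("X-Content-Type-Options", "nosniff"), ("X-XSS-Protection", "0")):
        got = present(name)
        if got is not None:
            ok = got.lower() == expected
            findings.append((name, "ok" if ok else "fail", got if ok else f"{got!r} is not {expected!r}"))
    got = present("X-Frame-Options")
    if got is not None:
        findings.append(("X-Frame-Options", "ok" if got.upper() in ("DENY", "SAMEORIGIN") else "fail", got))
    got = present("Referrer-Policy")
    if got is not None:
        findings.append(("Referrer-Policy", "ok" if got.lower() in REFERRER_OK else "warn", got))
    for name, check in (("Strict-Transport-Security", check_hsts), ("Permissions-Policy", check_permissions_policy)):
        got = present(name)
        if got is not None:
            findings.append(check(got))
    return findings

def hsts_subdomain_risk(hsts_value: str, subdomains: Dict[str, bool]) -> List[str]:
    """Hosts that become unreachable once includeSubDomains is sent; the map gives
    hostname -> True if that host already serves HTTPS (constructed inventory)."""
    if "includesubdomains" not in hsts_value.lower():
        return []
    return sorted(host for host, https in subdomains.items() if not https)

if __name__ == "__main__":
    for label, block in (("good", GOOD_HEADERS), ("broken", BROKEN_HEADERS)):
        print(f"--- {label} ---")
        for header, status, message in check_headers(block):
            print(f"{status:4} {header}: {message}")
    print("would break:", hsts_subdomain_risk("max-age=1; includeSubDomains",
                                              {"www.example.com": True, "staging.example.com": False}))
```

Run it against headers captured from a staging deployment rather than the generator's export alone: when the export is Nginx, `add_header` lines without `always` (as on the Referrer-Policy and Permissions-Policy lines in the sample output above) are only emitted on 2xx and 3xx responses, so capturing an error page as well shows whether those headers are really present everywhere.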
Frequently Asked Questions
What HTTP security headers should every website have?
How do I configure Content-Security-Policy headers?
What is the difference between security header configs for Nginx, Apache, and Vercel?