Security Headers Generator
Generate and analyze HTTP security headers for Nginx, Apache, Vercel, Netlify, and Cloudflare. Visual builder with presets and security scoring.
Strict-Transport-Security (HSTS)
X-Content-Type-Options
Always set to nosniff — no configuration needed.
X-Frame-Options
Referrer-Policy
Permissions-Policy
Camera
Microphone
Geolocation
Payment
USB
Gyroscope
Magnetometer
Accelerometer
Autoplay
Fullscreen
Content-Security-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
X-XSS-Protection
Set to 0 to disable the legacy XSS auditor (modern best practice). Use CSP instead.
X-DNS-Prefetch-Control
X-Permitted-Cross-Domain-Policies
Security Score
Grade C, 6 headers enabled, 68/100
ℹ X-Frame-Options: DENY — page cannot be embedded in any iframe
⚠ Content-Security-Policy not set — no protection against XSS and injection attacks. Use the CSP Header Builder for detailed configuration.
Output Format
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), gyroscope=(), magnetometer=(), accelerometer=(), autoplay=(), fullscreen=(self)
X-XSS-Protection: 0
6 headers, grade C, 347 bytes
Frequently Asked Questions
What HTTP security headers should every website have?
Every website should set these core security headers: Content-Security-Policy (CSP) to control which resources can load, preventing XSS attacks. Strict-Transport-Security (HSTS) to force HTTPS connections. X-Content-Type-Options set to nosniff to prevent MIME type sniffing. X-Frame-Options set to DENY or SAMEORIGIN to prevent clickjacking. Referrer-Policy to control what URL information is sent to other sites. Permissions-Policy to disable unused browser features like camera, microphone, and geolocation. These headers add defense-in-depth layers that protect users even if your application code has vulnerabilities. The generator produces correctly formatted header configurations for your specific web server or hosting platform.
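The baseline in this answer can be checked automatically against a server's response. The following is an added example, not code from the generator: it parses a raw response head and reports each core header that is missing or carries a weak value. The two sample responses are constructed, and the one-year HSTS minimum is this example's assumption (it matches the max-age the generator emits).

```python
import re

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

# Assumed threshold: one year, the value the generator itself emits.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str) -> dict:
    """Parse a raw response head (status line plus header lines) into a dict
    keyed by lower-cased header name; header names are case-insensitive."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> list:
    """Return one finding per missing or weak core header.
    An empty list means every baseline header is present with an acceptable value."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy: missing, nothing restricts which resources load")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing, HTTPS is not enforced")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security: max-age below {MIN_HSTS_MAX_AGE}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not 'nosniff', MIME sniffing possible")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: not DENY/SAMEORIGIN, page can be framed")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: missing, full URL may leak to other sites")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing, unused browser features stay enabled")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_headers(raw)) or ["no findings"])
```

The audit only checks presence and obviously weak values; a CSP that is present but permissive passes here and needs the directive-level review described in the next answer.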
How do I configure Content-Security-Policy headers?
Content-Security-Policy (CSP) is a whitelist of allowed content sources for your page. Define directives for each resource type: default-src as the fallback, script-src for JavaScript, style-src for CSS, img-src for images, connect-src for fetch/XHR, font-src for fonts, and frame-src for iframes. Start with a restrictive policy like default-src 'self' which only allows resources from your own domain. Add specific sources as needed: CDN domains for third-party scripts, 'unsafe-inline' for inline styles (avoid for scripts), and data: for base64-encoded resources. Use report-uri or report-to to receive violation reports during rollout. The generator builds the policy string from your selected directives.
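To make the directive structure concrete, here is an added example (not the generator's own builder) that serialises a directive map into a policy string, parses one back, and flags the mistakes this answer warns about: a missing default-src, 'unsafe-inline' reaching script-src, a wildcard source, and no reporting directive. The sample policy, its CDN host and the csp-endpoint group name are constructed assumptions.

```python
# Directive -> list of sources. Constructed policy for an assumed site that
# loads scripts from one CDN and reports violations to an assumed endpoint group
# (the group itself would be defined in a separate Reporting-Endpoints header).
EXAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "font-src": ["'self'"],
    "frame-src": ["'none'"],
    "report-to": ["csp-endpoint"],
}


def build_csp(directives: dict) -> str:
    """Serialise directives into a CSP header value: directives joined by '; ',
    each directive name followed by its space-separated sources."""
    parts = []
    for name, sources in directives.items():
        # Valueless directives such as upgrade-insecure-requests have no sources.
        parts.append(f"{name} {' '.join(sources)}" if sources else name)
    return "; ".join(parts)


def parse_csp(policy: str) -> dict:
    """Inverse of build_csp: split on ';' into directives, then on whitespace
    into name and sources. Directive names are case-insensitive."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(directives: dict) -> list:
    """Return warnings for the common weaknesses called out in the FAQ."""
    warnings = []
    if "default-src" not in directives:
        warnings.append("no default-src: resource types without their own directive are unrestricted")
    # script-src inherits from default-src when absent, so check the effective value.
    script_sources = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        warnings.append("'unsafe-inline' applies to scripts: inline script injection is not blocked")
    for name, sources in directives.items():
        if "*" in sources:
            warnings.append(f"{name} allows any origin via '*'")
    if "report-uri" not in directives and "report-to" not in directives:
        warnings.append("no report-uri/report-to: violations during rollout will go unnoticed")
    return warnings


if __name__ == "__main__":
    header_value = build_csp(EXAMPLE_POLICY)
    print("Content-Security-Policy:", header_value)
    print("warnings:", lint_csp(parse_csp(header_value)) or "none")
```

Run the lint over the parsed form of a policy copied from a live response, not only over the map you intended to deploy; the two drift apart surprisingly often once several config layers each add a directive.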
What is the difference between security header configs for Nginx and Vercel?
Nginx uses the add_header directive in server or location blocks within nginx.conf. Each header is a separate add_header line like add_header X-Frame-Options "DENY". Vercel uses a headers array in vercel.json where each entry specifies a source path pattern and an array of key-value header objects. Apache uses the Header set directive in .htaccess or httpd.conf. Cloudflare can set headers via Page Rules or _headers file. The actual header names and values are identical across all platforms. Only the configuration syntax differs. The generator outputs the exact configuration format for your chosen platform so you can copy it directly into your deployment configuration without manual syntax translation.
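The point that only the syntax differs is easy to show in code. The following is an added example, not the generator's implementation: one header map rendered as Nginx add_header lines, Apache Header set lines, a vercel.json headers array, and a _headers file of the kind Cloudflare Pages and Netlify read. The header values are the ones from the generator's sample output above; the "/(.*)" source pattern and the "/*" path are this example's assumed catch-all patterns.

```python
import json

# Header set taken from the generator's sample output above (Permissions-Policy omitted for brevity).
HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "0",
}


def _quote(value: str) -> str:
    """Double-quote a value for nginx.conf / httpd.conf, escaping embedded quotes."""
    return '"' + value.replace('"', '\\"') + '"'


def render_nginx(headers: dict) -> str:
    """One add_header line per header, for a server or location block.
    'always' makes nginx emit the header on error responses as well."""
    return "\n".join(f"add_header {name} {_quote(value)} always;" for name, value in headers.items())


def render_apache(headers: dict) -> str:
    """One Header set line per header, for .htaccess or httpd.conf (mod_headers)."""
    return "\n".join(f"Header set {name} {_quote(value)}" for name, value in headers.items())


def render_vercel(headers: dict, source: str = "/(.*)") -> str:
    """vercel.json fragment: a headers array whose entry matches a source path
    pattern and carries key/value objects. The source pattern is assumed."""
    doc = {
        "headers": [
            {"source": source, "headers": [{"key": k, "value": v} for k, v in headers.items()]}
        ]
    }
    return json.dumps(doc, indent=2)


def render_headers_file(headers: dict, path: str = "/*") -> str:
    """_headers file as read by Cloudflare Pages and Netlify: a path line followed
    by indented 'Name: value' lines. The path is assumed."""
    lines = [path] + [f"  {name}: {value}" for name, value in headers.items()]
    return "\n".join(lines)


RENDERERS = {
    "nginx": render_nginx,
    "apache": render_apache,
    "vercel": render_vercel,
    "cloudflare": render_headers_file,
    "netlify": render_headers_file,
}


def render(platform: str, headers: dict) -> str:
    """Dispatch by platform name; raises for an unknown platform rather than guessing."""
    try:
        return RENDERERS[platform](headers)
    except KeyError:
        raise ValueError(f"unknown platform {platform!r}; choose from {sorted(RENDERERS)}") from None


if __name__ == "__main__":
    for platform in ("nginx", "apache", "vercel", "cloudflare"):
        print(f"# {platform}\n{render(platform, HEADERS)}\n")
```

Whichever format you deploy, confirm the result with a request against the live site (as in the audit example earlier on this page) rather than trusting the config file: a header set in one location block or one path rule is easy to lose on routes the rule does not match.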