How to Audit Your Security Headers
Not sure if your site has the right security headers? This guide walks you through checking your current headers, identifying gaps, and fixing common issues across Nginx, Apache, Vercel, Netlify, and Cloudflare.
Security Headers Generator
Generate and analyze HTTP security headers for Nginx, Apache, Vercel, Netlify, and Cloudflare. Visual builder with presets and security scoring.
The generator covers the following headers:
- Strict-Transport-Security (HSTS)
- X-Content-Type-Options: always set to nosniff; no configuration needed.
- X-Frame-Options
- Referrer-Policy
- Permissions-Policy
- Content-Security-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Resource-Policy
- X-XSS-Protection: set to 0 to disable the legacy XSS auditor (modern best practice). Use CSP instead.
- X-DNS-Prefetch-Control
- X-Permitted-Cross-Domain-Policies

Output Format
The generator emits one header per line, for example:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), gyroscope=(), magnetometer=(), accelerometer=(), autoplay=(), fullscreen=(self)
X-XSS-Protection: 0
Checking headers with browser DevTools
Open Chrome DevTools (F12) → Network tab → click any request → Headers tab → scroll to Response Headers. Look for Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. Missing headers mean the browser uses permissive defaults, leaving your site exposed.
Common issues and fixes
- Missing HSTS: add the Strict-Transport-Security header after confirming HTTPS works on all pages and subdomains.
- Missing X-Content-Type-Options: always add nosniff; it has no side effects.
- X-Frame-Options ALLOW-FROM: deprecated in most browsers; use CSP frame-ancestors instead.
- X-XSS-Protection: 1: deprecated and can introduce vulnerabilities; set it to 0 and use CSP.
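The DevTools check above and the list of common issues can be turned into a repeatable audit. The script below is an added example, not part of the generator tool: it parses a raw response header block (two constructed samples are embedded, one weak and one matching the generator's default output) and reports the gaps this guide describes, including the ALLOW-FROM and X-XSS-Protection: 1 cases. The one-year HSTS threshold and the finding messages are this example's own choices.

```python
"""Audit a raw HTTP response header block for the gaps this guide describes.

Added example: a small offline checker, not part of the generator tool.
"""
from __future__ import annotations

import re

# Constructed sample: a weak response as it might appear in DevTools or `curl -I`.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOW-FROM https://partner.example
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

# Constructed sample: the generator's default output, one header per line.
STRONG_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
X-XSS-Protection: 0
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age for this audit


def parse_headers(raw: str) -> dict[str, str]:
    """Map lower-cased header names to values; the status line is skipped."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: dict[str, str]) -> list[str]:
    """Return findings in a fixed order; an empty list means nothing was flagged."""
    findings: list[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is missing or below one year")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = headers.get("content-security-policy", "")
    xfo = headers.get("x-frame-options", "")
    if xfo.upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is deprecated; use CSP frame-ancestors")
    elif not xfo and "frame-ancestors" not in csp:
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")

    xss = headers.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection should be 0; rely on CSP instead")

    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")

    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        for token in ("'unsafe-inline'", "'unsafe-eval'"):
            if token in csp:
                findings.append(f"CSP allows {token}")

    if "permissions-policy" not in headers:
        findings.append("missing Permissions-Policy")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("strong", STRONG_RESPONSE)):
        print(f"[{label}]")
        for finding in audit(parse_headers(raw)) or ["no issues found"]:
            print("  -", finding)
```

To audit a live site, paste the Response Headers block from DevTools (or the output of `curl -sI https://example.invalid`) into a file and feed it to parse_headers; the strong sample is flagged only for the missing Content-Security-Policy, which is the one header the generator's default output leaves to you.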
Platform-specific configuration
- Nginx: use add_header directives in server blocks (add the always flag so the headers are also sent on error pages).
- Apache: use Header directives in .htaccess or httpd.conf.
- Vercel: add a headers array in vercel.json.
- Netlify: create a _headers file in the publish directory.
- Cloudflare: use Transform Rules, or a _headers file with Pages.
Each platform has its own syntax; use the generator above to get the right format.
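To show what the per-platform formats look like side by side, here is an added example (not the generator's own code) that renders one constructed header set into Nginx add_header lines, Apache Header directives, a Netlify-style _headers file, and the vercel.json headers array. The header values are the guide's recommendations; the "/(.*)" source pattern and the "/*" path are assumptions for "apply to every route".

```python
"""Render one set of security headers into the syntax each platform expects.

Added example, not the generator's own code.
"""
from __future__ import annotations

import json

# Constructed header set; values follow the guide's recommendations.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "0",
}


def render_nginx(headers: dict[str, str]) -> str:
    """add_header lines for a server block; `always` keeps them on error responses."""
    return "\n".join(
        f'add_header {name} "{value}" always;' for name, value in headers.items()
    )


def render_apache(headers: dict[str, str]) -> str:
    """mod_headers directives for .htaccess or httpd.conf; `always` covers error responses."""
    return "\n".join(
        f'Header always set {name} "{value}"' for name, value in headers.items()
    )


def render_netlify(headers: dict[str, str]) -> str:
    """Contents of a _headers file in the publish directory, applied to every path."""
    return "/*\n" + "\n".join(f"  {name}: {value}" for name, value in headers.items())


def render_vercel(headers: dict[str, str]) -> str:
    """The headers array for vercel.json, applied to every route (assumed pattern)."""
    doc = {
        "headers": [
            {
                "source": "/(.*)",
                "headers": [{"key": k, "value": v} for k, v in headers.items()],
            }
        ]
    }
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for title, render in (
        ("# nginx", render_nginx),
        ("# apache", render_apache),
        ("# netlify _headers", render_netlify),
        ("# vercel.json", render_vercel),
    ):
        print(title)
        print(render(SECURITY_HEADERS))
        print()
```

One Nginx caveat worth knowing when you paste the output: add_header directives are inherited from the server block only when the location block has no add_header of its own, so a location that adds even one header must repeat (or include) the whole set, otherwise the others silently disappear for that path, which is exactly the kind of gap the DevTools check above will reveal.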
Frequently Asked Questions
What grade should my security headers get?
Aim for an A or A+ grade. This means having at minimum HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and ideally CSP and Permissions-Policy. An A+ requires a strong CSP without unsafe-inline or unsafe-eval.
Do CDNs strip security headers?
Most CDNs preserve origin headers, but some may strip or override specific headers. Cloudflare preserves all custom headers. AWS CloudFront requires explicit header forwarding. Always verify headers are present after CDN deployment.
Should I set security headers on API responses too?
Yes. APIs should set X-Content-Type-Options: nosniff, Strict-Transport-Security, and a restrictive CSP (default-src 'none'). X-Frame-Options: DENY is also recommended since API responses should never be framed.