What are HTTP security headers?

HTTP security headers are response headers that instruct browsers how to behave when handling your site's content. They protect against cross-site scripting (XSS), clickjacking, MIME sniffing, and data leakage. Common examples include Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options.

Is this tool 100% client-side?

Yes. All header generation happens in your browser. No data is sent to any server. You can use this tool offline after the initial page load.

Which Content-Security-Policy directives should I use?

Start with default-src 'self' to block all external sources, then selectively allow what your site needs. Add script-src for scripts, style-src for styles, and img-src for images. Use nonces or hashes instead of 'unsafe-inline' for inline scripts where possible.

What is HSTS and should I enable it?

Strict-Transport-Security (HSTS) tells browsers to only use HTTPS for your domain. Enable it once your entire site is served over HTTPS. Start without the preload flag, test for 30 days, then add includeSubDomains and preload when you are ready to commit permanently.

What does the security score mean?

The score reflects how many of the key recommended security headers you have enabled. A score of 100% means all headers are active with sensible defaults. It is a rough guide — the right config depends on your specific application needs.

Can I use the generated config directly in production?

The generated config provides solid defaults, but review each header before deploying. CSP in particular needs to be tuned to your actual resource origins. Test in a staging environment first and check browser console for blocked resource errors.

Free Security Tool

HTTP Security Headers,
Configured Visually

Toggle headers on, set your options, and get ready-to-paste configs for Nginx, Apache, or Next.js. No guessing. No docs diving.

🛡️

All Major Headers

CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CORP — all in one place.

📋

3 Output Formats

Copy as Nginx, Apache, or Next.js headers() config — ready to paste without editing.

🔒

Security Score

See your security posture improve in real-time as you enable each header.

Security Score100% — Strong

Configure Headers

Strict-Transport-Security

Forces HTTPS for this domain for the configured duration. Enable only after your site is fully on HTTPS.

max-age (seconds)

includeSubDomainspreload (permanent commitment)

X-Frame-Options

Prevents your page from being embedded in iframes on other origins. Stops clickjacking attacks.

X-Content-Type-Options

Prevents browsers from MIME-sniffing responses. Always set this to nosniff.

Referrer-Policy

Controls how much referrer information is included with cross-origin requests.

Cross-Origin-Opener-Policy

Isolates your browsing context from cross-origin windows, preventing cross-origin info leaks.

Cross-Origin-Resource-Policy

Prevents other origins from reading your resources. Defends against Spectre-style side-channel attacks.

Content-Security-Policy

Controls which resources the browser can load. Most powerful security header — tune carefully before deploying.

default-src

script-src

style-src

img-src

font-src

connect-src

frame-ancestors

Permissions-Policy

Restrict which browser features are available on this page. Unchecked features are blocked.

Output

nginx.conf

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=*" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;

Active Headers (8)

Strict-Transport-Security

max-age=31536000; includeSubDomains

X-Frame-Options

SAMEORIGIN

X-Content-Type-Options

nosniff

Referrer-Policy

strict-origin-when-cross-origin

Content-Security-Policy

default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'

Permissions-Policy

camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=*