CheckTown

HTTP Security Headers Generator

Configure HTTP security headers for your web server

Security Score: B (4/6)

Strict-Transport-Security (HSTS)

Forces browsers to use HTTPS. Recommended: enable with 1-year max-age.

Content-Security-Policy (CSP)

Controls which resources the browser is allowed to load. Start with report-only mode.

X-Frame-Options

Prevents your page from being embedded in iframes on other sites.

X-Content-Type-Options

Prevents MIME-type sniffing. Always set to nosniff.

Referrer-Policy

Controls how much referrer information is sent with requests.

Permissions-Policy

Controls which browser features your site can use.

# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
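As an added example (not CheckTown's own code), the Python script below parses the generated nginx snippet above and scores it against the six headers the generator covers, applying the page's recommendations: HSTS with at least a one-year max-age, CSP accepted in either enforcing or report-only form, and X-Content-Type-Options required to be exactly nosniff. The letter-grade thresholds and the set of Referrer-Policy values counted as strong are assumptions, chosen so that the four-header snippet scores B (4/6) as the tool reports.

```python
import re

# Constructed sample: the nginx snippet the generator produced above (4 of the 6 headers).
NGINX_SNIPPET = """
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
"""

# Matches: add_header <Name> "<value>" ... ;   (one directive per line)
ADD_HEADER_RE = re.compile(r'^\s*add_header\s+(\S+)\s+"([^"]*)"', re.MULTILINE)

ONE_YEAR = 31536000  # seconds; the page's recommended HSTS max-age

# Assumption: referrer policies that never leak the full URL cross-origin count as strong.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_nginx_headers(snippet):
    """Extract {header-name (lowercase): value} from add_header directives."""
    return {m.group(1).lower(): m.group(2) for m in ADD_HEADER_RE.finditer(snippet)}


def hsts_ok(value):
    """HSTS passes only with an explicit max-age of at least one year."""
    if value is None:
        return False
    m = re.search(r"max-age=(\d+)", value)
    return m is not None and int(m.group(1)) >= ONE_YEAR


def evaluate(headers):
    """Return {header: passed} for the six headers the generator covers.

    `headers` is any mapping of header name -> value (names matched case-insensitively),
    so the same function works on parsed config or on a live HTTP response.
    """
    h = {k.lower(): v for k, v in headers.items()}

    def get(name):
        return h.get(name.lower())

    results = {}
    results["Strict-Transport-Security"] = hsts_ok(get("Strict-Transport-Security"))
    # Report-only mode is accepted, matching the page's advice to start there.
    csp = get("Content-Security-Policy") or get("Content-Security-Policy-Report-Only")
    results["Content-Security-Policy"] = bool(csp and csp.strip())
    xfo = get("X-Frame-Options")
    results["X-Frame-Options"] = xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN")
    xcto = get("X-Content-Type-Options")
    results["X-Content-Type-Options"] = xcto is not None and xcto.strip().lower() == "nosniff"
    rp = get("Referrer-Policy")
    results["Referrer-Policy"] = rp is not None and rp.strip().lower() in SAFE_REFERRER_POLICIES
    pp = get("Permissions-Policy")
    results["Permissions-Policy"] = bool(pp and pp.strip())
    return results


def grade(results):
    """Map pass count to a letter. Assumed scale: all=A, within 2=B, at least half=C, else F."""
    passed = sum(1 for ok in results.values() if ok)
    total = len(results)
    if passed == total:
        letter = "A"
    elif passed >= total - 2:
        letter = "B"
    elif passed >= total // 2:
        letter = "C"
    else:
        letter = "F"
    return letter, passed, total


if __name__ == "__main__":
    parsed = parse_nginx_headers(NGINX_SNIPPET)
    outcome = evaluate(parsed)
    for name, ok in outcome.items():
        print(f"{'PASS' if ok else 'MISSING/WEAK':12} {name}")
    letter, passed, total = grade(outcome)
    print(f"Security Score: {letter} ({passed}/{total})")
```

Running it on the snippet flags Content-Security-Policy and Permissions-Policy as missing and prints `Security Score: B (4/6)`; feeding `evaluate()` the header dict from a real response (for example `requests.get(url).headers`) checks a deployed server the same way.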

Learn More

HTTP Security Headers: Protect Your Website

Configure essential security headers for your web server.

What Are HTTP Security Headers?

HTTP security headers are response headers that instruct browsers how to behave when handling your site's content. They form a critical layer of defense-in-depth, protecting against common web attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks by enforcing security policies at the browser level.
