HTTP Security Header Generator
Pick the security headers you need and copy ready-to-use config snippets.
Generated headers:

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'

# Nginx (server block)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'" always;

# Apache .htaccess
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'"
Why use HTTP security headers?
HTTP security headers are a fast, zero-cost hardening layer: they are set server-side and tell browsers how to handle your content. HSTS forces HTTPS for a full year (max-age=31536000), so later requests are upgraded before they leave the browser. CSP restricts which origins can load scripts, styles, and media — the most effective XSS mitigation available in the browser. X-Frame-Options stops your pages from being embedded in iframes on other sites (clickjacking). X-Content-Type-Options: nosniff stops browsers from MIME-sniffing a response into a different content type than the one declared. Referrer-Policy limits how much URL information leaks when users follow outbound links. These headers are checked by tools such as securityheaders.com and affect Google's Safe Browsing and Chrome's warning interstitials.
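To confirm a server actually sends what the snippets above configure, here is an added audit script (not part of this tool) that parses a captured response header block and checks it against the generator's defaults; the two sample responses are constructed for the demonstration.

```python
"""Audit captured HTTP response headers against this generator's defaults."""
import re

# Expected values follow the snippets above. X-XSS-Protection is not checked:
# current browsers ignore it, so CSP is the control that matters.
EXPECTED = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
MIN_HSTS_AGE = 31536000  # one year, the generator's max-age

# Constructed sample: a response from the Nginx config above, and a weak one.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
"""
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self'
"""

def parse_headers(raw: str) -> dict:
    """Lower-cased header map; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def audit(raw: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name} is '{got}', expected '{want}'")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif not re.search(r"(?:^|;)\s*default-src\b", csp):
        findings.append("CSP has no default-src fallback directive")
    return findings
```

Paste the output of `curl -sI https://your-site/` (a real response) into `audit()` to see which of the generated headers are missing or weaker than the defaults.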
Private & free — this tool runs entirely in your browser.