Security Headers Generator

Build a complete set of HTTP security headers — HSTS, Content-Security-Policy, clickjacking and cross-origin protections — and copy a ready-to-paste config for your server.

Scan your site (optional)

Fetch your domain's live headers to see which are missing, then apply the recommended fixes in one click.

Strict-Transport-Security (HSTS)

Forces browsers to only ever connect over HTTPS.

X-Frame-Options

Stops other sites from embedding yours in a frame (clickjacking).

X-Content-Type-Options

Sends nosniff to stop browsers guessing file types.

Referrer-Policy

Controls how much of your URL is shared when users click away to another site.

Permissions-Policy

Decides which browser features (camera, microphone, geolocation…) your pages may use.

camera
microphone
geolocation
payment
usb
accelerometer
gyroscope
magnetometer
fullscreen
autoplay
display-capture

Features you don't set are left unrestricted. The choices map to the header's allowlist syntax: "block" = (), "self" = (self), "all" = *.

Cross-Origin policies

Isolate your pages from other origins. COEP: require-corp can break third-party embeds.

Content-Security-Policy

The strongest defence against cross-site scripting — control exactly which sources a page may load.

default-src
script-src
style-src
img-src
connect-src
frame-ancestors

Report endpoint (optional): where browsers POST a JSON report whenever the policy is violated.

Resulting policy

default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests

Your configuration (Nginx)

Heads up
  • frame-ancestors supersedes X-Frame-Options in modern browsers; X-Frame-Options is kept for legacy only.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;

What each header does

Strict-Transport-Security (HSTS) tells browsers to only ever talk to your site over HTTPS, so an attacker can't downgrade a visitor to plain HTTP.

Content-Security-Policy (CSP) is an allowlist of where scripts, styles, images and other resources may come from. A good CSP is the single most effective defence against cross-site scripting (XSS).

X-Frame-Options (and CSP's frame-ancestors) stop other sites from loading yours inside an invisible frame to trick your users into clicking things — a clickjacking attack.

X-Content-Type-Options: nosniff stops browsers from second-guessing a file's declared type, which can otherwise let a file uploaded as an image be interpreted as a script.

Referrer-Policy limits how much of your URL is leaked to other sites when a user clicks an outbound link.

Permissions-Policy switches off powerful browser features (camera, microphone, geolocation) your site doesn't need, shrinking what a compromised page could abuse.

Cross-Origin policies (COOP/COEP/CORP) isolate your pages from other origins. They're required to unlock high-precision timers and SharedArrayBuffer, but require-corp can break third-party embeds, so test carefully.

Frequently Asked Questions

What are HTTP security headers?
Security headers are extra instructions your web server sends to the browser with every page. They tell the browser to do things like force HTTPS, block your site from being framed by attackers, and stop it from loading scripts from places you did not approve. They cost nothing to add and stop a whole class of common attacks.
Which security headers should I add first?
Start with Strict-Transport-Security (forces HTTPS), X-Content-Type-Options: nosniff (stops MIME sniffing), X-Frame-Options or frame-ancestors (stops clickjacking), and a Referrer-Policy. A Content-Security-Policy is the most powerful but takes the most care — roll it out in Report-Only mode first. The Recommended preset on this page sets all of these for you.
Will adding these headers break my site?
Most headers are safe to drop in. The two that can break things are Content-Security-Policy (if it blocks a script or stylesheet your site needs) and COEP: require-corp (which can break third-party embeds). For CSP, use the Report-Only starter so you can watch for problems before enforcing. The generator shows a warnings list whenever your settings risk breaking something.
Where do I add these headers?
It depends on your stack. The generator gives you ready-to-paste snippets for Nginx, Apache, Caddy, Cloudflare Transform Rules, and a Netlify/Cloudflare Pages _headers file, plus a raw list you can adapt to anything else. Add the snippet to your server config or hosting platform and reload it.
Should I enable HSTS preload?
Preload bakes your domain into a list shipped inside browsers, so they always use HTTPS for it — even on the very first visit. It is powerful but hard to undo, and it requires max-age of at least one year plus includeSubDomains. Only enable it once you are certain every subdomain works over HTTPS, then submit your domain at hstspreload.org.
What is CSP Report-Only mode?
Report-Only mode (the Content-Security-Policy-Report-Only header) tells the browser to watch for policy violations and report them, but never block anything. It lets you safely discover what a strict policy would break on a live site. Once the reports are clean, switch to the enforcing Content-Security-Policy header.
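The Report-Only rollout described above produces a stream of JSON violation reports. The added example below (not the generator's own code) aggregates reports in the classic report-uri csp-report format into the sources an enforcing policy would have to allow, with inline or eval violations flagged for refactoring rather than allowlisted. The sample reports and the example.test hostnames are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def report_key(line: str):
    # One report-uri style POST body -> (effective directive, blocked origin or keyword).
    r = json.loads(line)["csp-report"]
    # Older browsers omit effective-directive and send "script-src 'self'" as violated-directive.
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    blocked = r.get("blocked-uri", "")
    parts = urlsplit(blocked)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else blocked
    return directive, origin

def summarize(lines) -> Counter:
    # Count (directive, origin) pairs across all reports so the noisiest gaps surface first.
    return Counter(report_key(line) for line in lines if line.strip())

def needed_sources(summary: Counter) -> dict:
    # Per directive: origins the enforcing policy must allow, and violations to refactor.
    # "inline"/"eval" are never turned into 'unsafe-inline' / 'unsafe-eval' here.
    out = {}
    for (directive, origin), _count in summary.most_common():
        entry = out.setdefault(directive, {"allow": [], "refactor": []})
        bucket = "refactor" if origin in ("inline", "eval", "") else "allow"
        if origin not in entry[bucket]:
            entry[bucket].append(origin)
    return out

# Constructed sample: four reports as a browser would POST them while the policy
# runs in Report-Only mode (not captured from any real site).
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in (
    {"document-uri": "https://example.test/checkout", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "https://cdn.example.test/app.js"},
    {"document-uri": "https://example.test/", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "https://cdn.example.test/vendor.js"},
    {"document-uri": "https://example.test/", "violated-directive": "script-src 'self'",
     "blocked-uri": "inline"},
    {"document-uri": "https://example.test/", "effective-directive": "img-src",
     "violated-directive": "default-src 'self'", "blocked-uri": "https://cdn.example.test/logo.png"},
)]
```

Feed it the bodies your report endpoint stored; each (directive, origin) pair it lists is a line to add to the policy, and each "refactor" entry is an inline script or style to move into a file before switching to the enforcing header.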
How do I check my headers are working?
After deploying, run a scan with IntoDNS.AI — it reads your live response headers and grades them. You can also use the "Scan my site" button on this page to fetch your current headers and see exactly which ones are missing before you start.
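As an added example (not part of this page or the generator), the checker below applies the rules from "What each header does" and the scan step above to a raw HTTP response head: it reports which of this page's headers are missing or weak, including the HSTS max-age and includeSubDomains requirements that preload depends on. The two sample responses are constructed, not captured from any real site.

```python
import re

ONE_YEAR = 31536000  # seconds: the minimum HSTS max-age hstspreload.org accepts

def parse_headers(raw: str) -> dict:
    # Raw HTTP response head -> lower-cased {name: value}; line 0 is the status line.
    pairs = (line.split(":", 1) for line in raw.strip().splitlines()[1:] if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def audit(raw: str) -> list:
    # Findings for the headers this page generates; [] means all present and sane.
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append("HSTS missing")
    elif not age or int(age.group(1)) < ONE_YEAR or "includesubdomains" not in hsts:
        # preload requires max-age >= 1 year AND includeSubDomains
        findings.append("HSTS max-age under one year or includeSubDomains missing"
                        + (" (preload flag is therefore invalid)" if "preload" in hsts else ""))
    csp = h.get("content-security-policy")
    # "default-src 'self'; script-src 'self' ..." -> {directive: [sources]}
    directives = {p.split()[0].lower(): p.split()[1:] for p in (csp or "").split(";") if p.split()}
    if csp is None:
        findings.append("CSP is Report-Only: nothing is enforced yet"
                        if "content-security-policy-report-only" in h else "CSP missing")
    elif "'unsafe-inline'" in directives.get("script-src", directives.get("default-src", [])):
        findings.append("CSP allows inline scripts ('unsafe-inline')")
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("referrer-policy", "permissions-policy", "cross-origin-opener-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

# Constructed sample responses (not captured from any real site).
STRICT = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'; object-src 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cross-Origin-Opener-Policy: same-origin
"""
WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300; preload
Content-Security-Policy-Report-Only: default-src 'self'
"""
```

Paste the head of a real response (for example what a raw HTTP client shows for your domain) into audit() and fix each finding with the matching snippet from the generator.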