Free Online Tool

Security Headers Generator

Pick a hardening level and your server type. Get copy-paste ready security header config in seconds.

What headers does this generate?

All configs include these foundational security headers, scaled by your selected level:

Strict-Transport-Security (HSTS): forces browsers to always use HTTPS. Critical to prevent downgrade attacks.
X-Content-Type-Options: stops browsers from MIME-sniffing the content type. Blocks one class of XSS.
X-Frame-Options: prevents your site from being loaded inside an iframe by other domains. Stops clickjacking.
Referrer-Policy: controls how much referrer info leaks when users click outbound links.
Permissions-Policy: disables browser features (camera, mic, location) you don't need.
Content-Security-Policy (Strict / Maximum only): the most powerful XSS defense. Hardest to configure correctly.
Cross-Origin-* (Maximum only): isolates your site from other origins. Required for SharedArrayBuffer / WebAssembly threading.

Pick the right level for your site

Basic: the minimum every site should have. Won't break anything. Use this for legacy sites or third-party-heavy CMS like WordPress with many plugins.
Strict: recommended for new projects, single-page apps, and any site without complex third-party integrations. Aim for A grade on Mozilla Observatory.
Maximum: paranoid mode. Will likely break embedded fonts, analytics scripts, ad networks, and inline styles unless you tune CSP carefully. Test in staging first.

After you apply the config

Deploy the config to your server.
Run our Security Scorecard against your domain.
Re-check at Mozilla Observatory for an external second opinion.
Aim for A grade or above on both.

How to use

Pick a hardening level (start with Strict).
Pick your server type.
Click Generate Config.
Copy the generated config to your server.
Verify with our Security Scorecard.

FAQ

Will these headers break my site?

Basic is safe for any site. Strict may require small tweaks if you load fonts or scripts from other domains. Maximum will likely break inline styles and third-party widgets unless you customize CSP. Always test in staging first.

What's the difference between HSTS preload and just HSTS?

HSTS in a header tells repeat visitors to always use HTTPS. HSTS preload submits your domain to a hardcoded list shipped with browsers, so even first-time visitors are protected. Submit at hstspreload.org once your config is stable.

Why isn't CSP in the basic level?

CSP is the most powerful header but also the easiest to misconfigure. A bad CSP breaks everything. We only include CSP in Strict and Maximum, and even then with a permissive default that you should tighten over time.

Do I still need a WAF if I have these headers?

Yes. Headers protect users in the browser. A WAF (like Cloudflare) protects your server from attack traffic. They are complementary, not alternatives.

Why no X-XSS-Protection?

X-XSS-Protection is deprecated and removed from modern browsers. Some legacy guides still mention it, but it's effectively dead. Use Content-Security-Policy instead.