This free online security headers generator helps you configure and export HTTP security headers for your website or web application. From HSTS and Content-Security-Policy to X-Frame-Options and Permissions-Policy, this tool covers all 12 critical security headers with clear explanations, a security score meter, and export options for 6 server configurations — Nginx, Apache, Next.js, Express, Vercel, and Cloudflare Workers.
Step-by-Step
1. Review each header — The tool displays all 12 security headers with their current values, severity indicators (critical, important, nice-to-have), and explanations of what each header does.
2. Toggle headers on/off — Enable or disable individual headers based on your application's requirements.
3. Customize values — Edit header values directly. For example, add your CDN domain to the CSP script-src directive or set your HSTS max-age duration.
4. Check your score — The security score meter updates in real time as you configure headers.
5. Export — Select your server platform and copy the generated configuration snippet.
Features
- 12 security headers — HSTS, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, and more.
- Security score — A percentage-based score that reflects how well your headers protect against common web vulnerabilities.
- Severity indicators — Each header is labeled Critical, Important, or Nice-to-Have so you can prioritize implementation.
- Editable values — Customize every header value to match your application's needs.
- Explanations — Each header includes a plain-English description of what it does and why it matters.
- Client-side only — No data is sent anywhere. Your header configuration stays in your browser.
Common Use Cases
- New Website Launch — Configure all recommended security headers before launching a new site. Use the score meter to verify you've covered the essentials.
- Security Audit Remediation — After a penetration test or security scan flags missing headers, use this tool to generate the correct configuration for your server.
- CSP Policy Building — Craft Content-Security-Policy directives with the correct sources for your scripts, styles, images, and fonts.
- Compliance Requirements — PCI DSS, SOC 2, and the OWASP Top 10 all call for specific security headers. Use this tool to cover the header-related checks.
- DevOps Deployment — Export headers in the correct format for your deployment target (Nginx, Vercel, Cloudflare) and add them to your infrastructure-as-code configuration.
Tips for Power Users
- Start with the Critical headers: HSTS, CSP, and X-Content-Type-Options. These address the most common attack vectors.
- For HSTS, use max-age=31536000 (1 year) with includeSubDomains for production sites.
- Build your CSP iteratively — start with a report-only policy, monitor violations, then enforce.
- Test your exported headers with securityheaders.com or Mozilla Observatory to verify correct implementation.
- The Permissions-Policy header lets you disable browser features you don't use (camera, microphone, geolocation) to reduce your attack surface.
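As an added example (not the generator's own export), here is what the tips above amount to as Express middleware: HSTS with the one-year max-age and includeSubDomains, a CSP that can be switched between report-only and enforced, and a Permissions-Policy that turns off camera, microphone and geolocation. The CSP directives other than script-src, the report endpoint path and the Referrer-Policy value are assumptions, not values from this page.

```javascript
// Added example, not the generator's own export. Builds the header set the
// tips above describe and wires it into an Express-style middleware.
// Assumptions (not from the page): the CSP directives other than script-src,
// the report endpoint path, and the Referrer-Policy value.
const ONE_YEAR_SECONDS = 31536000;

// Content-Security-Policy, with a report-only mode for the rollout phase.
function buildCsp({ cdnDomain = null, reportOnly = false, reportUri = "/csp-report" } = {}) {
  const scriptSrc = ["'self'"];
  if (cdnDomain) scriptSrc.push(cdnDomain); // e.g. your CDN origin
  const directives = [
    "default-src 'self'",
    `script-src ${scriptSrc.join(" ")}`,
    "object-src 'none'",
    "base-uri 'self'",
    `report-uri ${reportUri}`, // violations are reported in both modes
  ];
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// Full header set: HSTS (1 year, subdomains included), CSP, nosniff,
// clickjacking protection, referrer control, and Permissions-Policy
// switching off camera, microphone and geolocation.
function buildSecurityHeaders(opts = {}) {
  const csp = buildCsp(opts);
  return {
    "Strict-Transport-Security": `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`,
    [csp.name]: csp.value,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}

// Express middleware: app.use(securityHeaders({ cdnDomain: "https://cdn.example.com", reportOnly: true }))
// Start with reportOnly: true, review the reports, then drop the flag to enforce.
function securityHeaders(opts = {}) {
  const headers = buildSecurityHeaders(opts);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
```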
Why Use This Tool?
Security headers are one of the easiest ways to harden your web application, but getting the syntax right for each server platform is tedious. This generator handles the formatting and gives you copy-paste-ready configuration for all major platforms. Everything runs client-side — your configuration choices are never sent to any server.