FREE TOOL · NO SIGNUP TO PREVIEW

Generate HTTP Security Headers in Seconds

Build a hardened Content-Security-Policy, HSTS, and more — then copy or download ready-to-paste Nginx, Apache, and Next.js config, complete with a live security grade.

Header settings

default-srcFallback for every fetch directive
script-srcJavaScript & workers
style-srcStylesheets
img-srcImages & favicons
font-srcWeb fonts
connect-srcfetch / XHR / WebSocket
frame-ancestorsWho may embed this page
Camera
Microphone
Geolocation
Payment API
USB
Fullscreen
Accelerometer
Gyroscope
Magnetometer
Autoplay

Advanced (optional)

Example output — a secure-by-default header set. Adjust the toggles to generate your own.
Grade A+ · 100/1006 headers6/6 recommended
frame-ancestors 'self' supersedes X-Frame-Options in modern browsers — X-Frame-Options is kept only for older clients.
Only send HSTS over HTTPS, and never on a host you may want to serve over plain HTTP later — the policy is cached by browsers for the full max-age.

Nginx config

# Security headers generated by SemlyPro — add inside the relevant server { } or location block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' https:; img-src 'self' https:; font-src 'self' https:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(), accelerometer=(), gyroscope=(), magnetometer=(), autoplay=()" always;

Add inside the relevant server { } block, then run nginx -t and reload.

Resolved headers

HeaderValue
Content-Security-Policydefault-src 'self'; script-src 'self'; style-src 'self' https:; img-src 'self' https:; font-src 'self' https:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
Strict-Transport-Securitymax-age=63072000; includeSubDomains; preload
X-Frame-OptionsSAMEORIGIN
X-Content-Type-Optionsnosniff
Referrer-Policystrict-origin-when-cross-origin
Permissions-Policycamera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(), accelerometer=(), gyroscope=(), magnetometer=(), autoplay=()
The Complete Guide

HTTP Security Headers: The Complete Guide to CSP, HSTS & More

5 MIN READ

Understand with AI

Discuss with your preferred AI assistant

ChatGPTClaudePerplexityGoogle AI
~90%
Sites with no CSP

The vast majority of websites still ship without a Content-Security-Policy, leaving XSS largely unmitigated.

Top 3
Web app attacks involving XSS

Cross-site scripting remains one of the most common web-application vulnerabilities — exactly what CSP is built to stop.

< 10 min
Time to deploy

A full hardened header set can be added to Nginx, Apache, or Next.js in well under ten minutes.

HTTP security headers are short instructions your server sends with every response that tell the browser how to behave more safely. They cost nothing, take minutes to deploy, and shut down entire classes of attacks — cross-site scripting (XSS), clickjacking, protocol downgrades, and data leakage — before they reach your users. Yet a majority of sites still ship with none of them.

This guide explains the headers that matter most, what each one does, sensible defaults, and how to roll them out without breaking your site.

Why HTTP Security Headers Matter

Browsers are powerful, and that power is exactly what attackers abuse. A single injected script can steal session cookies, rewrite your checkout page, or exfiltrate customer data. Security headers let you set guardrails on what the browser will load and execute, so even if an attacker finds a way to inject content, the browser refuses to run it.

They also matter for trust and search. Modern browsers warn users on insecure connections, and a hardened header set is a signal of a well-maintained, trustworthy site. While headers are not a direct ranking factor, the HTTPS and integrity they enforce support the secure, fast experience search engines reward.

The Headers That Matter Most

Content-Security-Policy (CSP)

The single most effective defense against XSS. CSP tells the browser exactly which sources of scripts, styles, images, fonts, and connections are allowed. With a directive like script-src 'self', an injected inline script simply will not run. Start strict — default-src 'self' — then add the specific origins your site actually uses (your CDN, analytics, fonts). Avoid 'unsafe-inline' in script-src where you can; prefer nonces or hashes.

Strict-Transport-Security (HSTS)

HSTS forces browsers to use HTTPS for every future visit, even if a user types http:// or clicks an old link. This blocks SSL-stripping man-in-the-middle attacks. A typical value is max-age=63072000; includeSubDomains; preload (two years). Only send it over HTTPS, and be sure you intend to serve HTTPS for the full duration — browsers cache the policy.

X-Frame-Options & frame-ancestors

These prevent clickjacking, where an attacker loads your page inside an invisible iframe to trick users into clicking. X-Frame-Options: SAMEORIGIN covers older browsers; CSP's frame-ancestors 'self' is the modern equivalent and supersedes it. Use both for full coverage.

X-Content-Type-Options

The one-line, zero-risk win: X-Content-Type-Options: nosniff stops browsers from second-guessing a file's declared content type. This prevents a benign upload from being interpreted and executed as a script. There is no reason not to set it.

Referrer-Policy

Controls how much of the referring URL is shared when users navigate away from your site. strict-origin-when-cross-origin is the sensible default: it sends the full path to your own pages but only the origin to third parties, protecting query-string data and internal URLs from leaking.

Permissions-Policy

Formerly Feature-Policy, this lets you switch off powerful browser features your site does not use — camera, microphone, geolocation, payment, USB, and more. Locking down camera=() and microphone=() means that even compromised third-party code cannot silently request access.

HeaderRecommended valueProtects against
Content-Security-Policydefault-src 'self'; object-src 'none'XSS, injection
Strict-Transport-Securitymax-age=63072000; includeSubDomains; preloadProtocol downgrade, MITM
X-Frame-OptionsSAMEORIGINClickjacking
X-Content-Type-OptionsnosniffMIME sniffing
Referrer-Policystrict-origin-when-cross-originReferrer leakage
Permissions-Policycamera=(), microphone=(), geolocation=()Feature abuse

How to Deploy Without Breaking Your Site

The risk with CSP is over-blocking — a too-strict policy hides legitimate assets and breaks the page. Roll out carefully:

  • Audit your origins first. List every domain that serves scripts, styles, fonts, and images on your site.
  • Start in Report-Only mode. Content-Security-Policy-Report-Only reports violations to your console without blocking, so you can find every legitimate source before enforcing.
  • Tighten incrementally. Begin with a permissive policy, watch the reports, and remove allowances until only what you need remains.
  • Set the easy headers immediately. nosniff, Referrer-Policy, X-Frame-Options, and Permissions-Policy rarely break anything — ship them today.
  • Verify after deploy. Re-check the live response headers and confirm the page still loads and functions.

Common Mistakes

  • Adding 'unsafe-inline' to script-src to "make CSP work" — this defeats most of its protection. Use nonces or hashes instead.
  • Enabling HSTS preload on a host you may serve over HTTP later — the policy is sticky and hard to undo.
  • Forgetting the always flag in Nginx, so headers are dropped on error responses.
  • Setting headers in only one place when traffic is served by both a CDN and an origin — apply them at the edge that reaches the user.

Expert Tips

Start CSP in Report-Only mode

Deploy Content-Security-Policy-Report-Only first. It logs every blocked resource without breaking the page, so you can whitelist your real asset origins before switching to enforcing mode.

Set the zero-risk headers today

X-Content-Type-Options: nosniff, Referrer-Policy, X-Frame-Options, and Permissions-Policy almost never break anything. Ship them immediately while you tune your CSP in the background.

Frequently Asked Questions

What are HTTP security headers?

They are response headers your server sends with every page that instruct the browser to enforce safety rules — which scripts may run, whether the site can be framed, whether to force HTTPS, and which features are allowed. They mitigate XSS, clickjacking, protocol downgrades, and data leakage.

Which security headers should every site have?

At minimum: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options or frame-ancestors, Referrer-Policy, and Permissions-Policy. CSP and HSTS deliver the most protection; the rest are quick, low-risk wins.

Will adding a Content-Security-Policy break my site?

It can if the policy is stricter than your real asset origins. Deploy it in Report-Only mode first to discover every legitimate source, then switch to enforcing mode once the reports are clean. The easier headers like nosniff and Referrer-Policy almost never cause problems.

Do security headers affect SEO?

Not directly, but they reinforce the HTTPS, integrity, and trust signals search engines value, and they protect the fast, secure experience users expect. A hacked or defaced site, by contrast, can be deindexed — so the headers protect your rankings indirectly.

Related guides

Technical seo checklistOn-page seoAi website auditHow to conduct a website audit

Related tools

Meta robots tag generatorCache-control header generatorHreflang tag generator