Security Headers Generator
Configure security headers and export for Apache, nginx, or HTML meta tags
Content-Security-Policy
Control which resources the browser is allowed to load
Strict
Moderate
Development
Custom
Strict-Transport-Security (HSTS)
Force browsers to use HTTPS for your site
Standard
Strict
Custom
Max Age (seconds)
includeSubDomains
preload
X-Frame-Options
Control whether your site can be embedded in iframes
Mode
DENY
SAMEORIGIN
ALLOW-FROM (deprecated)
Allow from URL
X-Content-Type-Options
Prevent MIME type sniffing
nosniff (only valid value — always recommended)
Referrer-Policy
Control how much referrer info is shared when navigating away
Policy
no-referrer
no-referrer-when-downgrade
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin
unsafe-url
Permissions-Policy
Control which browser features and APIs can be used
Restrictive
Balanced
Permissive
Cross-Origin Policies
COEP, COOP, and CORP headers for isolation
Cross-Origin-Embedder-Policy
Mode
require-corp
credentialless
Cross-Origin-Opener-Policy
Mode
same-origin
same-origin-allow-popups
unsafe-none
Cross-Origin-Resource-Policy
Mode
same-origin
same-site
cross-origin
Generated Output
Apache .htaccess
nginx
HTML Meta Tags