HTTP Security Headers Generator Pro

Strict-Transport-Security (HSTS) ›

Max-Age 30 days 6 months 1 year (recommended) 2 years

includeSubDomains preload

Content-Security-Policy (CSP) ›

default-src

script-src

style-src

img-src

connect-src

font-src

frame-src

object-src

base-uri

Use Content-Security-Policy-Report-Only (test mode)

report-uri

X-Frame-Options ›

DENY (no iframe embedding) SAMEORIGIN (same domain only)

Prevents clickjacking. CSP frame-ancestors supersedes this for modern browsers.

X-Content-Type-Options ›

Always set to nosniff. Prevents MIME type sniffing attacks.

Referrer-Policy ›

no-referrer no-referrer-when-downgrade strict-origin (recommended) strict-origin-when-cross-origin same-origin origin unsafe-url (not recommended)

Permissions-Policy ›

Control browser feature access. Unchecked = feature disabled.

camera microphone geolocation payment usb fullscreen clipboard-read display-capture

CORS Headers ›

Access-Control-Allow-Origin

Access-Control-Allow-Methods

Access-Control-Allow-Headers

Access-Control-Allow-Credentials: true

Cache-Control (for sensitive pages) ›

no-store (login/private pages) no-cache (revalidate always) no-store, no-cache, must-revalidate (max security) public, max-age=31536000, immutable (static assets)