
HTTP Security Headers Generator

Web & SEO

Analyze a URL for CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers with graded security feedback.

Security Grade: A+ (100/100) · 9 headers · 11 passed · 0 issues

HSTS
  • Strict-Transport-Security: force HTTPS for future requests
  • Max-Age: duration in seconds (31536000 = 1 year)
  • Include Subdomains
  • Preload: submit to hstspreload.org — irreversible!

Clickjacking & Content Type
  • X-Frame-Options: controls framing of this page
  • X-Content-Type-Options: prevent MIME-type sniffing (nosniff)
  • X-XSS-Protection: legacy XSS filter — deprecated, prefer CSP

Referrer Policy
  • Referrer-Policy: controls referrer info in requests
Security Audit (100/100)

  • HSTS enabled: force HTTPS via Strict-Transport-Security
  • HSTS ≥ 1 year: max-age should be at least 1 year (31536000)
  • X-Frame-Options set: prevent clickjacking attacks
  • X-Content-Type-Options: prevent MIME-type sniffing
  • Referrer-Policy set: control referrer information leakage
  • CSP enabled: Content-Security-Policy mitigates XSS
  • CSP object-src none: disable plugin execution
  • CSP frame-src restricted: restrict framing sources
  • Permissions-Policy set: browser feature permissions defined
  • No X-XSS-Protection: X-XSS-Protection is deprecated and can cause issues
  • CSP upgrade-insecure: upgrade insecure HTTP sub-resources
  • Cross-Origin Opener: isolate the browsing context for SharedArrayBuffer

9 Headers

  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; object-src 'none'; media-src 'self'; worker-src 'self'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests
  • Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self), bluetooth=(), accelerometer=(), ambient-light-sensor=(), gyroscope=(), magnetometer=(), xr-spatial-tracking=()
  • Cross-Origin-Opener-Policy: same-origin
  • X-DNS-Prefetch-Control: off
  • X-Download-Options: noopen

Output
nginx.conf
# Add inside your server {} or location {} block.
# Note: nginx inherits add_header directives from the enclosing level only when
# the current level defines none of its own, so a location {} that adds even one
# add_header must repeat every header listed here. The "always" parameter sends
# the headers on error responses (4xx/5xx) too, not only on 2xx/3xx.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'none'; object-src 'none'; media-src 'self'; worker-src 'self'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self), bluetooth=(), accelerometer=(), ambient-light-sensor=(), gyroscope=(), magnetometer=(), xr-spatial-tracking=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header X-DNS-Prefetch-Control "off" always;
add_header X-Download-Options "noopen" always;


About HTTP Security Headers Generator

The HTTP Security Headers Analyzer checks any publicly accessible URL and evaluates the presence, correctness, and strength of its security-related HTTP response headers. Get instant feedback on Content-Security-Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each header is graded with clear pass/warn/fail indicators and actionable recommendations so you can harden your web application against common browser-based attacks.

Features

  • ✓ Checks for Content-Security-Policy and highlights dangerous directives like 'unsafe-inline'
  • ✓ Validates HSTS max-age, includeSubDomains, and preload attributes
  • ✓ Evaluates X-Frame-Options for clickjacking protection
  • ✓ Confirms X-Content-Type-Options: nosniff is present
  • ✓ Analyzes Referrer-Policy for information leakage risks
  • ✓ Reviews Permissions-Policy for unnecessary browser feature grants
  • ✓ Per-header grading with pass, warning, and fail status
  • ✓ Plain-English explanation and recommended header values for each finding

Common Use Cases

  • Pre-launch security audit to ensure all recommended headers are in place
  • Continuous monitoring of security header regressions after deployments
  • Compliance checks for PCI-DSS, SOC 2, and ISO 27001 requirements
  • Hardening third-party embedded pages against clickjacking attacks
  • Validating CSP directives do not permit dangerous inline script execution
  • Security review as part of a DevSecOps CI/CD pipeline

Frequently Asked Questions

Q: What is the most important security header to implement?

Content-Security-Policy and HSTS are typically considered the most impactful. CSP mitigates XSS attacks, while HSTS ensures all communication uses HTTPS and prevents SSL stripping attacks.

Q: Will adding these headers break my website?

A strict CSP can break sites that load scripts or styles from unlisted sources. Always test security headers in a staging environment and use CSP report-only mode before enforcing.

Q: How do I add security headers to my website?

Headers can be set in your web server configuration (Nginx, Apache), application middleware (Express, Django), CDN edge rules, or meta http-equiv tags (limited support).

Q: Why does the tool show a warning for my existing CSP?

Common warnings include use of 'unsafe-inline' or 'unsafe-eval' in script-src, which partially defeat XSS protection. The tool explains each warning and suggests nonce-based or hash-based alternatives.

© 2026 Alpha DevTools — All rights reserved.
