HTTP Security Headers Explained
HTTP security headers are your first line of defense against common web attacks. This guide covers every security header, what it protects against, and recommended values for production.
Security Headers Generator
Generate and analyze HTTP security headers for Nginx, Apache, Vercel, Netlify, and Cloudflare. Visual builder with presets and security scoring.
Strict-Transport-Security (HSTS)
X-Content-Type-Options
Always set to nosniff — no configuration needed.
X-Frame-Options
Referrer-Policy
Permissions-Policy
Content-Security-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
X-XSS-Protection
Set to 0 to disable the legacy XSS auditor (modern best practice). Use CSP instead.
X-DNS-Prefetch-Control
X-Permitted-Cross-Domain-Policies
Security Score
Output Format
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), gyroscope=(), magnetometer=(), accelerometer=(), autoplay=(), fullscreen=(self)
X-XSS-Protection: 0
Why security headers matter
Security headers instruct browsers to enable built-in security features: mitigating XSS (CSP), preventing clickjacking (X-Frame-Options), forcing HTTPS (HSTS), and controlling information leakage (Referrer-Policy). Without them, browsers fall back to permissive defaults that leave your users exposed. Adding security headers is one of the highest-impact, lowest-effort security improvements you can make.
// Essential security headers
// Prevent MIME sniffing attacks
X-Content-Type-Options: nosniff
// Prevent clickjacking
X-Frame-Options: DENY
// or Content-Security-Policy: frame-ancestors 'none'
// Control referrer information
Referrer-Policy: strict-origin-when-cross-origin
// Disable dangerous browser features
Permissions-Policy: camera=(), microphone=(), geolocation=()
// Force HTTPS
Strict-Transport-Security: max-age=31536000; includeSubDomains
// Disable the legacy XSS auditor (use CSP to mitigate XSS instead)
X-XSS-Protection: 0
// Vercel (vercel.json)
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Content-Type-Options", "value": "nosniff" }
      ]
    }
  ]
}
Essential headers every site needs
At minimum, every website should set: Strict-Transport-Security (force HTTPS), X-Content-Type-Options: nosniff (prevent MIME sniffing), X-Frame-Options: DENY or SAMEORIGIN (prevent clickjacking), and Referrer-Policy: strict-origin-when-cross-origin (control referrer leakage). These four headers cover the most common attack vectors with minimal risk of breaking functionality. HSTS is the one to roll out carefully: once a browser has seen it, it refuses plain HTTP to that host for max-age seconds, so start with a short max-age, confirm every subdomain serves valid HTTPS before adding includeSubDomains, then raise max-age to a year.
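As an added example (not the generator's output or its own code), the following Node.js snippet builds the four essential headers plus X-XSS-Protection: 0 from a few options, rejects HSTS values that are invalid or ineligible for the browser preload list, and applies the set to every response through a handler wrapper. The option names, the preload check, and the stand-in response object are assumptions made for this example.

```javascript
// Added example, not the page's generator code: build and apply the essential
// header set. Names (buildHsts, buildEssentialHeaders, withSecurityHeaders,
// demoResponse) are this example's own choices.
const ONE_YEAR = 31536000;

function buildHsts({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError('HSTS max-age must be a non-negative integer of seconds');
  }
  // The preload list accepts a domain only with max-age >= 1 year,
  // includeSubDomains and the preload token, so refuse anything weaker.
  if (preload && (!includeSubDomains || maxAge < ONE_YEAR)) {
    throw new Error('preload requires includeSubDomains and max-age >= 31536000');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// frameAncestors: 'none' (default) maps to DENY, 'self' to SAMEORIGIN.
function buildEssentialHeaders({ frameAncestors = 'none', hsts = {} } = {}) {
  return {
    'Strict-Transport-Security': buildHsts(hsts),
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': frameAncestors === 'self' ? 'SAMEORIGIN' : 'DENY',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'X-XSS-Protection': '0', // turn the legacy auditor off; rely on CSP instead
  };
}

// Wrap a Node (req, res) handler so the headers are set before any body is written.
function withSecurityHeaders(handler, options) {
  const headers = buildEssentialHeaders(options);
  return (req, res) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    return handler(req, res);
  };
}

// Run the wrapper against a minimal stand-in for http.ServerResponse and
// return the headers it set, so the behaviour can be checked without a socket.
function demoResponse(options) {
  const captured = {};
  const fakeRes = { setHeader: (name, value) => { captured[name] = value; }, end() {} };
  withSecurityHeaders((req, res) => res.end('ok'), options)({ url: '/' }, fakeRes);
  return captured;
}
```

To use it with a real server, pass the wrapped handler to http.createServer; demoResponse exists only to show what the wrapper sets. Start with a short hsts.maxAge in staging and raise it once every host under the domain serves valid HTTPS.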
Advanced headers for full protection
For maximum security, add: Content-Security-Policy (comprehensive XSS mitigation), Permissions-Policy (restrict browser APIs), Cross-Origin-Opener-Policy (isolate your browsing context from cross-origin openers), Cross-Origin-Embedder-Policy (require explicit opt-in for the cross-origin resources you embed; together with COOP it enables cross-origin isolation), and Cross-Origin-Resource-Policy (stop other origins from loading your resources with no-cors requests). These require more careful configuration but significantly raise the security bar.
Frequently Asked Questions
Which security headers are most important?
HSTS, Content-Security-Policy, and X-Content-Type-Options are the most critical. HSTS prevents downgrade attacks, CSP mitigates XSS, and X-Content-Type-Options prevents MIME-type confusion attacks. Together they address a large share of the browser-side attack surface; they do not replace server-side fixes for injection or authentication flaws.
Can security headers break my website?
Yes, if misconfigured. CSP is the most likely to cause issues — overly restrictive policies can block legitimate scripts, styles, or images. Start with CSP in report-only mode (Content-Security-Policy-Report-Only) to identify what would be blocked before enforcing.
How do I test my security headers?
Use browser DevTools (Network tab → response headers), online scanners like securityheaders.com, or curl -I to inspect headers. Test in staging before production, especially for CSP changes.
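As an added example rather than the tool's own scoring code, the script below takes the raw text of a curl -I response (a constructed response is embedded so it runs offline), parses it into a header map, and audits it against the values this page recommends. Function names and the sample response are this example's own.

```javascript
// Added example, not the page's tool. SAMPLE_CURL_OUTPUT is a constructed
// response chosen to trip every check; parseHeaders and auditHeaders are
// this example's own names.
const SAMPLE_CURL_OUTPUT = [
  'HTTP/2 200 ',
  'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=300',
  'x-frame-options: ALLOWALL',
  'x-xss-protection: 1; mode=block',
  'referrer-policy: no-referrer-when-downgrade',
  '',
].join('\r\n');

// Turn `curl -I` output into { lowercased-name: value }; repeated headers are
// joined with ", " as HTTP allows.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const i = line.indexOf(':');
    if (i <= 0) continue;                            // blank or malformed line
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Check the parsed headers against the page's recommended values.
function auditHeaders(h) {
  const findings = [];
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push('HSTS max-age below one year');
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const csp = h['content-security-policy'] || '';
  if (!/frame-ancestors/i.test(csp) && !['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push('no clickjacking protection (X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors)');
  }
  const rp = h['referrer-policy'];
  if (!rp || /unsafe-url|no-referrer-when-downgrade/i.test(rp)) {
    findings.push('Referrer-Policy missing or leaks full URLs cross-origin');
  }
  if (h['x-xss-protection'] && h['x-xss-protection'].trim() !== '0') {
    findings.push('X-XSS-Protection enables the legacy auditor; set it to 0');
  }
  if (!csp) findings.push('no Content-Security-Policy');
  return findings;
}
```

Against a live host, feed it the output of curl -sI https://example.test (hostname illustrative) instead of the embedded sample; run it against staging before a deploy so a header dropped by a proxy or CDN layer is caught before production.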