Browse the essential HTTP security headers, copy their recommended values, and generate a ready-to-paste config snippet for NGINX, Apache, or Node.

Strict-Transport-Security
Forces browsers to use HTTPS for future requests, preventing protocol-downgrade and cookie-hijacking attacks over insecure connections.
Recommended value: max-age=63072000; includeSubDomains; preload

Content-Security-Policy
Allow-lists the sources a page may load scripts, styles, frames and other resources from; the primary defense against cross-site scripting (XSS) and data injection.
Recommended value: default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'

X-Frame-Options
Blocks the page from being embedded in a frame or iframe, defending against clickjacking. Superseded by the CSP frame-ancestors directive but still respected by older browsers.
Recommended value: DENY

X-Content-Type-Options
Stops browsers from MIME-sniffing a response away from its declared Content-Type, preventing scripts from being executed from non-script responses.
Recommended value: nosniff

Referrer-Policy
Controls how much of the originating URL is sent in the Referer header, limiting leakage of sensitive paths and query strings to other origins.
Recommended value: strict-origin-when-cross-origin

Permissions-Policy
Selectively enables or disables powerful browser features (camera, microphone, geolocation, etc.) for the page and any embedded frames.
Recommended value: geolocation=(), camera=(), microphone=()

Cross-Origin-Opener-Policy
Isolates the page's browsing context from cross-origin windows, mitigating cross-window attacks and enabling features that require cross-origin isolation.
Recommended value: same-origin

Cross-Origin-Embedder-Policy
Requires that cross-origin resources explicitly grant permission to be embedded; a prerequisite (together with COOP) for cross-origin isolation and high-resolution timers.
Recommended value: require-corp

Cross-Origin-Resource-Policy
Limits which origins may embed this resource, blocking side-channel attacks such as Spectre that read cross-origin responses.
Recommended value: same-origin

X-XSS-Protection
Toggles the legacy XSS auditor built into older browsers. Modern browsers have removed it, and it can itself introduce vulnerabilities, so it should be disabled.
Recommended value: 0

NGINX config snippet:

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Security headers are response headers that instruct the browser to enforce extra protections such as forcing HTTPS, blocking framing, restricting resource origins, and limiting referrer leakage. Apply them at your server or CDN edge and validate the result against a scanner. The recommended values here are sensible defaults; tune Content-Security-Policy and Permissions-Policy to your app's actual needs before deploying.