uxTools

Security Headers Reference

Browse the essential HTTP security headers, copy their recommended values, and generate a ready-to-paste config snippet for NGINX, Apache, or Node.


Strict-Transport-Security

Tells the browser to use HTTPS for every future request to this host (and, with includeSubDomains, to its subdomains) for max-age seconds, blocking protocol-downgrade attacks and cookie hijacking over plaintext connections. Browsers only honor the header when it arrives over HTTPS. The preload token opts the domain into the browsers' built-in HSTS list, which is slow to leave, so add it only once every subdomain serves HTTPS.

Recommended value
max-age=63072000; includeSubDomains; preload

Content-Security-Policy

Allowlists the sources from which the page may load scripts, styles, frames and other resources, and is the main browser-side defense in depth against cross-site scripting (XSS) and data injection. The value below blocks all inline scripts and plugins: keep any inline script you need by giving it a nonce or hash in script-src rather than adding 'unsafe-inline', and keep encoding output on the server, since CSP limits the damage of an XSS bug rather than removing it.

Recommended value
default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'

X-Frame-Options

Blocks the page from being embedded in a frame or iframe, defending against clickjacking. Superseded by CSP frame-ancestors but still respected by older browsers.

Recommended value
DENY

X-Content-Type-Options

Stops browsers from MIME-sniffing a response away from its declared Content-Type, preventing scripts from being executed from non-script responses.

Recommended value
nosniff

Referrer-Policy

Controls how much of the originating URL is sent in the Referer header, limiting leakage of sensitive paths and query strings to other origins. strict-origin-when-cross-origin sends the full URL on same-origin requests, only the origin on cross-origin requests, and nothing when going from HTTPS to HTTP; recent versions of Chrome and Firefox already use it as the default when no policy is set, so the header mainly pins the behaviour for older browsers.

Recommended value
strict-origin-when-cross-origin

Permissions-Policy

Selectively enables or disables powerful browser features (camera, microphone, geolocation, etc.) for the page and any frames it embeds. An empty allowlist such as geolocation=() denies the feature everywhere, including in embedded frames; use (self) to keep it for the page's own origin. Extend the list to cover the features your app does not use.

Recommended value
geolocation=(), camera=(), microphone=()

Cross-Origin-Opener-Policy

Isolates the page's browsing context from cross-origin windows, mitigating cross-window attacks (for example leaks through window.opener) and enabling features that require cross-origin isolation. same-origin cuts the opener relationship with cross-origin pages, so popup-based sign-in flows that must reach back to the opener need same-origin-allow-popups instead.

Recommended value
same-origin

Cross-Origin-Embedder-Policy

Requires that cross-origin resources explicitly grant permission to be embedded (through a Cross-Origin-Resource-Policy header or CORS), a prerequisite (with COOP) for cross-origin isolation and therefore for SharedArrayBuffer and high-resolution timers. Any third-party image, script or font that grants neither stops loading under require-corp, so audit your embeds before enabling it.

Recommended value
require-corp

Cross-Origin-Resource-Policy

Limits which origins may load this resource through no-cors requests such as <img> and <script> tags, blocking side-channel attacks such as Spectre that read cross-origin responses out of the renderer's memory. same-origin is right for HTML and API responses; use same-site for assets shared across your own subdomains and cross-origin for public assets that other sites legitimately embed.

Recommended value
same-origin

X-XSS-Protection

Deprecated

Toggled the legacy XSS auditor built into older browsers. Modern browsers have removed it, and the auditor itself could be abused to leak information or to block legitimate scripts, so set it to 0 (or omit the header entirely) rather than 1; mode=block.

Recommended value
0
Generated config (NGINX snippet for the first five headers above)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Note that add_header is not inherited additively in NGINX: a server or location block that sets any add_header of its own drops every header inherited from the enclosing block, so keep these in one place or repeat the full set wherever you add another header. The always flag makes NGINX send them on every status code, not only on successful and redirect responses.

About these headers

Security headers are response headers that instruct the browser to enforce extra protections such as forcing HTTPS, blocking framing, restricting resource origins, and limiting referrer leakage. Apply them at your server or CDN edge, then validate the live response with a header scanner rather than trusting the config, since a proxy or CDN layer in front can strip or overwrite them. The recommended values here are sensible defaults; tune Content-Security-Policy and Permissions-Policy to your app's actual needs before deploying, and roll out a new CSP under Content-Security-Policy-Report-Only first so that violations are reported but nothing breaks until you switch to enforcement.