Generator

Security Headers All-in-One Builder

Toggle the core security headers and get ready-to-paste config for nginx, Apache, and Node.js / Next.js.

HSTS

X-Frame-Options: DENY

X-Content-Type-Options: nosniff

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy (camera/mic/geo/payment off)

Cross-Origin-Opener-Policy: same-origin

nginx

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;