Security Headers Generator

Harden HTTP responses with HSTS, Referrer-Policy, COOP, and COEP.

HTTP Strict Transport Security (HSTS)

- Enforces HTTPS connections.

31536000 = 1 Year

- Allow submission to browser HSTS preload lists.
- Prevents MIME-type sniffing.

Controls which browser APIs and features can be used (formerly Feature-Policy).

security-headers.txt
1

HTTP Security Headers Best Practices

HTTP Security Headers are a fundamental part of web application security. They instruct the browser on how to behave when handling your site's content, significantly reducing the attack surface.

Essential Security Headers

  • Strict-Transport-Security (HSTS): Enforces secure (HTTP over SSL/TLS) connections to the server. This prevents downgrade attacks and cookie hijacking. Always use a high max-age (e.g., 1 year) and consider includeSubDomains.
  • X-Frame-Options: Protects against Clickjacking by controlling whether your site can be rendered inside an