Crawlsonar

Security Headers Generator

Build a hardened set of HTTP security headers — HSTS, CSP, clickjacking and MIME protection — and copy it as raw headers or nginx/Apache config.

HSTS
Policies
Format:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

Add these to your server or CDN, then confirm with the HTTP Header Checker. Roll out CSP in Content-Security-Policy-Report-Only first.

What HTTP security headers are (and why they matter for SEO)

HTTP security headers are directives your server sends with every response that instruct the browser to enforce protections — force HTTPS, block clickjacking, stop MIME-sniffing, and restrict what scripts and resources may load. They’re free, they’re a one-line change at your CDN or web server, and they matter beyond security: HTTPS is a Google ranking signal, a hijacked or defaced page destroys trust and rankings overnight, and browsers increasingly warn users away from sites that ship them insecurely. This generator builds a hardened set for you and outputs it as raw headers, nginx or Apache config. Every option is explained below.

Every option, explained

Strict-Transport-Security (HSTS)

HSTS tells the browser to only ever connect to your domain over HTTPS, defeating SSL-stripping and downgrade attacks. It has three settings:

  • max-age — how long (in seconds) the browser remembers the HTTPS-only rule. Use a long value like 31536000 (1 year) or 63072000 (2 years). Start shorter if you’re cautious, then raise it.
  • includeSubDomains — applies the HTTPS-only rule to every subdomain too. Only enable once every subdomain reliably serves HTTPS, or you’ll break the ones that don’t.
  • preload — opts you into the browser-baked HSTS preload list (submitted at hstspreload.org), so the very first visit is already HTTPS. Powerful but hard to undo — requires a long max-age and includeSubDomains. Turn it on only when you’re fully committed to HTTPS everywhere.

Content-Security-Policy (CSP)

CSP is the single most effective defence against cross-site scripting (XSS): it lists exactly which sources of scripts, styles and other resources are allowed, so an injected<script>simply won’t run. This generator offers three presets:

  • Strictdefault-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'. The best baseline: only your own origin, no plugins, no framing. Ideal if your scripts and styles are self-hosted.
  • Basic — a looser policy that also allows inline styles and data-URI images, for sites that need them. Weaker, but a pragmatic starting point.
  • None — omit CSP (not recommended, but available if you set it elsewhere).

Roll CSP out safely: deploy it first as Content-Security-Policy-Report-Only, which reports violations without blocking anything. Watch the reports, allow the legitimate sources it flags, then switch to the enforcing Content-Security-Policy header. To drop 'unsafe-inline' entirely, move to a per-request nonce with'strict-dynamic' — see the CSP guide.

X-Frame-Options

Stops clickjacking by controlling whether your pages can be embedded in an iframe:

  • DENY — no site may frame you (safest).
  • SAMEORIGIN — only your own origin may frame you (use if you embed your own pages).
  • none — omit it. Modern browsers honour the CSP frame-ancestors directive instead; sending both covers older browsers.

X-Content-Type-Options: nosniff

Stops the browser from second-guessing (“sniffing”) a file’s type, which can turn an uploaded image into an executable script. There’s one value — nosniff — and you should almost always send it.

Referrer-Policy

Controls how much of the referring URL is sent when a visitor clicks away. The recommended value, strict-origin-when-cross-origin, sends the full path within your own site but only the bare origin to other sites — protecting user privacy and not leaking internal URLs, while still passing enough referrer data for analytics.

Permissions-Policy

Disables powerful browser features (camera, microphone, geolocation, and ad-targeting APIs likebrowsing-topics) that your site doesn’t use, shrinking the attack surface. Toggle it on to emit a locked-down policy.

Common mistakes

  • Enabling HSTS preload before every subdomain serves HTTPS — it’s slow to reverse.
  • Shipping a strict CSP straight to enforcing mode and blocking your own scripts — always use report-only first.
  • Forgetting to actually send the headers — generating them isn’t enough; verify with the checker.

Related tools & guides

Frequently asked questions

Which headers does it generate?

HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy — as raw, nginx or Apache config.

How do I roll out CSP safely?

Deploy it as Content-Security-Policy-Report-Only first, fix the sources it flags, then switch to the enforcing header.