
Web Security Headers Generator

Generate a complete set of HTTP security headers tailored to your site requirements: Content-Security-Policy, HSTS, X-Frame-Options, Permissions-Policy, COEP, COOP, and more.

Generated Headers

Score: 100 / 100 (Strong Security), 9 headers generated.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; frame-src 'none'; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), payment=(), camera=(), microphone=(), geolocation=(), gyroscope=(), magnetometer=(), usb=(), interest-cohort=()
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

Header Explanations

Content-Security-Policy (+30 pts)

Defines the approved sources for each content type (scripts, styles, images, fonts, frames, connections). It mitigates XSS by refusing to run any script that does not come from a listed source, which includes inline scripts and event handlers unless a nonce or hash allows them; it does not remove the injection itself. Two caveats about the policy generated above: style-src keeps 'unsafe-inline', so injected inline styles still apply (CSS injection can exfiltrate attribute values), and frame-ancestors 'none' already covers clickjacking, taking precedence over X-Frame-Options in browsers that understand both. Roll a new policy out as Content-Security-Policy-Report-Only first, because a policy that is too strict breaks the site silently.

Mitigates: Cross-Site Scripting (XSS), code injection, data exfiltration

X-Frame-Options (+10 pts)

Controls whether the page may be embedded in a frame: DENY refuses every framer, SAMEORIGIN allows only the same origin. It is the legacy control; browsers that support CSP frame-ancestors ignore X-Frame-Options when both are present, so keep it for older clients and make sure it agrees with frame-ancestors (DENY pairs with 'none', SAMEORIGIN with 'self').

Mitigates: Clickjacking, UI redressing attacks

X-Content-Type-Options (+10 pts)

Tells the browser to trust the declared Content-Type and not sniff the body, so a response served as text/plain or application/octet-stream (a user upload, for example) is never executed as JavaScript or applied as a stylesheet. Chromium also relies on it to apply Cross-Origin Read Blocking to more response types. Send it on every response, static assets and error pages included, not only on HTML.

Mitigates: MIME confusion attacks, sniffed content executed as script

Referrer-Policy (+10 pts)

Controls how much of the current URL is sent in the Referer header of outgoing requests. strict-origin-when-cross-origin (the default in current browsers) sends the full URL to same-origin destinations, only the origin to cross-origin destinations, and nothing at all when going from HTTPS to HTTP, so paths and query strings carrying tokens or reset links do not reach third parties. Avoid unsafe-url and no-referrer-when-downgrade, which send the full URL cross-origin.

Mitigates: Privacy leakage, sensitive URL exposure in the Referer header

Permissions-Policy (+10 pts)

Controls which browser features and APIs the page and the frames it embeds may use. An empty allowlist such as camera=() disables the feature for the page itself and for every iframe in it, so a third-party widget cannot obtain it even if it asks. interest-cohort=() was the opt-out for Chrome's FLoC trial, which has since been withdrawn; it is harmless but no longer has any effect. A feature the page genuinely needs (payment on a checkout page, say) should be allowed for specific origins, e.g. payment=(self), rather than left unrestricted.

Mitigates: Unauthorized access to browser APIs, feature abuse by embedded third-party content

Strict-Transport-Security (+15 pts)

Tells the browser to reach this host only over HTTPS for max-age seconds (31536000 is one year) once it has seen the header on an HTTPS response, rewriting http:// links internally and refusing connections with certificate errors. Because the browser then never sends a plaintext request, cookies cannot be captured or injected over HTTP and an SSL-stripping proxy has nothing to downgrade. The very first visit is still unprotected; the preload list closes that gap, but preload only takes effect after the domain is submitted at hstspreload.org. Submission requires includeSubDomains, which then applies to every subdomain, so confirm that all of them serve HTTPS before enabling it: removal from the list takes months, and a broken subdomain stays broken until then.

Mitigates: SSL stripping, HTTP downgrade attacks, man-in-the-middle

Cross-Origin-Embedder-Policy (+5 pts)

require-corp makes the document refuse any cross-origin subresource that has not opted in, either by carrying a Cross-Origin-Resource-Policy header or by being loaded with CORS (the crossorigin attribute on script, img and link elements). Together with Cross-Origin-Opener-Policy: same-origin it makes the page cross-origin isolated (window.crossOriginIsolated becomes true), which browsers require before exposing SharedArrayBuffer and high-resolution timers. Audit third-party assets before deploying it: an image or script from a CDN that sends no CORP header simply stops loading. Where assets cannot be fixed, credentialless is a less strict alternative in browsers that support it, loading cross-origin resources without credentials instead of blocking them.

Mitigates: Spectre-based side-channel attacks, cross-origin data leakage

Cross-Origin-Opener-Policy (+5 pts)

same-origin puts the page in its own browsing context group: a cross-origin page that opened it, or a popup it opens, loses its reference to the window (window.opener becomes null and the returned handle is detached), so cross-origin pages can no longer probe it through frame counting, navigation or postMessage. This breaks OAuth, SSO and payment popups that report back through window.opener; same-origin-allow-popups keeps those flows working while still cutting the link to a cross-origin opener.

Mitigates: Cross-origin information leakage via window.opener

Cross-Origin-Resource-Policy (+5 pts)

Marks a response as not to be loaded by documents from other origins through no-cors requests such as img, script, audio or link elements; requests made with CORS and explicitly approved are unaffected. The browser blocks the response before the page can observe it, which defends against speculative-execution side channels and cross-site leaks that infer content from a resource's size, timing or error state. same-origin blocks every cross-origin load, including from your own subdomains; same-site allows those. It is also the header other sites must send for their resources to load under your COEP: require-corp, and the one you must send for yours to load under theirs.

Mitigates: Cross-site leaks, unauthorized resource inclusion
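The following is an added example, not part of the generator tool or its author's code, that turns the explanations above into a check you can run against a real response. It parses a Content-Security-Policy value into directives, lints the script-src, object-src, base-uri and style-src settings discussed above, and audits the full nine-header set for the weak values the explanations warn about. The two header dictionaries are constructed inline so it runs offline: PAGE_HEADERS is the set generated above, WEAK_HEADERS is a made-up framework default. The function names are this example's own; for a live target replace the dictionaries with the response's headers (e.g. dict(requests.get(url).headers), assuming the requests library).

```python
"""Audit an HTTP response's security headers against the nine headers this page generates.

Added example, not part of the generator tool.  Takes a plain dict of
response headers and returns a list of findings; empty means nothing is
missing or weakened.
"""
from __future__ import annotations

import re

HSTS_MIN_AGE = 31536000                       # one year, the floor hstspreload.org accepts
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}   # send the full URL cross-origin


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}.

    Directive names are case-insensitive and browsers ignore a repeated
    directive, so the first occurrence wins here as well.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(value: str) -> list[str]:
    """Findings for the CSP weaknesses that most often turn an injection into XSS."""
    p = parse_csp(value)
    out: list[str] = []
    scripts = p.get("script-src", p.get("default-src"))   # script-src falls back to default-src
    if scripts is None:
        out.append("CSP: scripts unrestricted (no script-src, no default-src)")
    else:
        if "'unsafe-inline'" in scripts and not any(s.startswith(NONCE_OR_HASH) for s in scripts):
            out.append("CSP: script-src allows 'unsafe-inline' with no nonce or hash")
        if "'unsafe-eval'" in scripts:
            out.append("CSP: script-src allows 'unsafe-eval'")
        if "*" in scripts or any(s.endswith(":") for s in scripts):   # e.g. https: or data:
            out.append("CSP: script-src allows a wildcard or whole-scheme source")
    objects = p.get("object-src", p.get("default-src"))   # object-src falls back too
    if objects is None or "'none'" not in objects:
        out.append("CSP: object-src should be 'none' (plugins can run script)")
    if "base-uri" not in p:                                # base-uri never falls back
        out.append("CSP: missing base-uri (an injected <base> redirects relative script URLs)")
    styles = p.get("style-src", p.get("default-src"))
    if styles and "'unsafe-inline'" in styles:
        out.append("CSP: style-src allows 'unsafe-inline' (CSS injection can exfiltrate data)")
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Check the nine headers this page generates; returns [] for a clean response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out: list[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        out.append("missing Content-Security-Policy")
    else:
        out += lint_csp(csp)
    # frame-ancestors does not fall back to default-src; X-Frame-Options is the legacy equivalent.
    if (csp is None or "frame-ancestors" not in parse_csp(csp)) and "x-frame-options" not in h:
        out.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append("X-Content-Type-Options is not 'nosniff'")

    rp = h.get("referrer-policy", "").lower()
    if not rp:
        out.append("missing Referrer-Policy")
    elif rp in LEAKY_REFERRER:
        out.append(f"Referrer-Policy '{rp}' sends the full URL to other origins")

    if "permissions-policy" not in h:
        out.append("missing Permissions-Policy")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            out.append(f"HSTS max-age={age} is under one year")
        if "includesubdomains" not in hsts.lower():
            out.append("HSTS lacks includeSubDomains")

    # Absent COOP/COEP behave like unsafe-none, so treat the two cases alike.
    if h.get("cross-origin-opener-policy", "unsafe-none").lower() == "unsafe-none":
        out.append("Cross-Origin-Opener-Policy missing or unsafe-none")
    if h.get("cross-origin-embedder-policy", "unsafe-none").lower() == "unsafe-none":
        out.append("Cross-Origin-Embedder-Policy missing or unsafe-none")
    if "cross-origin-resource-policy" not in h:
        out.append("missing Cross-Origin-Resource-Policy")
    return out


# The header set this page generates, copied from the output above.
PAGE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "font-src 'self'; img-src 'self' data:; frame-src 'none'; connect-src 'self'; object-src 'none'; "
    "base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed weak set (made up for this example): a typical framework default.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "NOSNIFF",        # valid: the value is case-insensitive
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, hdrs in (("page", PAGE_HEADERS), ("weak", WEAK_HEADERS)):
        findings = audit_headers(hdrs)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the generated set it reports exactly one finding, the style-src 'unsafe-inline' caveat that survives a 100/100 score; the weak set produces fourteen. It checks presence and values only, not whether the headers reach every response, so point it at several URLs of a site, static assets and error pages included.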

marduc812

2026