securityheaders.fyi
Toggle the HTTP security headers you want, watch your grade update live, and copy the ready-to-paste config for nginx, Caddy, Apache, or Express.
Transport
HSTS tells the browser to only ever connect to your site over HTTPS for the next max-age seconds — even if a user types http:// or follows a plain-HTTP link. This shuts down SSL-stripping man-in-the-middle attacks. Send it only over HTTPS. Use includeSubDomains once every subdomain serves HTTPS, and preload only when you're ready to be hard-coded into browsers' preload lists (removal is slow). MDN
Content Security Policy
CSP is an allowlist for the resources a page may load and execute (scripts, styles, images, frames, connections…). A tight policy is the most effective defense against cross-site scripting and injection: even if an attacker injects markup, the browser refuses to run scripts that aren't allowed. The strong baseline is default-src 'self' plus object-src 'none', base-uri 'self', and frame-ancestors 'none'. Avoid 'unsafe-inline'/'unsafe-eval' in script-src — prefer nonces or hashes. Test first with Report-Only mode, which reports violations without blocking. MDN
Framing
X-Frame-Options controls whether a browser may render your page inside a <frame>, <iframe>, <embed>, or <object> — the basis of clickjacking. DENY blocks all framing; SAMEORIGIN allows only your own origin. It's the legacy mechanism: the modern equivalent is CSP frame-ancestors, which is more flexible and respected by current browsers. Send both for the widest coverage. MDN
MIME sniffing
X-Content-Type-Options, set to nosniff, stops browsers from second-guessing the declared Content-Type and "sniffing" a response into something executable — e.g. treating an uploaded text file as JavaScript. It also enforces that scripts and stylesheets are served with the right type. There's exactly one valid value: nosniff. MDN
Referrer
Referrer-Policy decides how much of the current URL is sent in the Referer header when users navigate or fetch resources. Leaky values can expose paths, query strings, or tokens to third parties. strict-origin-when-cross-origin (the modern browser default) sends the full URL to same-origin destinations but only the origin cross-origin, and nothing when downgrading HTTPS→HTTP. no-referrer is the most private. MDN
Permissions
Permissions-Policy (formerly Feature-Policy) lets you switch off browser features your site doesn't need — camera, microphone, geolocation, payment, USB, and more — so injected or embedded content can't abuse them. Each feature listed with an empty allowlist () is disabled for everyone, including your own origin. Toggle on the features you want to deny below. MDN
Cross-origin isolation
COOP (Cross-Origin-Opener-Policy) severs the link between your page and any cross-origin window that opened it (or that it opens), so they can't reference each other via window.opener. same-origin gives the strongest isolation and, paired with COEP, enables crossOriginIsolated (needed for SharedArrayBuffer and precise timers) while mitigating Spectre-style cross-origin leaks. Use same-origin-allow-popups if you rely on OAuth-style popups. MDN
COEP (Cross-Origin-Embedder-Policy) makes your document refuse to load cross-origin resources unless they explicitly grant permission (via CORP or CORS). require-corp enforces this; credentialless is a lighter variant that loads no-CORS resources without credentials. Combined with COOP same-origin, it unlocks crossOriginIsolated. It can break third-party embeds that don't send the right headers, so it's off by default here — enable deliberately. MDN
CORP (Cross-Origin-Resource-Policy) lets a resource declare who is allowed to embed it, blocking cross-origin reads that fuel side-channel attacks (Spectre) and resource theft. same-origin allows only your own origin; same-site allows your whole site; cross-origin permits anyone (use for public assets like fonts or a CDN). Apply same-origin to sensitive responses. MDN
Legacy & misc
X-Permitted-Cross-Domain-Policies controls whether Adobe clients (historically Flash and Acrobat) may load a cross-domain policy file from your site to make cross-origin requests. none forbids all such policies. Flash is dead, but the header is cheap, widely scanned for, and still relevant to some PDF/legacy clients — so most hardened configs set none. MDN
X-XSS-Protection controlled the old browser "XSS auditor", which was itself a source of vulnerabilities and has been removed from modern browsers. Current best practice — and what security scanners expect — is to send 0, which explicitly disables it, and rely on a strong Content-Security-Policy instead. Don't use 1; mode=block. MDN
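As an added example (not the site's generated nginx/Caddy/Apache/Express config), the recommendations above encoded as a header map, plus an audit function that checks any response header set against them; the HSTS max-age and the Permissions-Policy feature list are choices made here, not values from the page.

```javascript
// Hardened baseline assembled from the guidance above. max-age (two years)
// and the denied Permissions-Policy features are this example's choices.
const HARDENED = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy':
    "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), payment=(), usb=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'X-XSS-Protection': '0',
};

// Parse a CSP string into { directive: [values] } so directives can be inspected.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = values;
  }
  return out;
}

// Audit a response header map (names matched case-insensitively); returns findings.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) findings.push('missing Content-Security-Policy');
  else {
    // script-src falls back to default-src when absent, so check whichever applies.
    const script = csp['script-src'] || csp['default-src'] || [];
    if (script.some(v => v === "'unsafe-inline'" || v === "'unsafe-eval'"))
      findings.push('CSP script-src allows unsafe-inline/unsafe-eval');
    for (const need of ['object-src', 'base-uri', 'frame-ancestors'])
      if (!csp[need]) findings.push(`CSP missing ${need}`);
  }
  if (h['x-content-type-options'] !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!h['x-frame-options'] && !(csp && csp['frame-ancestors'])) findings.push('no framing protection');
  if (h['x-xss-protection'] && h['x-xss-protection'].trim() !== '0') findings.push('X-XSS-Protection should be 0');
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');
  return findings;
}
```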
Grading: the six core headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) total 100 points; the cross-origin isolation and legacy headers add small bonuses, capped at 100. It scores the configuration you build — it does not fetch any live site.