Security headers reference

What each HTTP security header does, its options, and how it's scored.

Transport

Strict-Transport-Security

Force browsers to use HTTPS for your whole domain.

Content Security Policy

Content-Security-Policy

Whitelist what can load and run — your strongest anti-XSS control.

Framing

X-Frame-Options

Stop your pages from being framed (clickjacking).

MIME sniffing

X-Content-Type-Options

Stop browsers from MIME-sniffing responses.

Referrer

Referrer-Policy

Control how much URL info leaks in the Referer header.

Permissions

Permissions-Policy

Disable powerful browser features you don’t use.

Cross-origin isolation

Cross-Origin-Opener-Policy

Isolate your browsing context from cross-origin windows.

Cross-Origin-Embedder-Policy

Require cross-origin resources to opt in to being embedded.

Cross-Origin-Resource-Policy

Limit which origins may embed this resource.

Legacy & misc

X-Permitted-Cross-Domain-Policies

Block Adobe Flash/PDF cross-domain policy files.

X-XSS-Protection

Disable the buggy legacy XSS auditor.