Copy · paste · reload
Security headers you can actually paste.
Copy-paste blocks for every HTTP security header — Content-Security-Policy,
Strict-Transport-Security, X-Frame-Options, Permissions-Policy
and more — for Nginx, Apache, Caddy and Cloudflare. One block per task, plus how to verify it.
15 recipes
- Essentials: Why Your Security Headers Aren't Applying (Common Mistakes). Nginx add_header inheritance, the missing 'always' flag, duplicate headers from app + proxy, and how to debug it all with curl.
- Essentials: The Security Headers Starter Set (Copy-Paste for Any Server). The recommended HTTP security headers in one block — for Nginx, Apache, Caddy and a _headers file. Copy, reload, verify.
- By header: COOP, COEP & CORP: Cross-Origin Isolation Headers. What Cross-Origin-Opener-Policy, Embedder-Policy and Resource-Policy do, when you need them (SharedArrayBuffer), and copy-paste blocks per server.
- By header: CORS Done Right: Access-Control-Allow-Origin Without the Wildcard. Set CORS safely — reflect a specific allowed origin (not *), handle credentials and preflight, with copy-paste blocks for Nginx, Apache and Caddy.
- By header: A Content-Security-Policy That Won't Break Your Site (Starter). Roll out Content-Security-Policy the safe way: report-only first, then enforce. Starter policies for static and typical sites, per server.
- By header: Strict-Transport-Security (HSTS): Copy-Paste + Preload. Force HTTPS with Strict-Transport-Security for Nginx, Apache, Caddy and _headers — plus the exact preload requirements and how to roll back safely.
- By header: Permissions-Policy: Disable Camera, Mic & Geolocation (Copy-Paste). Turn off browser features your site doesn't use with Permissions-Policy, for Nginx, Apache, Caddy and _headers. Copy-paste.
- By header: Referrer-Policy: Which Value to Use (Copy-Paste). Control how much referrer info leaks to other sites. The recommended Referrer-Policy value plus options, for Nginx, Apache, Caddy and _headers.
- By header: Hide Server & X-Powered-By Headers (Reduce Fingerprinting). Stop leaking your server software and version via the Server and X-Powered-By headers, on Nginx, Apache, PHP and Caddy. Copy-paste.
- By header: X-Content-Type-Options: nosniff (Copy-Paste). Stop MIME-type sniffing with X-Content-Type-Options: nosniff on Nginx, Apache, Caddy and _headers. Copy-paste.
- By header: Stop Clickjacking: X-Frame-Options & CSP frame-ancestors. Prevent your site being framed. The modern CSP frame-ancestors directive plus X-Frame-Options for older browsers, per server. Copy-paste.
- By server: All Security Headers for Apache (mod_headers). A complete, copy-paste set of HTTP security headers for Apache — vhost or .htaccess — plus ServerTokens and unsetting X-Powered-By.
- By server: All Security Headers for Caddy (One Caddyfile Block). A complete, copy-paste set of HTTP security headers for a Caddy v2 site block, including removing the Server header.
- By server: Security Headers on Cloudflare (Workers & Pages _headers). Set HTTP security headers on Cloudflare — a Pages/Netlify _headers file and a Cloudflare Worker that adds headers to every response. Copy-paste.
- By server: All Security Headers for Nginx (One Server Block). A complete, copy-paste set of HTTP security headers for an Nginx server block — with server_tokens off and the add_header inheritance fix.
Why this exists
The header is simple. The exact syntax for your server isn't.
You know you want Strict-Transport-Security or a sane Content-Security-Policy — but is it add_header with always, Header always set, a Caddyfile directive, or a _headers line? And why did your Nginx header vanish the moment you added another one? headerforge.pages.dev answers exactly that: one copy-paste block per header for every common server, the safe rollout for the risky ones (CSP), and the curl command to prove it's live.
How it works
Pick the header, copy your server's block, verify
- Pick a recipe. Browse by header or by server in the full recipe list.
- Copy the block for your stack. Each recipe has Nginx, Apache, Caddy and Cloudflare variants with one-click copy.
- Reload and verify. Every recipe ends with the curl -I command to confirm the header is being sent.
FAQ
Frequently asked questions
Are these header configs free?
Yes. Every recipe on headerforge.pages.dev is free to read and copy, with no account, paywall, or sign-up. Some outbound links (for example to hosting or CDN providers) may be affiliate links, which never change the price you pay.
Where do these headers go?
In your web server or platform config: an Nginx server block, an Apache .htaccess / vhost with mod_headers, a Caddyfile, a Cloudflare Worker, or a Cloudflare Pages / Netlify _headers file. Each recipe shows the exact block for every server, and there are per-server "all headers" pages too.
Will adding a Content-Security-Policy break my site?
It can if you go strict too fast. The CSP recipe shows you how to deploy Content-Security-Policy-Report-Only first, watch what it would block, then switch to the enforcing header once it is clean — so nothing breaks for users.
My Nginx add_header isn't working — why?
Nginx does not inherit add_header directives from an enclosing block into any block that defines add_header directives of its own (so a location with a single add_header silently drops every header set at the server level), and add_header only applies to success and redirect responses unless it carries the "always" flag, so error pages go out without your headers. This is the #1 reason headers silently disappear; the "common mistakes" recipe covers it with fixes.
How do I check which headers I'm actually sending?
Run "curl -I https://yourdomain" (or "curl -sI ... | grep -i <header>") to see the live response headers, or use a public scanner. Every recipe ends with the exact curl command to verify the header is present and correct.
Do I need all of these headers?
Start with the high-impact ones: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options. The "starter set" recipe gives you all the recommended headers in one copy-paste block per server.