About

Copy-paste HTTP security headers — by someone who configures web servers and got tired of re-deriving the same blocks.

Security scanners and Lighthouse keep flagging missing headers, but the fix is scattered: the right directive differs between Nginx, Apache, Caddy and Cloudflare, and small mistakes make headers silently disappear. In Nginx an add_header without always is skipped on error responses such as 404 and 500, and an add_header inside a location block discards every add_header inherited from the server block; Apache's Header set has the same error-response gap unless it is written as Header always set. This site collects the configs that actually work into one library: one copy-paste block per header for every common server, the safe rollout for the risky ones (a CSP that blocks too much, an HSTS max-age you cannot take back), and the curl command to confirm the header is live.
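The Nginx inheritance pitfall described above, as an added example that is not one of the site's own recipes. The hostname, upstream address and snippet path are placeholders chosen for illustration; the add_header semantics (child-block add_header replaces all inherited ones, always needed for non-2xx/3xx responses, available since Nginx 1.7.5) are standard Nginx behaviour.

```nginx
# WEAK: headers are declared at server level, but the `location /api/` block
# declares its own add_header. In Nginx that replaces ALL inherited add_header
# directives, so responses under /api/ carry neither HSTS nor nosniff.
# Without `always`, even the other locations drop both headers on 404/500.
server {
    listen 443 ssl;
    server_name example.com;              # placeholder hostname (assumption)

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options "nosniff";

    location /api/ {
        add_header Cache-Control "no-store";   # this line alone wipes the two headers above
        proxy_pass http://127.0.0.1:8080;      # placeholder upstream (assumption)
    }
}

# CORRECTED: keep the security headers in one snippet and include it in every
# block that has its own add_header, so nothing is lost to inheritance.
# `always` emits them on every status code, not only 2xx and 3xx.
#
# Contents of snippets/security-headers.conf (assumed path, relative to the
# Nginx prefix, e.g. /etc/nginx/snippets/):
#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#   add_header X-Content-Type-Options "nosniff" always;
server {
    listen 443 ssl;
    server_name example.com;
    include snippets/security-headers.conf;

    location /api/ {
        # Re-include here: a child-level add_header would otherwise replace the
        # server-level set entirely, exactly as in the weak block above.
        include snippets/security-headers.conf;
        add_header Cache-Control "no-store" always;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Verify on a path that returns an error, since that is where a missing
# `always` shows up:
#   curl -sI https://example.com/api/does-not-exist | grep -i -E 'strict-transport|x-content-type'
```

Test the error path, not just the home page: a 200 from / can look fine while every 404 and every response under a location with its own add_header goes out bare. The same check applies to Apache, where Header set must become Header always set for the headers to survive error responses.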

Recipes are written for current Nginx, Apache (mod_headers), Caddy v2, and Cloudflare (Workers and Pages _headers). Header values follow current browser behaviour and the relevant specs (Fetch for CORS, CSP Level 3, RFC 6797 for HSTS).

Topics: CSP, HSTS, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP, CORS, and removing server-fingerprinting headers such as Server and X-Powered-By.