Copy · paste · reload
Security headers you can actually paste.
Copy-paste blocks for CSP, HSTS, X-Frame-Options, Permissions-Policy and more — for Nginx, Apache, Caddy and Cloudflare. One block per task, plus how to verify it.
15 recipes
- Essentials · Why Your Security Headers Aren't Applying (Common Mistakes): Nginx add_header inheritance, the missing 'always' flag, duplicate headers from app + proxy, and how to debug it all with curl. (4 min)
- Essentials · The Security Headers Starter Set (Copy-Paste for Any Server): The recommended HTTP security headers in one block — for Nginx, Apache, Caddy and a _headers file. Copy, reload, verify. (4 min)
- By header · COOP, COEP & CORP: Cross-Origin Isolation Headers: What Cross-Origin-Opener-Policy, Embedder-Policy and Resource-Policy do, when you need them (SharedArrayBuffer), and copy-paste blocks per server. (4 min)
- By header · CORS Done Right: Access-Control-Allow-Origin Without the Wildcard: Set CORS safely — reflect a specific allowed origin (not *), handle credentials and preflight, with copy-paste blocks for Nginx, Apache and Caddy. (4 min)
- By header · A Content-Security-Policy That Won't Break Your Site (Starter): Roll out Content-Security-Policy the safe way: report-only first, then enforce. Starter policies for static and typical sites, per server. (5 min)
- By header · Strict-Transport-Security (HSTS): Copy-Paste + Preload: Force HTTPS with Strict-Transport-Security for Nginx, Apache, Caddy and _headers — plus the exact preload requirements and how to roll back safely. (3 min)
- By header · Permissions-Policy: Disable Camera, Mic & Geolocation (Copy-Paste): Turn off browser features your site doesn't use with Permissions-Policy, for Nginx, Apache, Caddy and _headers. Copy-paste. (3 min)
- By header · Referrer-Policy: Which Value to Use (Copy-Paste): Control how much referrer information leaks to other sites. The recommended Referrer-Policy value plus options, for Nginx, Apache, Caddy and _headers. (2 min)
- By header · Hide Server & X-Powered-By Headers (Reduce Fingerprinting): Stop leaking your server software and version via the Server and X-Powered-By headers, on Nginx, Apache, PHP and Caddy. Copy-paste. (3 min)
- By header · X-Content-Type-Options: nosniff (Copy-Paste): Stop MIME-type sniffing with X-Content-Type-Options: nosniff on Nginx, Apache, Caddy and _headers. Copy-paste. (2 min)
- By header · Stop Clickjacking: X-Frame-Options & CSP frame-ancestors: Prevent your site from being framed. The modern CSP frame-ancestors directive plus X-Frame-Options for older browsers, per server. Copy-paste. (3 min)
- By server · All Security Headers for Apache (mod_headers): A complete, copy-paste set of HTTP security headers for Apache — vhost or .htaccess — plus ServerTokens and unsetting X-Powered-By. (3 min)
- By server · All Security Headers for Caddy (One Caddyfile Block): A complete, copy-paste set of HTTP security headers for a Caddy v2 site block, including removing the Server header. (2 min)
- By server · Security Headers on Cloudflare (Workers & Pages _headers): Set HTTP security headers on Cloudflare — a Pages/Netlify _headers file and a Cloudflare Worker that adds headers to every response. Copy-paste. (3 min)
- By server · All Security Headers for Nginx (One Server Block): A complete, copy-paste set of HTTP security headers for an Nginx server block — with server_tokens off and the add_header inheritance fix. (3 min)
The header is simple. The exact syntax for your server isn't.
Each recipe is a focused, copy-paste answer for one header — the exact block for every common server, the safe rollout for CSP, and the curl command to prove it's live.
FAQ
Are these header configs free?
Yes. Every recipe is free to read and copy, with no account or paywall.
Where do these headers go?
In your Nginx/Apache/Caddy config, a Cloudflare Worker, or a _headers file. Each recipe shows every server variant.
Will a CSP break my site?
Deploy Content-Security-Policy-Report-Only first, watch what it blocks, then switch to the enforcing header. See the CSP recipe.
How do I verify the header is sent?
Run "curl -I https://yourdomain". Every recipe ends with the exact curl command.