All recipes

Essentials

• Why Your Security Headers Aren't Applying (Common Mistakes) 4 min →
• The Security Headers Starter Set (Copy-Paste for Any Server) 4 min →

By header

• COOP, COEP & CORP: Cross-Origin Isolation Headers 4 min →
• CORS Done Right: Access-Control-Allow-Origin Without the Wildcard 4 min →
• A Content-Security-Policy That Won't Break Your Site (Starter) 5 min →
• Strict-Transport-Security (HSTS): Copy-Paste + Preload 3 min →
• Permissions-Policy: Disable Camera, Mic & Geolocation (Copy-Paste) 3 min →
• Referrer-Policy: Which Value to Use (Copy-Paste) 2 min →
• Hide Server & X-Powered-By Headers (Reduce Fingerprinting) 3 min →
• X-Content-Type-Options: nosniff (Copy-Paste) 2 min →
• Stop Clickjacking: X-Frame-Options & CSP frame-ancestors 3 min →

By server

• All Security Headers for Apache (mod_headers) 3 min →
• All Security Headers for Caddy (One Caddyfile Block) 2 min →
• Security Headers on Cloudflare (Workers & Pages _headers) 3 min →
• All Security Headers for Nginx (One Server Block) 3 min →