Recipes

Essentials2 By header9 By server4

All recipes

Copy-paste HTTP security headers, grouped by header and by server.

Essentials

Why Your Security Headers Aren't Applying (Common Mistakes)4 min
The Security Headers Starter Set (Copy-Paste for Any Server)4 min

By header

COOP, COEP & CORP: Cross-Origin Isolation Headers4 min
CORS Done Right: Access-Control-Allow-Origin Without the Wildcard4 min
A Content-Security-Policy That Won't Break Your Site (Starter)5 min
Strict-Transport-Security (HSTS): Copy-Paste + Preload3 min
Permissions-Policy: Disable Camera, Mic & Geolocation (Copy-Paste)3 min
Referrer-Policy: Which Value to Use (Copy-Paste)2 min
Hide Server & X-Powered-By Headers (Reduce Fingerprinting)3 min
X-Content-Type-Options: nosniff (Copy-Paste)2 min
Stop Clickjacking: X-Frame-Options & CSP frame-ancestors3 min

By server

All Security Headers for Apache (mod_headers)3 min
All Security Headers for Caddy (One Caddyfile Block)2 min
Security Headers on Cloudflare (Workers & Pages _headers)3 min
All Security Headers for Nginx (One Server Block)3 min

Note: some outbound links (e.g. hosting / CDN / scanners) may be affiliate links — we may earn a commission at no cost to you. See the disclosure.

About·Disclosure·Recipes

Copy-paste HTTP security headers for people who run their own web servers.