Free Security Headers Generator (Nginx, Apache, Vercel)

Generate recommended HTTP security headers — HSTS, CSP, X-Frame-Options and more — with copy-paste config for Nginx, Apache and Vercel. Free, runs in your browser.

About this tool

HTTP security headers are one of the highest-value, lowest-effort hardening steps for any website — they instruct browsers to block clickjacking, enforce HTTPS, prevent MIME sniffing and restrict where scripts can load from. This free generator produces a recommended, sensible set of headers (HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy) with copy-paste configuration for Nginx, Apache and Vercel.

Tune the options to your needs, copy the output straight into your server or platform config, then re-test with our website security scanner to confirm the grade. It runs entirely in your browser and is a fast way to close the gaps most scanners flag.

Frequently asked questions

Which security headers matter most?

Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy to control resource loading and curb XSS, X-Frame-Options/frame-ancestors to stop clickjacking, and X-Content-Type-Options to prevent MIME sniffing are the core set.

Will adding these headers break my site?

Most are safe to add immediately. Content-Security-Policy needs care because a strict policy can block legitimate scripts — start in report-only mode, review violations, then enforce. The generator's default CSP is a conservative starting point.

Does this work for Nginx, Apache and Vercel?

Yes. The tool outputs ready-to-paste configuration for all three, so you can apply the same recommended header set regardless of how your site is served.