Công cụ Developer

Tạo Security Headers

Tạo HTTP security headers cho HSTS, CSP, X-Frame-Options, CORS và hơn thế — xuất cho Nginx, Apache, Express hoặc Next.js

Được tin dùng bởi hơn 10k developer

Security Headers

Info Headers

Warnings

Strict-Transport-Security (HSTS)

Forces HTTPS for all future visits

Max Age (seconds):includeSubDomainspreload

Content-Security-Policy

Restricts resource loading sources

X-Frame-Options

Prevents clickjacking attacks

X-Content-Type-Options: nosniff

Prevents MIME-type sniffing

Referrer-Policy

Controls referrer header in requests

Permissions-Policy

Controls browser features (camera, mic, location…)

X-XSS-Protection: 1; mode=block

Legacy XSS filter (deprecated in modern browsers)

CORS Headers

Control cross-origin resource sharing

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";