My Tools Garage

Security Headers Builder

Generate HTTP security headers for any server.

in-browser

How to use

  1. Choose your server format: nginx, Apache, Caddy or plain HTTP.
  2. Toggle the headers you want and set the HSTS max-age.
  3. Pick X-Frame-Options and a Referrer-Policy value.
  4. Copy the generated configuration into your server config.

About Security Headers Builder

The Security Headers Builder turns a handful of plain-language choices into a ready-to-paste set of HTTP response headers that harden any website against common attacks.

Modern browsers enforce a powerful set of defences, but only if your server actually sends the right headers, and the exact syntax differs between nginx, Apache and Caddy.

This tool generates the recommended baseline for you and renders it in the format your server expects, so you can copy it straight into a config file.

The headers it covers are the ones security scanners and hardening guides ask for: Strict-Transport-Security (HSTS) to force HTTPS, with optional includeSubDomains and preload flags and a configurable max-age; a sensible starter Content-Security-Policy that locks scripts and objects down to your own origin; X-Frame-Options to stop clickjacking; X-Content-Type-Options to block MIME sniffing; a privacy-conscious Referrer-Policy; and a locked-down Permissions-Policy that disables camera, microphone, geolocation and FLoC by default (FLoC itself has since been discontinued, so the interest-cohort directive is now a harmless no-op that scanners still like to see).

Each one can be toggled on or off so you only emit what you need.

Treat the Content-Security-Policy as a starting point and tighten it for your own scripts and assets before going live.
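To make the generation step concrete, here is a small builder in the same shape as the tool, written as an added example rather than taken from the tool's own source. It assembles the header set from the choices described above, refuses a preload flag that the preload list would reject, and renders the result for nginx, Apache, Caddy or raw HTTP. The option names, defaults, the exact starter CSP directives and the mirroring of X-Frame-Options into frame-ancestors are this example's assumptions, not a description of what the tool emits.

```javascript
// Added example, not the tool's own code. Option names, defaults and the
// starter CSP are this example's assumptions.

const ONE_YEAR = 31536000; // seconds; the minimum max-age hstspreload.org accepts

const REFERRER_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]);

// Returns an ordered list of [name, value] pairs for the enabled headers.
function buildHeaders(opts = {}) {
  const o = {
    hsts: true, hstsMaxAge: ONE_YEAR, includeSubDomains: true, preload: false,
    csp: true, frameOptions: "DENY", nosniff: true,
    referrerPolicy: "strict-origin-when-cross-origin", permissionsPolicy: true,
    ...opts,
  };
  const headers = [];

  if (o.hsts) {
    if (!Number.isInteger(o.hstsMaxAge) || o.hstsMaxAge < 0) {
      throw new Error("hstsMaxAge must be a non-negative integer number of seconds");
    }
    // The preload list rejects submissions without includeSubDomains or with a
    // max-age under one year, so refuse to emit a header that cannot be submitted.
    if (o.preload && (!o.includeSubDomains || o.hstsMaxAge < ONE_YEAR)) {
      throw new Error("preload requires includeSubDomains and max-age >= 31536000");
    }
    let v = `max-age=${o.hstsMaxAge}`;
    if (o.includeSubDomains) v += "; includeSubDomains";
    if (o.preload) v += "; preload";
    headers.push(["Strict-Transport-Security", v]);
  }

  if (o.frameOptions && !["DENY", "SAMEORIGIN"].includes(o.frameOptions)) {
    throw new Error("X-Frame-Options must be DENY or SAMEORIGIN (ALLOW-FROM is obsolete)");
  }

  if (o.csp) {
    // Starter policy: scripts from the site's own origin only, no plugins, no
    // <base> hijacking. frame-ancestors mirrors X-Frame-Options because modern
    // browsers honour it in preference to that header.
    const directives = [
      "default-src 'self'", "script-src 'self'", "object-src 'none'", "base-uri 'self'",
    ];
    if (o.frameOptions) {
      directives.push(`frame-ancestors ${o.frameOptions === "DENY" ? "'none'" : "'self'"}`);
    }
    headers.push(["Content-Security-Policy", directives.join("; ")]);
  }

  if (o.frameOptions) headers.push(["X-Frame-Options", o.frameOptions]);
  if (o.nosniff) headers.push(["X-Content-Type-Options", "nosniff"]);

  if (o.referrerPolicy) {
    if (!REFERRER_POLICIES.has(o.referrerPolicy)) {
      throw new Error(`unknown Referrer-Policy: ${o.referrerPolicy}`);
    }
    headers.push(["Referrer-Policy", o.referrerPolicy]);
  }

  if (o.permissionsPolicy) {
    // interest-cohort was the FLoC opt-out; FLoC is discontinued, so the
    // directive is a harmless no-op kept for parity with scanner checklists.
    headers.push(["Permissions-Policy",
      "camera=(), microphone=(), geolocation=(), interest-cohort=()"]);
  }
  return headers;
}

// Renders the header list in the syntax of a given server.
function render(headers, format) {
  const q = (v) => `"${v.replace(/"/g, '\\"')}"`;
  switch (format) {
    case "nginx":
      // `always` makes nginx emit the header on 4xx/5xx responses as well
      return headers.map(([n, v]) => `add_header ${n} ${q(v)} always;`).join("\n");
    case "apache":
      // needs mod_headers; `always` covers non-2xx responses
      return headers.map(([n, v]) => `Header always set ${n} ${q(v)}`).join("\n");
    case "caddy":
      return ["header {", ...headers.map(([n, v]) => `    ${n} ${q(v)}`), "}"].join("\n");
    case "http":
      return headers.map(([n, v]) => `${n}: ${v}`).join("\r\n");
    default:
      throw new Error(`unknown format: ${format}`);
  }
}

console.log(render(buildHeaders({ preload: true }), "nginx"));
```

Two server-side gotchas are worth checking after pasting: nginx does not inherit `add_header` directives into a `location` block that declares any `add_header` of its own, so the hardening lines may need repeating there, and Apache only honours `Header` directives when mod_headers is loaded.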

Everything is generated locally in your browser; no configuration is uploaded or stored, so you can build headers for internal or production systems with confidence, and copy the result with one click.

FAQ

Is the generated Content-Security-Policy production-ready?

It is a safe starting point that restricts scripts and objects to your own origin. Review and tighten it for the exact scripts, styles and assets your site loads before deploying.

What does the preload flag on HSTS do?

It adds the preload token to the header, which signals that you want your domain hard-coded into the browser HSTS preload list. The token alone changes nothing in browsers; you still have to submit the domain at hstspreload.org, which requires includeSubDomains and a max-age of at least one year (31536000 seconds). Only enable it once you are sure every subdomain serves HTTPS, because removal from the list is slow and reaches users only as browsers ship new releases.

Does this tool send my configuration anywhere?

No. The headers are assembled entirely in your browser with JavaScript. Nothing is uploaded, logged or stored.