What security headers are

Security headers are HTTP response headers that tell the browser to apply protections it would not apply on its own: restricting where scripts may load from (a mitigation for XSS), refusing to be framed (clickjacking), limiting what the Referer header leaks, and so on. They only take effect in a browser that honors them; they do not protect non-browser API clients and do not fix server-side bugs. This generator produces ready-to-use header sets for a baseline profile and a strict profile.

Where they’re used

Security headers matter for public pages, SPAs, user dashboards, admin panels, payment flows, and any domain/subdomain serving HTML to a browser. In practice they’re often set at the CDN/proxy layer (Cloudflare, nginx, ingress), so they can be managed as config and regression-checked.

What this tool generates

  • Baseline: a safe minimum for most sites.
  • Strict: more restrictive defaults + a CSP example. Usually requires project-specific tuning.

Baseline vs strict

Baseline quickly covers basic hygiene (HSTS, anti-clickjacking, nosniff, referrer policy). Strict goes further, with tighter restrictions and a CSP example. With strict you typically need to allowlist the origins your frontend actually loads from (CDN, analytics) and tune the CSP so it does not break the frontend.

Where to set the headers

  • nginx / reverse proxy: convenient for an entire domain and subdomains.
  • Cloudflare / CDN: fast and centralized, but don’t forget different zones/subdomains.
  • Application code: framework middleware (when you need route-specific headers).

Common reasons “security headers don’t work”

  • Redirects: headers exist on the final page but are missing on the 301/302 hops (or vice versa). Note that browsers ignore HSTS on a plain-HTTP response, so setting it only on the http→https redirect does nothing; it must be on the HTTPS responses.
  • Multiple domains: www vs non-www, separate static/CDN domains — headers aren’t set everywhere.
  • Misaligned CSP: the frontend loads resources from domains not allowed by the policy.
  • Proxy overrides: one layer adds a header, another removes or replaces it. In nginx, any add_header inside a location block discards every add_header inherited from the server block, which silently drops the "global" set for that path.

More: baseline set and rollout tips
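The failure modes above are easiest to catch by auditing every hop of a redirect chain rather than only the final page. The following is an added example (not code from the generator) that does this: it follows redirects by hand so each response is inspected, treats a CSP with frame-ancestors as an acceptable substitute for X-Frame-Options, and does not count HSTS as missing on plain-HTTP hops, where browsers ignore it anyway. The responses are a constructed table so it runs offline; `fake_fetch`, the example.test hosts and the header values are assumptions.

```python
"""Audit the baseline header set along a redirect chain.

Added example, not the generator's own code. Fetching is simulated with a
constructed table of responses so it runs offline; replace `fake_fetch`
with a real HTTPS request (no automatic redirect following) in practice.
"""
from urllib.parse import urljoin

BASELINE = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed responses: URL -> (status, headers). The bare-host HTTPS hop
# sets nothing at all, and the www host forgot HSTS.
RESPONSES = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (301, {"Location": "https://www.example.test/"}),
    "https://www.example.test/": (200, {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }),
}


def fake_fetch(url):
    """Stand-in for an HTTP client; returns (status, lower-cased headers)."""
    status, headers = RESPONSES[url]
    return status, {k.lower(): v for k, v in headers.items()}


def audit_chain(start_url, fetch=fake_fetch, required=BASELINE, max_hops=10):
    """Follow redirects by hand and record the missing headers on every hop.

    Returns a list of (url, status, missing) tuples, one per response.
    """
    findings = []
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        missing = []
        for name in required:
            # Browsers ignore HSTS on plain-HTTP responses, so its absence on an
            # http:// hop is not a finding; that hop just has to redirect to HTTPS.
            if name == "strict-transport-security" and url.startswith("http://"):
                continue
            if name in headers:
                continue
            # A CSP with frame-ancestors is an acceptable substitute for X-Frame-Options.
            if name == "x-frame-options" and "frame-ancestors" in headers.get("content-security-policy", ""):
                continue
            missing.append(name)
        findings.append((url, status, missing))
        if status in REDIRECTS and "location" in headers:
            url = urljoin(url, headers["location"])
        else:
            return findings
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


if __name__ == "__main__":
    for url, status, missing in audit_chain("http://example.test/"):
        print(f"{status} {url}: missing {', '.join(missing) or 'nothing'}")
```

Run it against the www and non-www hosts and every static/CDN domain separately; a single final-page check would have reported the www host as "only missing HSTS" and never noticed that the bare-host redirect carries no headers at all.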

What’s typically in a “safe minimum”

  • HSTS: tells the browser to use HTTPS only for this host (and, with includeSubDomains, its subdomains) for max-age seconds, reducing downgrade/SSL-stripping risk. It is only honored when delivered over HTTPS; start with a short max-age and add includeSubDomains or preload only once every subdomain serves TLS, because a browser that has cached the policy will refuse plain HTTP until it expires.
  • X-Content-Type-Options: nosniff to prevent MIME sniffing.
  • X-Frame-Options / CSP frame-ancestors: clickjacking protection. When both are present, frame-ancestors wins, and it is the only one that can allow a specific third-party origin to embed a page.
  • Referrer-Policy: limits what the Referer header leaks (strict-origin-when-cross-origin is the usual choice and the modern browser default).
  • Permissions-Policy: turns off browser features the site does not use (camera, microphone, geolocation, and so on).

Where to apply headers

  • nginx: add_header ... always; (without always, nginx omits the header on error responses such as 4xx/5xx, and any add_header in a location block replaces, rather than extends, the ones inherited from server)
  • Cloudflare: Transform Rules / Response headers
  • Application: middleware/framework (Node/Java/.NET/Python)
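At the application layer the same set becomes a middleware that runs on every response, including redirects and errors, which is what `always` buys you in nginx. The following is an added example, not the generator's output: a framework-agnostic WSGI middleware with a baseline header set, a rule that a header the application already set is left alone, and an assumed `frameable` knob mapping a path prefix to the origins allowed to embed it, which swaps X-Frame-Options for CSP frame-ancestors on those routes. The `demo_app`, the /embed/ prefix and the partner.test origin are constructed for the example.

```python
"""Baseline security headers as framework-agnostic WSGI middleware.

Added example, not the generator's output. The header values are one
reasonable baseline, and the `frameable` mapping (path prefix -> allowed
frame-ancestors) is an assumed knob for routes that must be embeddable.
"""

BASELINE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]


class SecurityHeaders:
    """Add the baseline set to every response, including redirects and errors
    (the equivalent of nginx's `add_header ... always`)."""

    def __init__(self, app, headers=BASELINE_HEADERS, frameable=None):
        self.app = app
        self.headers = list(headers)
        self.frameable = dict(frameable or {})

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        ancestors = next((v for k, v in self.frameable.items() if path.startswith(k)), None)

        def wrapped_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers:
                # X-Frame-Options cannot allow a specific third-party origin;
                # embeddable routes get CSP frame-ancestors instead.
                if name == "X-Frame-Options" and ancestors is not None:
                    continue
                # A header the application set deliberately wins; never emit duplicates.
                if name.lower() not in present:
                    response_headers.append((name, value))
            if ancestors is not None and "content-security-policy" not in present:
                response_headers.append(("Content-Security-Policy", f"frame-ancestors {ancestors}"))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed app: a redirect at /, an embeddable widget, and a dashboard."""
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        start_response("302 Found", [("Location", "/dashboard")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>ok</h1>"]


app = SecurityHeaders(demo_app, frameable={"/embed/": "https://partner.test"})


def call(wsgi_app, path):
    """Drive a WSGI app in-process; returns (status, {header: value})."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(wsgi_app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    for path in ("/", "/dashboard", "/embed/widget"):
        status, headers = call(app, path)
        print(status, path, headers)
```

Whichever layer you choose, pick one owner for each header: if the CDN and the application both emit Strict-Transport-Security with different values, the browser sees two headers and you have no single place to reason about the policy.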

CSP note

The strict profile CSP is a starting template, not a policy you can ship unchanged. In production you typically allowlist the origins you actually load from (CDN, analytics), move inline scripts to per-request nonces or sha256 hashes instead of 'unsafe-inline', and deploy the policy as Content-Security-Policy-Report-Only with a report endpoint first, so violations show up as reports rather than as a broken frontend. Only switch the header name to Content-Security-Policy once the reports are quiet.
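The rollout described above, as an added example that is not the strict profile the generator emits: a per-request nonce, a hash source for an inline script that cannot carry a nonce, a policy builder with explicit allowlists, a one-flag switch between Report-Only and enforcing, and the script tag that actually carries the nonce. The directive list, the https://cdn.example.test origin and the /csp-report endpoint are placeholders to replace with your own.

```python
"""Per-request CSP nonces, inline-script hashes and a Report-Only rollout switch.

Added example, not the strict profile the generator emits. The directive
list and the `https://cdn.example.test` / `/csp-report` placeholders are
assumptions to replace with your own origins and report endpoint.
"""
import base64
import hashlib
import html
import secrets


def make_nonce():
    """128 bits from the OS CSPRNG, base64-encoded as the nonce grammar requires.
    Generate one per response and never serve it from a cache."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def sha256_source(inline_js):
    """Hash source expression for an inline script that cannot carry a nonce
    (static hosting). The digest covers the exact text between the tags,
    so any whitespace change invalidates it."""
    digest = hashlib.sha256(inline_js.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode('ascii')}'"


def build_csp(nonce, script_hosts=(), connect_hosts=(), script_hashes=(), report_uri=None):
    """Assemble a strict-style policy: no 'unsafe-inline', nonces/hashes for
    inline code, explicit allowlists for third-party origins."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *script_hashes, *script_hosts],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "data:"],
        "connect-src": ["'self'", *connect_hosts],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        "frame-ancestors": ["'none'"],
    }
    if report_uri:
        directives["report-uri"] = [report_uri]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def csp_header(policy, enforce):
    """Report-Only during rollout: violations are reported, nothing is blocked."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return (name, policy)


def parse_csp(policy):
    """Split a serialized policy back into {directive: [sources]} for checks."""
    parsed = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            parsed[tokens[0]] = tokens[1:]
    return parsed


def script_tag(nonce, src):
    """The nonce only helps if it is actually on the tag the page emits."""
    return f'<script nonce="{html.escape(nonce)}" src="{html.escape(src)}"></script>'


if __name__ == "__main__":
    nonce = make_nonce()
    policy = build_csp(nonce, script_hosts=["https://cdn.example.test"],
                       script_hashes=[sha256_source("window.__cfg={};")],
                       report_uri="/csp-report")
    print(csp_header(policy, enforce=False))
    print(script_tag(nonce, "https://cdn.example.test/app.js"))
```

Two caveats the code cannot enforce for you: a nonce-based policy is incompatible with full-page caching at the CDN, since every cached copy would reuse the same nonce; and if you later add 'strict-dynamic' to script-src, CSP3 browsers ignore the host allowlist in that directive, so the CDN entry stops doing anything.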

Useful links