Why do security headers matter?

They tell the browser how to handle resource loading, framing, HTTPS, permissions, and referrer information. Even with safe server code, missing headers can leave clickjacking, MIME sniffing, and referrer exposure risks.

Can I apply strict CSP immediately?

It is better to test it in staging first. A strict CSP can block inline styles, third-party scripts, ads, analytics, and fonts, so confirm that important pages still work before deploying it broadly.

When should I enable HSTS preload?

Use preload only when every subdomain is stable on HTTPS and you are comfortable with a long-lived commitment. A wrong preload setup can be difficult to undo after browsers pick it up.

Are my settings uploaded?

No. Security header generation runs inside your browser. Selected headers, report URI values, and generated server snippets are not sent to or stored by berryfy.

Security headers generator

Choose web security headers such as CSP, HSTS, X-Frame-Options, and Referrer-Policy, then copy them as raw headers, nginx, Apache, or Cloudflare snippets.

Security headers settings

Choose security headers and the server snippet format for your site.

PresetOutput format

Headers to include

Content-Security-PolicyRestrict resource loading to trusted sourcesStrict-Transport-SecurityTell browsers to prefer HTTPSX-Frame-OptionsLimit embedding inside other pagesX-Content-Type-OptionsPrevent MIME type sniffingReferrer-PolicyLimit referrer information sent to other sitesPermissions-PolicyBlock camera, microphone, location, and payment by defaultCross-origin policiesSet COOP and CORP to same-origin

Frame optionReferrer policy

HSTS max-ageSeconds. 31536000 is one year, 63072000 is two years.CSP report URILeave empty to skip report-uri. Use a path like /csp-report or an https URL.

includeSubDomainsApply HSTS to subdomainspreloadPrepare for browser preload submission

Generated result

Raw headers, 6 headers

Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Content-Security-PolicyStrict-Transport-SecurityX-Frame-OptionsX-Content-Type-OptionsReferrer-PolicyPermissions-Policy

This is a baseline security header set. Test site behavior before deploying.

Prepare baseline security headers before deployment

Web security headers help browsers handle your pages more safely. CSP limits where scripts and resources can load from, HSTS keeps traffic on HTTPS, and Referrer-Policy plus Permissions-Policy reduce unnecessary data and capability exposure.

This tool converts the selected headers into raw header lines, nginx snippets, Apache snippets, or Cloudflare _headers format. The balanced preset is easier to apply to existing sites, while the strict preset shows stronger rules that should be tested before production.

Security headers can affect real site behavior, so test login, checkout, images, fonts, and third-party scripts in staging before shipping. Generation runs entirely in your browser, and your settings are not sent to berryfy.

Continue with tools that fit the same task flow.

DeveloperPassword generatorCreate a secure random password on your device and copy it in one clickOpen DeveloperUUID generatorGenerate random UUID v4 values in your browser and copy them in batchesOpen DeveloperULID generatorGenerate sortable ULIDs locally, decode their timestamp, and copy one or many IDs without uploading dataOpen