
Security Headers Builder

Generate copy-paste headers that fix critical SEO audit flags instantly.

Configure Headers
Content-Security-Policy (Critical)
  Allowed Script Sources: restricts which domains can run JS on your page. Inline scripts need 'unsafe-inline' (lower security).
  Allow iframes from (embed-in)
  Extra trusted domains (optional): space-separated; added to script-src, img-src, connect-src.

Strict-Transport-Security (Critical)
  max-age (seconds)
  ⚠ Enable preload only if ALL subdomains serve HTTPS. Hard to undo.

X-Frame-Options (Critical)
  DENY blocks all framing (best). SAMEORIGIN allows same-domain iframes (e.g. your own embeds).

X-Content-Type-Options (Recommended)
  Always set to nosniff. Prevents browsers from MIME-sniffing a response away from the declared content-type. No options needed.

Referrer-Policy (Recommended)
  Controls how much referrer info is sent. strict-origin-when-cross-origin is the safe default.

Permissions-Policy (Recommended)
  Disable these browser APIs

Cross-Origin-Resource-Policy (Optional)
  Prevents other sites from loading your resources cross-origin. Use cross-origin for public CDN assets.

Why does Google PageSpeed flag missing headers?

Tools like Lighthouse, Security Headers (securityheaders.com), and GTmetrix check for CSP, HSTS, and X-Frame-Options. Missing them lowers your trust signals and can hurt E-E-A-T SEO scores.

Will a strict CSP break my site?

It can if you use inline scripts or third-party widgets. Start with report-only mode and a report-uri to catch violations before enforcing. Use the "Blog" preset for a safe starting point.

Where do I paste this on Cloudflare?

Workers & Pages → your site → Functions → add a Worker, or use the Transform Rules (HTTP Response Headers) feature for a no-code option. The Cloudflare Workers output above is copy-paste ready.

What's the HSTS preload risk?

Once submitted to browser preload lists, browsers will refuse plain HTTP connections to your domain before even contacting your server. If you ever need to drop HTTPS, you're stuck waiting months to be removed from the list.
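The two FAQ answers above (start CSP in report-only mode with a report-uri; treat HSTS preload as hard to undo) as an added example in Python. This is not the tool's own code: the function names, the directive layout and the preload check (preload lists require includeSubDomains and a max-age of at least one year) are this example's assumptions.

```python
# Added example: compose CSP and HSTS headers the way the builder above describes.
# Names here are this example's own, not the tool's.

ONE_YEAR = 31536000  # minimum max-age accepted by HSTS preload lists


def build_csp(script_sources, frame_ancestors=("'none'",), extra=(),
              report_only=False, report_uri=None):
    """Return (header_name, header_value) for an enforcing or report-only CSP.

    script_sources: extra origins allowed to run JS (e.g. "https://cdn.example.com").
    extra: trusted domains added to script-src, img-src and connect-src, as in the tool.
    """
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(["'self'", *script_sources, *extra]),
        "img-src " + " ".join(["'self'", "data:", *extra]),
        "connect-src " + " ".join(["'self'", *extra]),
        "frame-ancestors " + " ".join(frame_ancestors),  # who may embed this page
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")  # collect violations first
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, "; ".join(directives)


def build_hsts(max_age, include_subdomains=False, preload=False):
    """Return (header_name, header_value) for Strict-Transport-Security.

    Refuses a preload directive that preload lists would reject anyway,
    so a half-configured header is never shipped.
    """
    if preload and (not include_subdomains or max_age < ONE_YEAR):
        raise ValueError("preload needs includeSubDomains and max-age >= 31536000")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "Strict-Transport-Security", "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample: report-only CSP for a site with one CDN, then enforce.
    print(build_csp(["https://cdn.example.com"], report_only=True,
                    report_uri="/csp-report"))
    print(build_hsts(ONE_YEAR, include_subdomains=True, preload=True))
```

Ship the report-only header first, review what arrives at the report-uri, then switch `report_only=False` once the violations are gone.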