Security headers builder

Pick a CSP profile and the features you want disabled. We emit a full set of response headers to drop in your Caddy / nginx / Cloudflare config.

Response headers

7 headers
  • Balanced CSP allows 'unsafe-inline' for styles (common Tailwind/inline-style pattern). Scripts are still nonce-required.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()
Cross-Origin-Opener-Policy: same-origin

Pair with the HSTS preload checker and the existing TLS scanner.
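A small audit that checks a captured response's header set against the balanced profile above, added here as an example and not part of the builder; the sample responses are constructed, and the HSTS check applies the preload-list requirements (max-age of at least one year, includeSubDomains, preload):

```python
import re

# Fixed-value headers from the balanced profile above (copied from the page).
EXPECTED = {"x-frame-options": "DENY", "x-content-type-options": "nosniff",
            "referrer-policy": "strict-origin-when-cross-origin",
            "cross-origin-opener-policy": "same-origin"}
REQUIRED = (*EXPECTED, "strict-transport-security", "content-security-policy", "permissions-policy")

def parse_csp(value):
    # Split a CSP into {directive: [sources]}; flag directives such as upgrade-insecure-requests map to [].
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers):
    """Return findings for one response's headers; an empty list means it matches the profile."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {n}" for n in REQUIRED if n not in h]
    findings += [f"{n}: expected {v!r}, got {h[n]!r}" for n, v in EXPECTED.items() if h.get(n, v) != v]
    if "strict-transport-security" in h:
        hsts = h["strict-transport-security"].lower()
        age = re.search(r"max-age=(\d+)", hsts)
        # Preloading requires max-age of at least one year plus includeSubDomains and preload.
        if not age or int(age.group(1)) < 31536000:
            findings.append("hsts: max-age below one year")
        if "includesubdomains" not in hsts or "preload" not in hsts:
            findings.append("hsts: includeSubDomains and preload needed for the preload list")
    if "content-security-policy" in h:
        p = parse_csp(h["content-security-policy"])
        findings += [f"csp: {d} not set" for d in ("default-src", "script-src", "object-src",
                                                  "frame-ancestors", "base-uri") if d not in p]
        # The balanced profile tolerates 'unsafe-inline' for styles only, never for scripts.
        if {"'unsafe-inline'", "'unsafe-eval'"} & set(p.get("script-src", [])):
            findings.append("csp: script-src allows inline or eval scripts")
        for d in ("object-src", "frame-ancestors"):
            if p.get(d) != ["'none'"]:
                findings.append(f"csp: {d} should be 'none'")
    return findings

# Constructed samples: the page's header set, and a typical weak deployment.
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
        "img-src 'self' data:; frame-ancestors 'none'; base-uri 'self'; object-src 'none'",
        "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Permissions-Policy": "camera=()",
        "Referrer-Policy": "strict-origin-when-cross-origin", "Cross-Origin-Opener-Policy": "same-origin"}
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff"}
```

Feed it the headers from a real response (for example the dict from a `requests` response) to confirm a deployment actually serves the profile it was configured with.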