Security Headers Cheat Sheet

Common HTTP security response headers, each with a short description and a copy-ready example value. Set them in one place (Nginx / CDN / framework) rather than duplicating them across layers, so the effective policy stays easy to audit.

HSTS

Force HTTPS for one year (max-age=31536000) on this host and all its subdomains; browsers only honour the header when it arrives on an HTTPS response

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Content-Type-Options

Stop browsers from MIME-sniffing responses; scripts and stylesheets served with a mismatched Content-Type are refused instead of guessed at

X-Content-Type-Options: nosniff

X-Frame-Options

Forbid framing of the page by any site, including itself (clickjacking defence); CSP frame-ancestors 'none' is the standardised equivalent and takes precedence where both are sent

X-Frame-Options: DENY

Referrer-Policy

Tighten the Referer header: full URL only for same-origin requests, origin only for cross-origin requests, nothing on an HTTPS-to-HTTP downgrade

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy (sample)

Disable camera, microphone and geolocation for every origin, the page itself included (an empty allowlist "()" turns the feature off entirely)

Permissions-Policy: camera=(), microphone=(), geolocation=()
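The values above are only useful if they actually reach the browser intact, so the following is an added audit script (not part of the original cheat sheet) that checks a set of response headers against these recommendations: HSTS max-age of at least a year with includeSubDomains, nosniff, DENY, a strict Referrer-Policy, and an empty allowlist for camera, microphone and geolocation. Header names are matched case-insensitively, as browsers do. The function name `audit_headers` and the two header dicts are constructed for the example; in practice you would feed it the headers from a real response (for example `requests.head(url).headers`).

```python
"""Audit HTTP response headers against the values this cheat sheet recommends.

Added example, not code from the original page. `audit_headers` is a hypothetical
helper; GOOD_HEADERS / WEAK_HEADERS are constructed inline so this runs offline.
"""
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age the cheat sheet recommends

# APIs the cheat sheet's Permissions-Policy sample disables for every origin
LOCKED_FEATURES = ("camera", "microphone", "geolocation")

# Referrer-Policy values that never leak the URL path cross-origin or on a downgrade
STRICT_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def check_hsts(value):
    """max-age must be at least one year; includeSubDomains is expected."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if m is None:
        return ["Strict-Transport-Security has no max-age directive"]
    findings = []
    if int(m.group(1)) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age={m.group(1)} is shorter than one year")
    if "includesubdomains" not in value.lower():
        findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings


def check_nosniff(value):
    return [] if value.strip().lower() == "nosniff" else ["X-Content-Type-Options is not 'nosniff'"]


def check_frame_options(value):
    # DENY blocks all framing; SAMEORIGIN still lets same-origin pages frame this one
    v = value.strip().upper()
    if v == "DENY":
        return []
    if v == "SAMEORIGIN":
        return ["X-Frame-Options is SAMEORIGIN, not DENY (same-origin framing still allowed)"]
    return [f"X-Frame-Options has unexpected value {value!r}"]


def check_referrer_policy(value):
    # A comma-separated list is legal; the browser applies the last value it recognises
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    if not tokens:
        return ["Referrer-Policy is empty"]
    if tokens[-1] not in STRICT_REFERRER_POLICIES:
        return [f"Referrer-Policy {tokens[-1]!r} may leak full URLs cross-origin"]
    return []


def check_permissions_policy(value):
    # Parse "feature=(allowlist)" pairs; an empty allowlist "()" disables the feature everywhere.
    # A feature that is not listed keeps its browser default, so it counts as a finding too.
    found = {m.group(1).lower(): m.group(2).strip()
             for m in re.finditer(r"([\w-]+)\s*=\s*\(([^)]*)\)", value)}
    findings = []
    for feature in LOCKED_FEATURES:
        if feature not in found:
            findings.append(f"Permissions-Policy does not mention {feature}")
        elif found[feature] != "":
            findings.append(f"Permissions-Policy still allows {feature} for: {found[feature]}")
    return findings


CHECKS = {
    "strict-transport-security": check_hsts,
    "x-content-type-options": check_nosniff,
    "x-frame-options": check_frame_options,
    "referrer-policy": check_referrer_policy,
    "permissions-policy": check_permissions_policy,
}


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        if name not in lowered:
            findings.append(f"{name} is missing")
        else:
            findings.extend(check(lowered[name]))
    return findings


# Constructed sample header sets (not captured from any real server)
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "unsafe-url",
    "permissions-policy": "camera=(self), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
```

Running it reports no findings for GOOD_HEADERS and seven for WEAK_HEADERS (short HSTS max-age, no includeSubDomains, missing nosniff, SAMEORIGIN instead of DENY, a leaky Referrer-Policy, camera still allowed for self, and microphone not mentioned at all). The Permissions-Policy check deliberately flags an unlisted feature, because an omitted feature falls back to the browser default rather than being disabled.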