Security Headers Recommendation
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
Status
Runs in your browser as a first-pass diagnostic step.
How to use
Paste response headers and click “Recommend”. It suggests values for missing security headers.
Notes (this tool)
- Recommended values are generic baselines. Tune them to your app’s actual loading requirements.
- Initial deployment can block resources unexpectedly; use staged rollout with log monitoring.
About this page
What does this tool do?
Detects missing security headers and suggests minimum recommended values.
Debugging workflow (recommended)
- Paste response headers to see recommendations
- Verify details with individual Inspect tools
- Apply gradually in production
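The detection step described above ("paste response headers, get recommendations for the missing ones") can be sketched in a few dozen lines. The code below is an added illustration, not the tool's own implementation: it parses a pasted raw response, reports which of the six headers the page prioritizes are absent, and proposes a baseline value for each. The baselines are the same generic starting points the page describes and are assumptions to tune per application; CSP is proposed in Report-Only form so rollout starts with validation rather than enforcement, and the `/csp-reports` path is a placeholder endpoint.

```javascript
// Added example (not the tool's own code): "paste headers -> recommend".
// Baseline values below are generic assumptions; tune them per application.

// Parse a pasted raw response (optional status line, then "Name: value" lines)
// into a Map of lowercase header name -> array of values. Repeated headers
// (e.g. several Set-Cookie lines) are kept as separate entries.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (!trimmed || /^HTTP\/\d/.test(trimmed)) continue; // blank or status line
    const idx = trimmed.indexOf(':');
    if (idx <= 0) continue; // not a "Name: value" line
    const name = trimmed.slice(0, idx).trim().toLowerCase();
    const value = trimmed.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// One rule per header: `present` says whether the requirement is already met,
// `suggest` is the generic baseline to propose when it is not.
const BASELINES = [
  {
    present: (h) => h.has('strict-transport-security'),
    suggest: { header: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
  },
  {
    // A Report-Only policy counts as "started"; enforcement is flagged separately.
    present: (h) => h.has('content-security-policy') || h.has('content-security-policy-report-only'),
    suggest: {
      header: 'Content-Security-Policy-Report-Only',
      // '/csp-reports' is a placeholder reporting endpoint, not a real path.
      value: "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; report-uri /csp-reports",
    },
  },
  {
    present: (h) => h.has('x-content-type-options'),
    suggest: { header: 'X-Content-Type-Options', value: 'nosniff' },
  },
  {
    // An enforced CSP with frame-ancestors already covers clickjacking.
    present: (h) => h.has('x-frame-options') ||
      /frame-ancestors/i.test((h.get('content-security-policy') || []).join(' ')),
    suggest: { header: 'X-Frame-Options', value: 'DENY' },
  },
  {
    present: (h) => h.has('referrer-policy'),
    suggest: { header: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  },
  {
    present: (h) => h.has('permissions-policy'),
    suggest: { header: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  },
];

// Returns { missing: [{header, value}], notes: [string] } for a pasted response.
function recommend(raw) {
  const h = parseHeaders(raw);
  const missing = BASELINES.filter((r) => !r.present(h)).map((r) => r.suggest);
  const notes = [];

  if (!h.has('content-security-policy') && h.has('content-security-policy-report-only')) {
    notes.push('CSP is Report-Only only; plan the move to enforcement once reports are clean.');
  }
  const hsts = h.get('strict-transport-security');
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts[0]);
    if (!m || Number(m[1]) < 31536000) {
      notes.push('HSTS max-age is below one year; raise it once HTTPS is confirmed site-wide.');
    }
  }
  return { missing, notes };
}

// Constructed sample input (not a real server response).
const SAMPLE_HEADERS = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'X-Content-Type-Options: nosniff',
  'Strict-Transport-Security: max-age=300',
  "Content-Security-Policy-Report-Only: default-src 'self'",
].join('\n');

const result = recommend(SAMPLE_HEADERS);
for (const m of result.missing) console.log(`Missing: ${m.header}: ${m.value}`);
for (const n of result.notes) console.log(`Note: ${n}`);
```

Run with `node` (or paste into a browser console). For the constructed sample it reports X-Frame-Options, Referrer-Policy and Permissions-Policy as missing, and adds two notes: the CSP is still Report-Only, and the HSTS max-age is far below a year. The X-Frame-Options rule deliberately accepts only an enforced CSP `frame-ancestors`, not a Report-Only one, because a Report-Only policy blocks nothing.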
Recommendations (practical)
- Prioritize CSP and HSTS
- Use Referrer-Policy and X-Frame-Options
- Disable unused features with Permissions-Policy
Related tools
- Security Headers Audit
- CSP Inspect
- HSTS Inspect
- Permissions-Policy Inspect
- Referrer-Policy Inspect
- X-Frame-Options Inspect
What this tool does
- Identify missing headers
- Suggest recommended values (examples)
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use phased rollout with report monitoring.
Referenced specs
- MDN: Security headers
- RFC 9110 (HTTP Semantics)
FAQ
Are recommended values universal for all sites?
No. Optimal values depend on app architecture, CDN, and embedding requirements. Use defaults as a baseline, then tune per environment.
Where should legacy systems start?
Begin with low-compatibility-risk headers, and deploy CSP with Report-Only validation before enforcement.
Page-specific case studies
This page translates audit findings into concrete header settings and a rollout order.
- Identify missing headers that can be adopted immediately.
- Separate high-impact items before rollout.
- Template recommended values for reuse across services.
Page-specific implementation checklist
- Record acceptance or rejection rationale for each recommendation.
- Roll out in phases: Report-Only first, enforcement second.
- Assign clear ownership per security header.
- Document validation outcomes for future reuse.
Next to view (diagnostic order)
These links are generated from site_map rules in recommended diagnostic order.
- Security Headers Fix Plan — Create a prioritized header-fix plan
- Security Headers Audit — Audit presence of major security headers
- CSP Builder — Build CSP policies from templates
- CSP Inspect — Parse and evaluate CSP directives
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
- CSP Report Analyzer — Analyze CSP report JSON and summarize violation patterns
- HSTS Inspect — Parse HSTS to verify HTTPS enforcement
Same-theme links
Security Headers
Go from missing-header detection to concrete fix planning
- Security Headers Audit — Audit presence of major security headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
- CSP Builder — Build CSP policies from templates
- CSP Report Analyzer — Analyze CSP report JSON and summarize violation patterns
- CSP Inspect — Parse and evaluate CSP directives
- HSTS Inspect — Parse HSTS to verify HTTPS enforcement
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- X-Frame-Options Inspect — Parse X-Frame-Options to validate clickjacking protection
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff