What does the header scan include?

The tool requests the URL, lists the response headers, flags risky gaps and suggests hardened values for CSP, HSTS, COOP/COEP, Referrer-Policy and Permissions-Policy.

How can I allow extra domains in the suggested Content-Security-Policy?

Use the generated policy as a starting point and append host sources (for example https://cdn.example) to the directives that need additional scripts, styles or media before deploying it.

Can I export the recommendations for later review?

Yes. Copy the Apache or Nginx snippets with one click or download the JSON report to attach it to change-management tickets.

← SeguridadSecurity

HTTP Headers & CSP BuilderHTTP Headers & CSP Builder

Detecta cabeceras y genera CSP/HSTS con snippets Apache y Nginx. El resultado se revela tras la animación. Detect headers and generate CSP/HSTS with Apache & Nginx snippets. Result reveals after the animation.

ConsultaLookup

ResultadoOutput

Hardening playbook for headers and CSP Playbook de endurecimiento para cabeceras y CSP

Secure landing pages, dashboards and marketing microsites with a repeatable checklist that meets SEO and compliance requirements. Protege landings, dashboards y micrositios de marketing con un checklist repetible que cumple requisitos de SEO y compliance.

Audit existing responses to confirm HSTS, X-Frame-Options, Referrer-Policy and COOP/COEP coverage. Audita respuestas existentes para confirmar cobertura de HSTS, X-Frame-Options, Referrer-Policy y COOP/COEP.
Generate strict CSP directives that still allow trusted analytics, tag managers and media CDNs. Genera directivas CSP estrictas que sigan permitiendo analítica, tag managers y CDNs confiables.
Export server-ready snippets for Apache/Nginx and share JSON logs with engineering workflows. Exporta snippets listos para Apache/Nginx y comparte logs JSON con flujos de ingeniería.

Implementation checklist Checklist de implementación

Run the tool with production URLs and staging domains to detect mismatches. Ejecuta la herramienta con URLs de producción y dominios de staging para detectar discrepancias.
Document required script/style sources before deploying CSP to avoid broken experiences. Documenta las fuentes de script/estilos necesarias antes de desplegar CSP y evitar experiencias rotas.
Monitor browser console reports and security headers after publishing to ensure the policy loads correctly. Monitorea reportes de consola y cabeceras de seguridad tras publicar para asegurarte de que la política cargue correctamente.