HTTP Security & Performance
Paste your URL. HeadersFixer scans your live HTTP headers and generates stack-specific config for Nginx, Cloudflare, Vercel, Apache, and Express.
Detects missing or misconfigured security headers. Generates stack-specific fixes for Nginx, Apache, Vercel, Cloudflare, and Express.
Your URL never leaves your browser — this is a live client-side fetch
Tip: get headers with curl -sI https://your-domain.com
About HeadersFixer
What does HeadersFixer check?
HeadersFixer fetches live HTTP response headers from your URL and checks for missing or misconfigured security headers including Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
How does stack detection work?
The tool reads the Server response header and proxy-specific headers (Cf-Ray for Cloudflare, X-Vercel-ID for Vercel, X-NF-Request-ID for Netlify) to identify your stack. Config output is then tailored to that stack — Nginx, Apache, Cloudflare, Vercel, Express, or Caddy.
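The header check and stack detection described above can be sketched as follows; this is an added example, not HeadersFixer's own code. The function names, the detection order, the X-Powered-By test for Express, the meaning given to "misconfigured", and the sample response are all assumptions.

```javascript
// Added example (not HeadersFixer's code). Header list and proxy markers are from the page.
const CHECKED = ['strict-transport-security', 'content-security-policy', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy'];

// Parse `curl -sI` output into a map keyed by lower-cased header name.
function parseHeaders(raw) {
  const h = Object.create(null);               // no prototype keys to collide with
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;                      // status line, blank or malformed line
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    h[name] = name in h ? `${h[name]}, ${value}` : value;   // join repeated headers
  }
  return h;
}

// Assumption: proxy markers win over Server, since an edge in front of the origin
// usually replaces the origin's Server value. X-Powered-By for Express is also assumed.
function detectStack(h) {
  if ('cf-ray' in h) return 'Cloudflare';
  if ('x-vercel-id' in h) return 'Vercel';
  if ('x-nf-request-id' in h) return 'Netlify';
  const server = (h['server'] || '').toLowerCase();
  for (const s of ['Nginx', 'Apache', 'Caddy']) {
    if (server.includes(s.toLowerCase())) return s;
  }
  return /express/i.test(h['x-powered-by'] || '') ? 'Express' : 'unknown';
}

// Assumption: "misconfigured" here means a value that disables the header's protection.
function audit(raw) {
  const h = parseHeaders(raw);
  const bad = [];
  const hsts = h['strict-transport-security'];
  const maxAge = /max-age="?(\d+)/i.exec(hsts || '');
  if (hsts !== undefined && (!maxAge || Number(maxAge[1]) === 0)) bad.push('strict-transport-security');
  const xcto = h['x-content-type-options'];
  if (xcto !== undefined && xcto.toLowerCase() !== 'nosniff') bad.push('x-content-type-options');
  return { stack: detectStack(h), missing: CHECKED.filter((n) => !(n in h)), misconfigured: bad };
}

// Constructed sample response (placeholder Cf-Ray value).
const SAMPLE = ['HTTP/2 200', 'server: cloudflare', 'cf-ray: 0000000000000000-XXX',
  'Strict-Transport-Security: max-age=0', 'X-Content-Type-Options: nosniff',
  'x-frame-options: DENY', ''].join('\r\n');
console.log(audit(SAMPLE));
```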
Is my URL stored or logged?
No. The fetch happens client-side in your browser via a stateless Cloudflare Worker proxy. Your URL is not stored, logged, or associated with any account.
Which security headers matter most?
Strict-Transport-Security prevents downgrade attacks. Content-Security-Policy reduces XSS risk. X-Frame-Options blocks clickjacking. X-Content-Type-Options prevents MIME sniffing. These four cover the most common vulnerabilities addressed by HTTP headers.