Free Security Header Checker
Analyze HTTP security headers on any website. Check CSP, HSTS, X-Frame-Options, and more with instant pass/fail results.
What Are HTTP Security Headers?
HTTP security headers are directives sent by your web server that tell browsers how to behave when handling your site's content. They form a critical defense layer against common web attacks like cross-site scripting (XSS), clickjacking, and data injection.
Headers We Check
Content-Security-Policy (CSP)
Controls which resources the browser is allowed to load. The single most effective header against XSS attacks. Defines trusted sources for scripts, styles, images, and other content.
Strict-Transport-Security (HSTS)
Forces browsers to only connect over HTTPS. Prevents SSL stripping attacks where an attacker downgrades your connection to unencrypted HTTP.
X-Frame-Options
Prevents your site from being embedded in iframes on other domains. Blocks clickjacking attacks where attackers overlay invisible frames to trick users into clicking hidden buttons.
X-Content-Type-Options
Prevents browsers from MIME-type sniffing. Without this, browsers might interpret a file as a different type, enabling content-type confusion attacks.
Referrer-Policy
Controls how much referrer information is included when navigating away from your site. Prevents leaking sensitive URL parameters to third parties.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation) can be used by your site and any embedded content.
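As an added illustration of the pass/fail checks listed above (example code written for this page, not the checker's own source), the Python below grades a constructed set of response headers; the one-year HSTS threshold and the set of referrer policies treated as safe are this example's assumptions:

```python
import re

ONE_YEAR = 365 * 24 * 3600  # HSTS max-age threshold chosen for this example
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def _csp_directives(csp):
    """Parse "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def check_headers(headers):
    """Return {header: (passed, reason)} for the six headers discussed above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    r = {}
    d = _csp_directives(h.get("content-security-policy", ""))
    script = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
    if script is None:
        r["Content-Security-Policy"] = (False, "missing or no script-src/default-src")
    elif "'unsafe-inline'" in script or "*" in script:
        r["Content-Security-Policy"] = (False, "script sources allow 'unsafe-inline' or *")
    else:
        r["Content-Security-Policy"] = (True, "script sources restricted")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    age = int(m.group(1)) if m else 0
    r["Strict-Transport-Security"] = (age >= ONE_YEAR, f"max-age={age}")
    xfo = h.get("x-frame-options", "").upper()
    r["X-Frame-Options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")
    xcto = h.get("x-content-type-options", "").lower()
    r["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")
    rp = h.get("referrer-policy", "").lower()
    r["Referrer-Policy"] = (rp in SAFE_REFERRER, rp or "missing")
    pp = h.get("permissions-policy", "")
    r["Permissions-Policy"] = (bool(pp), pp or "missing")
    return r

# Constructed sample response headers, not captured from any real site.
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
for name, (ok, why) in check_headers(SAMPLE).items():
    print(f"{'PASS' if ok else 'FAIL'}  {name}: {why}")
```

Only X-Content-Type-Options passes for the sample above; the other five fail because the header is missing, too weak, or obsolete (ALLOW-FROM is no longer honoured by current browsers).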
Why Security Headers Matter
Security headers are one of the easiest and most impactful security improvements you can make. They typically require just a few lines of server configuration but protect against entire classes of attacks. Most can be added in minutes via your web server config, CDN settings, or framework middleware.
Major sites like Google, GitHub, and Cloudflare all use comprehensive security headers. If your site is missing them, you're leaving easy security wins on the table.