Security Headers Checker
Analyze HTTP security headers of any website. Get a security score and recommendations for improvement.
Note: Some websites may block security header analysis due to CORS policies. For best results, ensure the target allows cross-origin requests or use this tool on sites you control.
Security Headers Checker Online
Analyze HTTP security headers for any website. Free tool to check CSP, HSTS, X-Frame-Options, and more. Get actionable security recommendations.
How It Works
Enter a website URL. Our tool fetches the HTTP response headers and evaluates them against security best practices. It checks for headers like Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, and more, providing a grade and recommendations.
Common Use Cases
- Auditing your website's security posture before a launch or penetration test
- Checking if critical headers like HSTS and CSP are properly configured
- Comparing your security headers against industry best practices
- Identifying missing headers that could expose your site to XSS or clickjacking
Frequently Asked Questions
HTTP security headers are directives sent by a web server in the response. They tell the browser how to behave when handling the site's content, protecting against attacks like XSS and clickjacking.
Content-Security-Policy (CSP) is widely considered the most impactful, as it controls which resources the browser is allowed to load, which mitigates XSS by stopping injected scripts from running.
No, this tool only checks HTTP response headers. A full security audit should also include code review, dependency scanning, and penetration testing.
The critical headers are: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
CSP tells the browser which content sources are trusted, mitigating XSS by blocking scripts, styles, and other resources from any source the policy does not allow.
A strong HSTS header is: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. This tells browsers to use HTTPS only for one year (31536000 seconds) for the site and all of its subdomains; the preload directive signals that the domain may be submitted to the browsers' built-in HSTS preload lists.
Add 'X-Frame-Options: DENY' (blocks all framing) or 'X-Frame-Options: SAMEORIGIN' (allows only same-domain framing) to your server's response headers.
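The evaluation step described under How It Works and the header values recommended in the FAQ, turned into a small grader. This is an added example, not the tool's own code: the point values, grade thresholds and sample header sets are constructed assumptions.

```python
"""Toy grader for HTTP response security headers (added example, not the tool's own code)."""
import re

# The six headers the page calls critical; names are compared case-insensitively.
REQUIRED = ("content-security-policy", "strict-transport-security", "x-content-type-options",
            "x-frame-options", "referrer-policy", "permissions-policy")
ONE_YEAR = 31536000  # seconds; the HSTS max-age the page recommends

def evaluate_headers(headers):
    """Return (grade, findings) for a dict of response headers. Point values are assumptions."""
    h = {k.lower(): v for k, v in headers.items()}
    findings, score = [], 100
    for name in REQUIRED:  # a missing critical header costs the most
        if name not in h:
            findings.append(f"missing {name}")
            score -= 15
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows 'unsafe-inline'/'unsafe-eval', which undercuts XSS protection")
        score -= 10
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
            score -= 5
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
            score -= 5
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} is neither DENY nor SAMEORIGIN")
        score -= 5
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
        score -= 5
    score = max(score, 0)
    grade = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 60 else "F"
    return grade, findings

# Constructed header sets, not captured from any real site.
GOOD = {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "geolocation=()"}
WEAK = {"Content-Security-Policy": "default-src * 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=3600", "X-Frame-Options": "ALLOWALL"}
```

Feed it a dict of headers captured from your own server (for example `dict(resp.headers)` from a urllib or requests response) to see which findings the grading would raise.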