Security Headers Checker
Check your website's HTTP security headers. Instant results, free.
What Are HTTP Security Headers?
HTTP security headers are directives sent by your web server that tell browsers how to behave when handling your site's content. They add a layer of defense against common attacks — cross-site scripting, clickjacking, data injection, protocol downgrade attacks — without requiring changes to your application code.
They're essentially free security. Adding the right headers takes minutes and blocks entire categories of attacks. Yet most websites are missing at least one critical header.
Security Headers Explained
| Header | What it does | Protects against | Priority |
|---|---|---|---|
| Content-Security-Policy | Controls which resources the browser can load | XSS, data injection | Critical |
| Strict-Transport-Security | Forces HTTPS connections | Protocol downgrade, MITM | Critical |
| X-Content-Type-Options | Prevents MIME-type sniffing | Drive-by downloads | High |
| X-Frame-Options | Blocks framing (clickjacking) | Clickjacking attacks | High |
| Referrer-Policy | Controls referrer information sharing | Information leakage | Medium |
| Permissions-Policy | Restricts browser feature access | Feature abuse (camera, mic, geo) | Medium |
| Cross-Origin-Opener-Policy | Isolates browsing context | Cross-origin attacks | Medium |
| Cross-Origin-Resource-Policy | Controls cross-origin resource sharing | Data leaks | Medium |
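As an added example (not this checker's own code or grading logic), the following Python audits a set of response headers against the eight headers and priorities listed above, reporting which are missing and which are present but weak. The function names, the 180-day HSTS threshold and the sample headers are assumptions made for illustration.

```python
import re
# Header (lower-cased) -> priority, taken from the table above.
PRIORITY = {"content-security-policy": "Critical", "strict-transport-security": "Critical",
            "x-content-type-options": "High", "x-frame-options": "High",
            "referrer-policy": "Medium", "permissions-policy": "Medium",
            "cross-origin-opener-policy": "Medium", "cross-origin-resource-policy": "Medium"}
FIXED = {"x-content-type-options": ("nosniff",), "x-frame-options": ("deny", "sameorigin")}
MIN_HSTS_AGE = 15552000  # assumption: 180 days is the lowest acceptable max-age

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; the first duplicate wins."""
    parts = [p.lower().split() for p in reversed(value.split(";"))]
    return {p[0]: p[1:] for p in parts if p}

def weakness(name, value, csp):
    """Return why a present header is misconfigured, or None if it looks fine."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r'max-age\s*=\s*"?(\d+)', v)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            return "max-age missing or too short"
    elif name in FIXED and v not in FIXED[name]:
        return "expected one of: " + ", ".join(FIXED[name])
    elif name == "content-security-policy":
        src = csp.get("script-src", csp.get("default-src"))
        if src is None:
            return "no script-src or default-src, so scripts are unrestricted"
        hashed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)
        if "'unsafe-inline'" in src and not hashed:
            return "script sources allow 'unsafe-inline'"

def audit(response_headers):
    """Return (missing, weak); CSP frame-ancestors counts as covering X-Frame-Options."""
    h = {k.lower(): v for k, v in response_headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    covered = {"x-frame-options"} if "frame-ancestors" in csp else set()
    missing, weak = [], []
    for name, prio in PRIORITY.items():
        if name not in h and name not in covered:
            missing.append((prio, name))
        elif name in h and (reason := weakness(name, h[name], csp)):
            weak.append((prio, name, reason))
    return missing, weak

# Constructed response headers, not from a real site.
SAMPLE = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
          "Strict-Transport-Security": "max-age=300",
          "X-Content-Type-Options": "nosniff"}
print(audit(SAMPLE))
```

Presence alone is not the same as protection: the sample sends both Critical headers, yet both are reported as weak.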
Why Security Headers Matter
Missing or misconfigured security headers fall under the OWASP Top 10, specifically A05:2021 Security Misconfiguration. Missing headers are one of the most common findings in vulnerability assessments, and one of the easiest to fix.
Beyond Headers — Full Vulnerability Scanning
Security headers protect against specific attack vectors. But they don't protect against SQL injection, broken authentication, API vulnerabilities, or business logic flaws.
To find those, you need a vulnerability scanner that tests your entire application — not just its headers.
Scan Your Website for All Vulnerabilities
AI-powered scanner. OWASP Top 10 coverage. Proof-of-concept for every finding. Results in ~12 minutes. Free to start.
Frequently Asked Questions
Everything you need to know about security headers.
Is this security headers checker free?
Yes, completely free. No signup, no email required. You can also download a PDF report for free.
What security headers should every website have?
At minimum: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. These cover the most critical attack vectors.
How do I add security headers to my website?
It depends on your web server. Our tool provides copy-paste configuration snippets for nginx, Apache, Cloudflare, Vercel, Netlify, and Node.js/Express. Most headers can be added in under 5 minutes.
Are security headers enough to secure my website?
No. Security headers are an important layer of defense, but they don't protect against vulnerabilities like SQL injection, authentication flaws, or API issues. For comprehensive security testing, use a vulnerability scanner.
Does checking security headers affect my website?
No. The check sends a single HTTP request to your URL and reads the response headers. It doesn't modify anything or generate significant traffic.
What does each security header grade mean?
A+ means all critical and recommended headers are present and correctly configured. A-B means most headers are present with minor gaps. C means several important headers are missing. D-F means critical headers are absent.
