Security Headers Checker Tool Online


Scan any website's HTTP security headers. Check for HSTS, Content-Security-Policy, X-Frame-Options, Permissions-Policy, and more — with actionable recommendations for every finding.


How the Security Headers Checker Works

This tool inspects the HTTP response headers that a web server sends to browsers. Here's the process:

  1. Enter a URL — type or paste any website address. The tool sends an HTTP HEAD request to retrieve only the headers (no page content is downloaded).
  2. Header inspection — it checks for 10 critical security headers recommended by OWASP and major browser vendors.
  3. Evaluation — each header is evaluated: present or missing, properly configured or suboptimal, with specific recommendations for improvement.
  4. Summary — results show a pass/warn/fail breakdown with color-coded status for quick assessment.

Why Security Headers Matter

Security headers are your website's first line of defense. They cost nothing to implement and protect against the most common web attacks:

  • XSS prevention — Content-Security-Policy controls which scripts can execute on your page. Without it, attackers can inject malicious JavaScript through comments, form fields, or compromised third-party resources.
  • Clickjacking protection — X-Frame-Options and CSP frame-ancestors prevent your site from being embedded in a hidden iframe on an attacker's page, where users might unknowingly click on your site's buttons.
  • HTTPS enforcement — HSTS ensures browsers always use HTTPS, eliminating the window of vulnerability during the first HTTP request. This protects against man-in-the-middle attacks on public Wi-Fi.
  • Data leak prevention — Referrer-Policy controls what URL information is sent to third-party sites. Without it, sensitive query parameters can leak to external services.
  • Browser feature control — Permissions-Policy lets you disable browser features (camera, mic, geolocation) that your site doesn't need, reducing your attack surface.

Combine this with the SSL Certificate Checker for a complete security profile, the Redirect Checker to verify HTTPS redirects are properly configured, and the Email Deliverability Checker to verify SPF/DKIM/DMARC for your domain — email security and web security go hand in hand. Also run the PHP Version Checker to ensure your server isn't running an end-of-life PHP version, which is a common source of security vulnerabilities.

Essential Security Headers to Implement

If you're starting from scratch, prioritize these headers in order:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains — enforces HTTPS for 1 year across all subdomains.
  • Content-Security-Policy — start with default-src 'self' and add sources as needed. This single header addresses the widest range of attack vectors.
  • X-Content-Type-Options: nosniff — one word, zero risk, prevents MIME sniffing attacks.
  • X-Frame-Options: DENY or SAMEORIGIN — prevents clickjacking. Takes 30 seconds to add.
  • Referrer-Policy: strict-origin-when-cross-origin — sensible default that shares the origin but not the path with third parties.
  • Permissions-Policy — disable features you don't use: camera=(), microphone=(), geolocation=().
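Worked example, added here and not the checker's own code: a small Python evaluator that applies the four-step process described above (headers in, per-header verdict, pass/warn/fail summary) using the recommended values from this list. The rule set, the pass/warn/fail thresholds, the helper names and the sample response are all assumptions of this example.

```python
import re

ONE_YEAR = 31536000  # minimum HSTS max-age recommended on this page

def check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        return "warn", "raise max-age to at least 31536000 (1 year)"
    if "includesubdomains" not in value.lower():
        return "warn", "add includeSubDomains once every subdomain serves HTTPS"
    return "pass", "HTTPS enforced for a year across subdomains"

def check_csp(value):
    if "'unsafe-inline'" in value or "'unsafe-eval'" in value:
        return "warn", "'unsafe-inline'/'unsafe-eval' allow inline script; tighten script-src"
    return "pass", "resource sources restricted"

def check_enum(allowed, hint):  # pass only for an allowed token, case-insensitive
    return lambda v: ("pass", "ok") if v.strip().lower() in allowed else ("warn", hint)

# (header, check, critical): a missing critical header fails, a missing optional one warns.
RULES = [
    ("Strict-Transport-Security", check_hsts, True),
    ("Content-Security-Policy", check_csp, True),
    ("X-Content-Type-Options", check_enum({"nosniff"}, "value must be nosniff"), True),
    ("X-Frame-Options", check_enum({"deny", "sameorigin"}, "use DENY or SAMEORIGIN"), False),
    ("Referrer-Policy", lambda v: ("pass", v.strip()), False),
    ("Permissions-Policy", lambda v: ("pass", v.strip()), False),
]

def evaluate(headers):
    """Map each checked header to (status, note); names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    results = {}
    for name, check, critical in RULES:
        value = lower.get(name.lower())
        if value is not None:
            results[name] = check(value)
        elif name == "X-Frame-Options" and "frame-ancestors" in lower.get("content-security-policy", ""):
            results[name] = ("pass", "covered by CSP frame-ancestors")  # the modern replacement
        else:
            results[name] = ("fail" if critical else "warn", "header missing")
    return results

def summary(results):  # pass/warn/fail counts, like the tool's colour-coded breakdown
    return {s: sum(1 for st, _ in results.values() if st == s) for s in ("pass", "warn", "fail")}

SAMPLE = {"Strict-Transport-Security": "max-age=86400",  # constructed sample, not from a real site
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Feed `evaluate()` the headers from a real HEAD response (for example `dict(resp.headers)` from `urllib`) to reproduce the tool's verdicts locally; the sample above deliberately uses a one-day HSTS max-age to show a warning.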

For a broader website audit, check your meta tags, schema markup, and broken links alongside security headers for a complete health check.

Security Headers: FAQ

What are HTTP security headers?
HTTP security headers are directives sent by a web server to the browser that instruct it how to behave when handling your site's content. They control which resources can load, whether the site can be embedded in iframes, how referrer information is shared, and whether HTTPS is enforced. Properly configured security headers are a critical layer of defense against common web attacks.
What does this security headers checker test?
This tool checks 10 key security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), and Cross-Origin-Embedder-Policy (COEP). For each header, it shows whether it's present, its value, and any recommendations.
What is Content-Security-Policy (CSP)?
CSP is the most powerful security header. It tells the browser which sources of content (scripts, styles, images, fonts, etc.) are allowed to load on your page. A properly configured CSP prevents cross-site scripting (XSS) attacks by blocking inline scripts and unauthorized external resources. It's also the modern replacement for X-Frame-Options via the frame-ancestors directive.
What is HSTS and why is it important?
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS when connecting to your site. Without it, a visitor's first request might go over unencrypted HTTP before being redirected. HSTS eliminates that vulnerability window. Set max-age to at least 31536000 (1 year) and include includeSubDomains if all your subdomains support HTTPS.
Do security headers affect SEO?
Not directly, but indirectly yes. Google uses HTTPS as a ranking signal, and HSTS enforces HTTPS. A site that gets hacked due to missing security headers may be flagged with a "This site may be hacked" warning in search results, which destroys click-through rates. Additionally, browsers may show security warnings for sites missing headers like X-Content-Type-Options, which erodes user trust.
What is the difference between pass, warning, and fail?
Pass means the header is present and properly configured. Warning means the header is missing but is recommended rather than critical, or is present but with a suboptimal configuration. Fail means a critical security header is missing — these should be fixed as a priority.
Which headers are most important to fix first?
Priority order: 1) Strict-Transport-Security — enforces HTTPS. 2) Content-Security-Policy — prevents XSS. 3) X-Content-Type-Options: nosniff — prevents MIME sniffing. 4) X-Frame-Options or CSP frame-ancestors — prevents clickjacking. These four cover the most common attack vectors.
How do I add security headers to my website?
It depends on your hosting: Vercel uses the headers config in vercel.json; Netlify uses a _headers file or netlify.toml; Apache uses .htaccess; Nginx uses add_header directives in the server block; Cloudflare has a Transform Rules feature for adding headers. Most headers are one-line additions to your server configuration.
Is this security headers checker free?
Yes. Completely free, no signup, no limits, and no ads. Built for developers, agencies, and security-conscious website owners.
Does this tool store the sites I check?
No. The tool only sends a HEAD request to check headers and returns the results. We do not store URLs, headers, or any data from the checking process.

Need Help Securing Your Website?

We help businesses implement security headers, SSL, and web security best practices.