Security Headers Checker Tool Online

Last updated:

Scan any website's HTTP security headers. Check for HSTS, Content-Security-Policy, X-Frame-Options, Permissions-Policy, and more, with actionable recommendations for every finding.

Enter a website to scan its security headers:

How the Security Headers Checker Works

This tool inspects the HTTP response headers that a web server sends to browsers. Here's the process:

  1. Enter a URL, type or paste any website address. The tool sends an HTTP HEAD request to retrieve only the headers (no page content is downloaded).
  2. Header inspection, it checks for 10 critical security headers recommended by OWASP and major browser vendors.
  3. Evaluation, each header is evaluated: present or missing, properly configured or suboptimal, with specific recommendations for improvement.
  4. Summary, results show a pass/warn/fail breakdown with color-coded status for quick assessment.

Why Security Headers Matter

Security headers are your website's first line of defense. They cost nothing to implement and protect against the most common web attacks:

  • XSS prevention, Content-Security-Policy controls which scripts can execute on your page. Without it, attackers can inject malicious JavaScript through comments, form fields, or compromised third-party resources.
  • Clickjacking protection, X-Frame-Options and CSP frame-ancestors prevent your site from being embedded in a hidden iframe on an attacker's page, where users might unknowingly click on your site's buttons.
  • HTTPS enforcement, HSTS ensures browsers always use HTTPS, eliminating the window of vulnerability during the first HTTP request. This protects against man-in-the-middle attacks on public Wi-Fi.
  • Data leak prevention, Referrer-Policy controls what URL information is sent to third-party sites. Without it, sensitive query parameters can leak to external services.
  • Browser feature control, Permissions-Policy lets you disable browser features (camera, mic, geolocation) that your site doesn't need, reducing your attack surface.

Combine this with the SSL Certificate Checker for a complete security profile, the Redirect Checker to verify HTTPS redirects are properly configured, and the Email Deliverability Checker to verify SPF/DKIM/DMARC for your domain, email security and web security go hand in hand. Also run the PHP Version Checker to ensure your server isn't running an end-of-life PHP version, which is a common source of security vulnerabilities.

Essential Security Headers to Implement

If you're starting from scratch, prioritize these headers in order:

  • Strict-Transport-Security, max-age=31536000; includeSubDomains, enforces HTTPS for 1 year across all subdomains.
  • Content-Security-Policy, start with default-src 'self' and add sources as needed. This single header addresses the widest range of attack vectors.
  • X-Content-Type-Options, nosniff, one word, zero risk, prevents MIME sniffing attacks.
  • X-Frame-Options, DENY or SAMEORIGIN, prevents clickjacking. Takes 30 seconds to add.
  • Referrer-Policy, strict-origin-when-cross-origin, sensible default that shares origin but not path to third parties.
  • Permissions-Policy, disable features you don't use: camera=(), microphone=(), geolocation=()

For a broader website audit, check your meta tags, schema markup, and broken links alongside security headers for a complete health check.

Key HTTP Security Headers and Recommended Values

Use this reference to understand what each core security header does and a sensible value to start with. Adjust the exact directives to fit your site, but these defaults are a safe, widely recommended baseline.

Header Purpose Recommended value
Strict-Transport-Security Forces browsers to connect over HTTPS only, eliminating the insecure first request. max-age=31536000; includeSubDomains
Content-Security-Policy Restricts which scripts, styles, and other resources can load, the strongest defense against XSS. default-src 'self' (then add trusted sources as needed)
X-Content-Type-Options Stops browsers from MIME-sniffing a response away from its declared content type. nosniff
X-Frame-Options Prevents your pages from being embedded in iframes, defending against clickjacking. SAMEORIGIN (or DENY)
Referrer-Policy Controls how much referrer information is sent to other sites, limiting data leakage. strict-origin-when-cross-origin
Permissions-Policy Disables powerful browser features (camera, mic, geolocation) your site doesn't use. camera=(), microphone=(), geolocation=()

Next steps

Security Headers Checker related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

WordPress REST API Exposure Checker Tool Online

WP REST API Exposure Checker

 WordPress Version Exposure Checker Tool Online

WordPress Version Checker

 WordPress XML-RPC Exposure Checker Tool Online

XML-RPC Exposure Checker

 WordPress vs Astro: Which Is Better for Business in 2026?

WordPress vs Astro: Which Is Better for Business in 2026?

 Benefits of Static Websites: Speed, Security, and SEO in 2026

Benefits of Static Websites: Speed, Security, and SEO in 2026

 Static vs Dynamic Websites: Differences and Which to Choose

Static vs Dynamic Websites: Differences and Which to Choose

Security Headers: FAQ

What are HTTP security headers?
HTTP security headers are directives sent by a web server to the browser that instruct it how to behave when handling your site's content. They control which resources can load, whether the site can be embedded in iframes, how referrer information is shared, and whether HTTPS is enforced. Properly configured security headers are a critical layer of defense against common web attacks.
What does this security headers checker test?
This tool checks 10 key security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), and Cross-Origin-Embedder-Policy (COEP). For each header, it shows whether it's present, its value, and any recommendations.
What is Content-Security-Policy (CSP)?
CSP is the most powerful security header. It tells the browser which sources of content (scripts, styles, images, fonts, etc.) are allowed to load on your page. A properly configured CSP prevents cross-site scripting (XSS) attacks by blocking inline scripts and unauthorized external resources. It's also the modern replacement for X-Frame-Options via the frame-ancestors directive.
What is HSTS and why is it important?
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS when connecting to your site. Without it, a visitor's first request might go over unencrypted HTTP before being redirected. HSTS eliminates that vulnerability window. Set max-age to at least 31536000 (1 year) and include includeSubDomains if all your subdomains support HTTPS.
Do security headers affect SEO?
Not directly, but indirectly yes. Google uses HTTPS as a ranking signal, and HSTS enforces HTTPS. A site that gets hacked due to missing security headers may be flagged with a "This site may be hacked" warning in search results, which destroys click-through rates. Additionally, browsers may show security warnings for sites missing headers like X-Content-Type-Options, which erodes user trust.
What is the difference between pass, warning, and fail?
Pass means the header is present and properly configured. Warning means the header is missing but is recommended rather than critical, or is present but with a suboptimal configuration. Fail means a critical security header is missing, these should be fixed as a priority.
Which headers are most important to fix first?
Priority order: 1) Strict-Transport-Security, enforces HTTPS. 2) Content-Security-Policy, prevents XSS. 3) X-Content-Type-Options: nosniff, prevents MIME sniffing. 4) X-Frame-Options or CSP frame-ancestors, prevents clickjacking. These four cover the most common attack vectors.
How do I add security headers to my website?
It depends on your hosting: Vercel uses vercel.json headers config, Netlify uses _headers file or netlify.toml, Apache uses .htaccess, Nginx uses add_header directives in the server block, Cloudflare has a Transform Rules feature for adding headers. Most headers are one-line additions to your server configuration.
Is this security headers checker free?
Yes. Completely free, no signup, no limits, and no ads. Built for developers, agencies, and security-conscious website owners.
Why does a site I trust still fail some header checks?
A failing or missing header does not mean a site is hacked, it means a recommended defense layer is not in place. Some sites intentionally omit headers like Content-Security-Policy because a strict policy can break third-party scripts if it is not configured carefully. Treat fails as a prioritized to-do list: start with Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options, then add the rest as you verify they don't break functionality.
Does this tool store the sites I check?
No. The tool only sends a HEAD request to check headers and returns the results. We do not store URLs, headers, or any data from the checking process.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.

Get My Free Audit 💪

Need Help Securing Your Website?

We help businesses implement security headers, SSL, and web security best practices.

See Maintenance Plans 🤙