
Security Headers Checker

Check and grade your website's HTTP security headers with actionable recommendations.

What This Tool Checks

Comprehensive analysis of critical HTTP security headers.

HSTS Detection

Checks the Strict-Transport-Security header to ensure HTTPS is enforced with a proper max-age and includeSubDomains.

CSP Analysis

Validates Content-Security-Policy to verify that resource loading restrictions are in place.

Clickjacking Protection

Checks X-Frame-Options and Cross-Origin policies that prevent your site from being embedded in malicious frames.

Privacy Headers

Evaluates Referrer-Policy and Permissions-Policy to protect user privacy and limit browser API access.

Cross-Origin Isolation

Checks COOP, CORP, and COEP headers for proper cross-origin isolation and resource protection.

How It Works

Three steps to grade your security headers.

1. Enter a URL

Type or paste any URL. The tool fetches the page and inspects all HTTP response headers.

2. Analyze Headers

Each security header is checked for presence and evaluated for proper configuration, receiving a grade.

3. Get Your Grade

View your overall A-F grade, see which headers are present or missing, and follow actionable recommendations.

Frequently Asked Questions

Common questions about web security headers.

What are HTTP security headers?

HTTP security headers are response headers that instruct browsers on how to behave when handling your site. They defend against attacks like cross-site scripting (XSS), clickjacking, MIME sniffing, and protocol downgrades. Properly configuring these headers is one of the easiest and most effective ways to improve web security.

What is a good security headers score?

A grade of A (90%+) means most critical headers are present and well-configured. Grade B (75-89%) indicates good coverage with room for improvement. Grades C and below suggest significant security headers are missing. Focus first on HSTS, CSP, X-Content-Type-Options, and X-Frame-Options.

Which security headers are most important?

The most critical headers are Strict-Transport-Security (HSTS) for enforcing HTTPS, Content-Security-Policy (CSP) for preventing XSS, X-Content-Type-Options for stopping MIME sniffing, and X-Frame-Options for preventing clickjacking. These four provide the strongest baseline protection.
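
A minimal grader for the four headers named above, as an added example that is not this tool's own code. The equal weighting, the 180-day HSTS minimum, the CSP criterion and the C/D/F cut-offs are assumptions (only the A and B thresholds come from this page), and SAMPLE is a constructed response.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # assumption: 180 days; the page only asks for a "proper" max-age

def check_hsts(value):
    """HSTS passes only with a long enough max-age AND includeSubDomains."""
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((d for d in directives if d.startswith("max-age")), "")
    age = re.match(r'max-age\s*=\s*"?(\d+)', max_age)
    return bool(age) and int(age.group(1)) >= MIN_HSTS_MAX_AGE and "includesubdomains" in directives

def check_csp(value):
    """Assumed criterion: scripts are restricted (script-src, else default-src) and not wildcarded."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence of a directive wins
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is not None and "*" not in sources

CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

def grade(headers):
    """Return (score percent, letter, per-header finding) for a dict of response headers."""
    seen = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    for name, check in CHECKS.items():
        if name not in seen:
            findings[name] = "missing"
        else:
            findings[name] = "ok" if check(seen[name]) else "weak"
    score = 100 * sum(f == "ok" for f in findings.values()) // len(CHECKS)
    for letter, floor in (("A", 90), ("B", 75), ("C", 60), ("D", 40)):  # C and D floors assumed
        if score >= floor:
            return score, letter, findings
    return score, "F", findings

# Constructed sample: three headers configured well, X-Frame-Options set to an invalid value.
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; img-src *",
    "X-Content-Type-Options": "nosniff",
    "x-frame-options": "ALLOWALL",
}
```

A header that is present but misconfigured scores the same as a missing one here, which is why the sample lands on a B rather than an A.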

How do I add security headers to my website?

Security headers are configured on your web server or CDN. In Nginx, use the add_header directive. In Apache, use the Header set directive. CDNs like Cloudflare offer security header settings in their dashboard. Many frameworks also support setting headers programmatically in their server configuration.
