Security Headers Checker
Check any website's HTTP security headers in seconds. Get a clear pass/fail for HSTS, Content-Security-Policy, and more — with copy-paste fixes.
This tool reads publicly available configuration (HTTP response headers). It performs no intrusive testing. Only scan domains you own or are authorized to assess.
What are HTTP security headers?
HTTP security headers are instructions a web server sends with every response telling the browser how to behave more safely — for example, to refuse to load the page in a frame, to only connect over HTTPS, or to restrict which scripts may run.
They are one of the cheapest, highest-leverage hardening steps available: most are a single line of server configuration, and together they shut down whole classes of attack such as clickjacking, protocol downgrade (SSL-strip), MIME-sniffing, and a large share of cross-site scripting (XSS) impact.
This checker reads the headers your site already returns on its homepage — exactly what any visitor's browser sees — and grades each one against current best practice. It performs no intrusive testing; it is equivalent to a single curl request.
How to fix missing security headers
Most findings are resolved by adding a response header in your web server, CDN, or application framework. Add them incrementally and re-test:
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload — tells the browser to use HTTPS only for this host (and its subdomains) for the whole max-age period, so later visits cannot be downgraded.
- Content-Security-Policy: start from default-src 'self' and widen deliberately — the single biggest XSS mitigation.
- X-Content-Type-Options: nosniff — stops the browser guessing a content type other than the one declared (MIME-type confusion).
- X-Frame-Options: DENY (or a CSP frame-ancestors directive) — prevents clickjacking by refusing to be framed.
- Referrer-Policy: strict-origin-when-cross-origin — stops full URLs (paths and query strings) leaking to third parties.
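A small grader for the five headers above, added here as an example and not the checker's own code: it takes a dict of response headers (from any HTTP client, e.g. `requests.get(url).headers`) and returns pass/warn/fail per header. The one-year HSTS threshold and the warn rules are assumptions chosen for the example; the sample response is constructed.

```python
import re
# Fix values from the page's checklist. Added example, not the checker's own code.
FIXES = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def grade_headers(headers):
    """Return {header: (status, note)}, status in pass/warn/fail. Case-insensitive lookup."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "").lower()
    out = {}
    for name, fix in FIXES.items():
        val = h.get(name)
        if val is None:  # absent: fail, unless CSP frame-ancestors replaces X-Frame-Options
            covered = name == "x-frame-options" and "frame-ancestors" in csp
            out[name] = ("pass", "covered by CSP frame-ancestors") if covered else ("fail", f"missing; add `{name}: {fix}`")
            continue
        low = val.lower()
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", low)
            age = int(m.group(1)) if m else 0
            if age < 31536000:  # one year, assumed minimum (what preload lists accept)
                out[name] = ("warn", f"max-age={age} is under a year; use `{fix}`")
            elif "includesubdomains" not in low:
                out[name] = ("warn", "add includeSubDomains to cover subdomains")
            else:
                out[name] = ("pass", val)
        elif name == "content-security-policy":
            weak = "'unsafe-inline'" in low or "'unsafe-eval'" in low
            out[name] = ("warn", "drop 'unsafe-inline'/'unsafe-eval'; use nonces or hashes") if weak else ("pass", val)
        elif name == "x-content-type-options":
            out[name] = ("pass", val) if low == "nosniff" else ("warn", "value must be `nosniff`")
        elif name == "x-frame-options":
            out[name] = ("pass", val) if low in ("deny", "sameorigin") else ("warn", "use DENY or SAMEORIGIN")
        else:  # referrer-policy
            out[name] = ("pass", val) if low in SAFE_REFERRER else ("warn", f"may leak full URLs; use `{fix}`")
    return out

# Constructed sample response (not a real site): short HSTS, weak CSP, no X-Frame-Options but CSP covers it, leaky referrer policy.
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
```

Run `grade_headers(SAMPLE)` to see the five verdicts; feed it the headers of a site you are authorized to assess to reproduce the checker's pass/fail table locally.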
Frequently asked questions
Is this security headers checker free?
Yes. It is completely free and open — no account, no email, no signup. Enter a domain and get the result immediately.
Does the test perform any intrusive scanning?
No. It only reads the HTTP response headers your site already returns on a normal request — the same thing any browser receives. It is passive and equivalent to a single curl request.
Which security headers does it check?
Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy, plus cookie flags and HTTPS-redirect behaviour.
Why did my site get a warning for a missing header?
Each missing header removes a layer of defense. The result explains what each one protects against and gives the exact header value to add. Fix them, then re-scan to confirm.