HTTP Security Header Checker
Instantly analyze your website's security headers. Get a grade and specific fix recommendations. No signup required.
What are HTTP Security Headers?
HTTP security headers are directives sent by your web server that tell the browser how to handle your site's content. They protect against common web attacks including cross-site scripting (XSS), clickjacking, MIME sniffing, and man-in-the-middle attacks. Missing security headers are among the most common security issues on the web, and also among the easiest to fix.
Which Headers Does This Tool Check?
- Strict-Transport-Security (HSTS): forces HTTPS, prevents downgrade attacks
- Content-Security-Policy (CSP): controls resource loading, mitigates XSS
- X-Content-Type-Options: prevents MIME sniffing
- X-Frame-Options: prevents clickjacking
- Referrer-Policy: controls referrer information leakage
- Permissions-Policy: restricts browser feature access
- Server / X-Powered-By: information disclosure checks
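As an added illustration of what a checker like this does (this is example code written for this page, not the CyberOrbit tool's own implementation), the script below evaluates a constructed set of response headers against the checks listed above, reports missing, weak and information-leaking headers with a fix recommendation for each, and turns the findings into a letter grade. The sample headers, the penalty weights and the grade thresholds are assumptions chosen for the example; the one-year HSTS minimum, the nosniff value and the unsafe-inline/unsafe-eval CSP keywords are the standard recommendations.

```python
"""Minimal HTTP security header checker (added example, not the tool's code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
}

ONE_YEAR = 31536000  # seconds; the commonly recommended HSTS minimum


def _get(headers: Dict[str, str], name: str):
    # Header field names are case-insensitive, so compare lower-cased.
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, status, recommendation) triples.
    status is one of 'ok', 'weak', 'missing' or 'leak'."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing",
                         "Add: max-age=31536000; includeSubDomains"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", "weak",
                             f"max-age is {age}s; use at least {ONE_YEAR} (one year)"))
        else:
            findings.append(("Strict-Transport-Security", "ok", ""))

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing",
                         "Add a policy, starting from default-src 'self'"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("Content-Security-Policy", "weak",
                         "Drop 'unsafe-inline'/'unsafe-eval'; use nonces or hashes"))
    else:
        findings.append(("Content-Security-Policy", "ok", ""))

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing", "Add: nosniff"))
    else:
        findings.append(("X-Content-Type-Options", "ok", ""))

    # A CSP frame-ancestors directive is the modern replacement for X-Frame-Options.
    xfo = _get(headers, "X-Frame-Options")
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp
    if xfo is None and not has_frame_ancestors:
        findings.append(("X-Frame-Options", "missing",
                         "Add: DENY (or a CSP frame-ancestors directive)"))
    else:
        findings.append(("X-Frame-Options", "ok", ""))

    rp = _get(headers, "Referrer-Policy")
    if rp is None:
        findings.append(("Referrer-Policy", "missing", "Add: strict-origin-when-cross-origin"))
    elif rp.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("Referrer-Policy", "weak",
                         "Sends the full URL cross-origin; use strict-origin-when-cross-origin"))
    else:
        findings.append(("Referrer-Policy", "ok", ""))

    if _get(headers, "Permissions-Policy") is None:
        findings.append(("Permissions-Policy", "missing",
                         "Add: camera=(), microphone=(), geolocation=()"))
    else:
        findings.append(("Permissions-Policy", "ok", ""))

    # Information disclosure: any Server / X-Powered-By value is reported,
    # and a version number in it is called out explicitly.
    for leaky in ("Server", "X-Powered-By"):
        val = _get(headers, leaky)
        if val and re.search(r"\d", val):
            findings.append((leaky, "leak", f"Discloses '{val}'; remove the header or strip the version"))
        elif val:
            findings.append((leaky, "leak", f"Discloses '{val}'; consider removing the header"))
    return findings


def grade(findings: List[Tuple[str, str, str]]) -> Tuple[str, int]:
    """Start at 100 and deduct per finding (weights are an assumption of this example)."""
    penalty = {"missing": 15, "weak": 8, "leak": 3, "ok": 0}
    score = max(0, 100 - sum(penalty[status] for _, status, _ in findings))
    for threshold, letter in ((90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if score >= threshold:
            return letter, score
    return "F", score


if __name__ == "__main__":
    results = check_headers(SAMPLE_HEADERS)
    for header, status, fix in results:
        print(f"{status:8} {header}: {fix}")
    print("Grade:", grade(results))
```

Running it on the constructed sample reports a short HSTS max-age, an inline-script CSP, a missing X-Frame-Options and Permissions-Policy, a leaky Referrer-Policy and two disclosing headers, which lands it at a D; a response carrying the recommended values for each header scores an A.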
Frequently Asked Questions
What security headers should every website have?
Every website should have: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
How do I add security headers to my website?
Security headers are set by your web server or framework. In Nginx, use add_header directives. In Apache, use Header set. In Next.js, configure them in middleware. In Express, use the helmet npm package.
Is this tool free?
Yes, completely free with no signup required. For a comprehensive security assessment covering XSS, SQL injection, SSRF, and 20+ more vulnerability classes, try a free CyberOrbit assessment.