Free Online Tool
HTTP-Security-Header-Checker
Füge eine beliebige öffentliche URL ein und erhalte sofort eine Sicherheitsbewertung. Wir analysieren 8 kritische Antwort-Header, die vor XSS, Clickjacking, SSL-Stripping und MIME-Sniffing schützen – samt einsetzbarer Server-Direktiven für jeden fehlenden oder falsch konfigurierten Header.
Works with any public URL - we send a HEAD request server-side and analyze the response headers.
8 security headers
Checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.
Instant grading
Score from 0–100% with a letter grade (A+…F) weighted by header importance.
Fix guidance included
Every failing header includes an explanation and a ready-to-paste server directive.
Warum HTTP-Security-Header wichtig sind
HTTP-Security-Header sind serverseitige Direktiven, die in jeder Antwort gesendet werden und dem Browser vorgeben, wie er mit deinen Inhalten umgehen soll. Content-Security-Policy blockiert das Einschleusen von Inline-Skripten; Strict-Transport-Security verhindert SSL-Stripping; X-Frame-Options stoppt Clickjacking; X-Content-Type-Options verhindert MIME-Confusion-Angriffe. Falsch konfigurierte oder fehlende Header gehören zu den häufigsten Problemen in Web-Sicherheitsaudits.
The most impactful header for modern web apps is Content-Security-Policy. A properly configured CSP with script nonces removes the entire class of reflected and stored XSS vulnerabilities - regardless of whether your application has a bug. Combined with Strict-Transport-Security (which permanently upgrades all connections to HTTPS), these two headers alone eliminate a significant portion of the OWASP Top 10.
Server configuration snippets for Nginx, Apache, and Vercel/Next.js are shown inline for every failing header. For a deeper treatment of how CSP nonces work and how to deploy them without breaking your site, see our full guide on browser security fundamentals.
Security headers at a glance
| Header | Importance |
|---|---|
| Strict-Transport-Security | Critical |
| Content-Security-Policy | Critical |
| X-Frame-Options | High |
| X-Content-Type-Options | High |
| Referrer-Policy | Medium |
| Permissions-Policy | Medium |
Frequently asked questions
What is an HTTP security header?
An HTTP security header is a key-value pair sent by your server in an HTTP response, before the page body. Headers like Content-Security-Policy and Strict-Transport-Security instruct the browser to enforce security rules - blocking inline scripts, forcing HTTPS, preventing clickjacking - without any JavaScript on your page.
Why is my CSP grade failing even though I have a Content-Security-Policy header?
A CSP containing 'unsafe-inline' or 'unsafe-eval' allows browsers to run arbitrary inline scripts, which defeats most of its XSS protection. Our checker flags these as 'WEAK'. To pass, remove unsafe-inline and use script nonces or hashes instead.
How do I add security headers on my server?
On Nginx: add header directives inside your server {} or location {} block. On Apache: use Header set directives in .htaccess or httpd.conf. On Vercel/Next.js: add a headers() function in next.config.ts. On Cloudflare: use Transform Rules or a Worker to inject headers on every response.
Does this tool check all headers or only security headers?
We focus on the 8 headers with direct security impact: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cache-Control. The 'View all raw headers' panel shows every header returned by the server.
Is my URL stored or logged?
No. We send a HEAD request to your URL and return the headers to your browser. The URL is not persisted in any database. You can verify this by watching the Network panel in your browser DevTools.