alexi.sh

Free Online Tool

HTTP security header checker

Paste any public URL and get an instant security grade. We analyze 8 critical response headers that protect against XSS, clickjacking, SSL stripping and MIME sniffing, with ready-to-copy server directives.

Works with any public URL — we send a HEAD request server-side and analyze the response headers.

8 security headers

Checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.

Instant grading

Score from 0–100% with a letter grade (A+…F) weighted by header importance.

Fix guidance included

Every failing header includes an explanation and a ready-to-paste server directive.

Why HTTP security headers matter

HTTP security headers are server-side directives sent with every response that tell the browser how to handle your content. Content-Security-Policy blocks script injection; Strict-Transport-Security prevents SSL stripping; X-Frame-Options stops clickjacking; X-Content-Type-Options prevents MIME confusion attacks. Missing or misconfigured headers are among the most common findings in web security audits.

The most impactful header for modern web apps is Content-Security-Policy. A properly configured CSP with script nonces stops reflected and stored XSS from executing, even when your application contains an injection bug. Combined with Strict-Transport-Security (which permanently upgrades all connections to HTTPS), these two headers alone eliminate a significant portion of the OWASP Top 10.

Server configuration snippets for Nginx, Apache, and Vercel/Next.js are shown inline for every failing header. For a deeper treatment of how CSP nonces work and how to deploy them without breaking your site, see our full guide on browser security fundamentals.

Security headers at a glance

Header                      Importance
Strict-Transport-Security   Critical
Content-Security-Policy     Critical
X-Frame-Options             High
X-Content-Type-Options      High
Referrer-Policy             Medium
Permissions-Policy          Medium

Frequently asked questions

What is an HTTP security header?

An HTTP security header is a key-value pair sent by your server in an HTTP response, before the page body. Headers like Content-Security-Policy and Strict-Transport-Security instruct the browser to enforce security rules — blocking inline scripts, forcing HTTPS, preventing clickjacking — without any JavaScript on your page.

Why is my CSP grade failing even though I have a Content-Security-Policy header?

A CSP containing 'unsafe-inline' or 'unsafe-eval' allows browsers to run arbitrary inline scripts, which defeats most of its XSS protection. Our checker flags these as 'WEAK'. To pass, remove 'unsafe-inline' (and 'unsafe-eval') and use script nonces or hashes instead.

How do I add security headers on my server?

On Nginx: add add_header directives inside your server {} or location {} block. On Apache: use Header set directives in .htaccess or httpd.conf. On Vercel/Next.js: add a headers() function in next.config.ts. On Cloudflare: use Transform Rules or a Worker to inject headers on every response.

Does this tool check all headers or only security headers?

We focus on the 8 headers with direct security impact: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cache-Control. The 'View all raw headers' panel shows every header returned by the server.
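As an added example (not the alexi.sh tool's own code), here is a small Python grader over the 8 headers listed above. It applies the 'WEAK' CSP rule from the earlier question and produces the weighted 0–100% score with a letter grade. The importance weights, the one-year HSTS threshold, the letter-grade cut-offs and the two sample header sets are all assumptions constructed for illustration; the page does not publish the tool's actual weights.

```python
"""Grade the 8 response headers a security-header checker looks at.

Added example, not the alexi.sh tool's own code. Importance weights and letter-grade
thresholds below are assumptions; the page only states that the score is weighted.
"""
import urllib.request
from typing import Callable, Mapping

# Importance -> weight (assumed). PASS earns the full weight, WEAK half, MISSING nothing.
WEIGHTS = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def _csp(v: str) -> str:
    # A CSP containing 'unsafe-inline' or 'unsafe-eval' lets inline scripts run: WEAK.
    return "WEAK" if "'unsafe-inline'" in v or "'unsafe-eval'" in v else "PASS"


def _hsts(v: str) -> str:
    # WEAK if max-age is absent or below one year (assumed threshold).
    for part in v.split(";"):
        key, _, num = part.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return "PASS" if int(num.strip()) >= 31536000 else "WEAK"
    return "WEAK"


def _xfo(v: str) -> str:
    return "PASS" if v.strip().upper() in ("DENY", "SAMEORIGIN") else "WEAK"


def _nosniff(v: str) -> str:
    return "PASS" if v.strip().lower() == "nosniff" else "WEAK"


def _referrer(v: str) -> str:
    safe = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
    # A comma-separated fallback list is allowed; browsers use the last value they support.
    return "PASS" if v.split(",")[-1].strip().lower() in safe else "WEAK"


def _present(v: str) -> str:
    return "PASS"  # Permissions-Policy: presence is enough for this simplified check.


def _xss(v: str) -> str:
    # "0" disables the legacy filter; "1; mode=block" is the only other non-weak form.
    return "PASS" if "".join(v.split()).lower() in ("0", "1;mode=block") else "WEAK"


def _cache(v: str) -> str:
    # Simplified: any explicit policy that keeps responses out of shared caches passes.
    tokens = {t.strip().lower() for t in v.split(",")}
    return "PASS" if tokens & {"no-store", "no-cache", "private"} else "WEAK"


CHECKS: list[tuple[str, str, Callable[[str], str]]] = [
    ("Strict-Transport-Security", "Critical", _hsts),
    ("Content-Security-Policy", "Critical", _csp),
    ("X-Frame-Options", "High", _xfo),
    ("X-Content-Type-Options", "High", _nosniff),
    ("Referrer-Policy", "Medium", _referrer),
    ("Permissions-Policy", "Medium", _present),
    ("X-XSS-Protection", "Low", _xss),
    ("Cache-Control", "Low", _cache),
]


def grade(headers: Mapping[str, str]) -> dict:
    """Return {'findings': {header: status}, 'score': percent, 'letter': grade}."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings, earned, total = {}, 0.0, 0
    for name, importance, check in CHECKS:
        weight = WEIGHTS[importance]
        total += weight
        value = lower.get(name.lower())
        status = "MISSING" if value is None else check(value)
        findings[name] = status
        earned += {"PASS": weight, "WEAK": weight / 2, "MISSING": 0}[status]
    score = round(100 * earned / total)
    cutoffs = ((95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (0, "F"))  # assumed
    letter = next(l for cut, l in cutoffs if score >= cut)
    return {"findings": findings, "score": score, "letter": letter}


def fetch_headers(url: str, timeout: float = 10) -> dict:
    """HEAD request as the checker describes; the offline samples below do not use it."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0",
    "Cache-Control": "no-store",
}
SAMPLE_WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Cache-Control": "private, max-age=600",
}

if __name__ == "__main__":
    for label, hdrs in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        result = grade(hdrs)
        print(f"{label}: {result['score']}% ({result['letter']})")
        for header, status in result["findings"].items():
            print(f"  {header}: {status}")
```

Running the script grades both constructed samples; to grade a live site, pass `fetch_headers("https://example.invalid")` (a placeholder URL) into `grade()`. Note that `urlopen` follows redirects, so the graded headers are those of the final response, which is usually what you want when a plain-HTTP URL upgrades to HTTPS.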

Is my URL stored or logged?

No. We send a HEAD request to your URL and return the headers to your browser. The URL is not persisted in any database. You can verify this by watching the Network panel in your browser DevTools.