Free Online Tool
HTTP Security Header Checker
Paste any public URL and get an instant security grade. We analyze 8 critical response headers that protect against XSS, clickjacking, SSL stripping and MIME sniffing, with ready-to-use server directives for every missing header.
Works with any public URL — we send a HEAD request server-side and analyze the response headers.
8 security headers
Checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.
Instant grading
Score from 0–100% with a letter grade (A+…F) weighted by header importance.
Fix guidance included
Every failing header includes an explanation and a ready-to-paste server directive.
Why HTTP security headers matter
HTTP security headers are server-side directives sent with every response that tell the browser how to handle your content. Content-Security-Policy blocks injection of inline scripts; Strict-Transport-Security prevents SSL stripping; X-Frame-Options stops clickjacking; X-Content-Type-Options prevents MIME confusion attacks. Missing or misconfigured headers are one of the most common findings in web security audits.
The most impactful header for modern web apps is Content-Security-Policy. A properly configured CSP with script nonces removes the entire class of reflected and stored XSS vulnerabilities — regardless of whether your application has a bug. Combined with Strict-Transport-Security (which permanently upgrades all connections to HTTPS), these two headers alone eliminate a significant portion of the OWASP Top 10.
Server configuration snippets for Nginx, Apache, and Vercel/Next.js are shown inline for every failing header. For a deeper treatment of how CSP nonces work and how to deploy them without breaking your site, see our full guide on browser security fundamentals.
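To show what "CSP with script nonces" means in practice, here is an added example (not the tool's own code and not from the guide it links to) that generates a fresh nonce per response, builds a strict nonce-based policy, and models how a browser would treat a script tag that lacks the nonce. The `respond`, `build_csp` and `scripts_allowed` helpers, the HSTS value and the policy directives are illustrative assumptions; the enforcement model is deliberately simplified to the nonce rule only.

```python
import html
import re
import secrets


def make_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64url-encoded. A nonce must be
    # unpredictable and generated once per response, never reused.
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    # Strict, nonce-based policy (assumed directive set): only scripts that
    # carry this nonce run; 'strict-dynamic' lets those trusted scripts load
    # further scripts without listing every host; object-src/base-uri 'none'
    # close the usual plugin and <base>-hijack bypasses.
    directives = [
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
    ]
    return "; ".join(directives)


def render_page(nonce: str, inline_js: str) -> str:
    # The application's own inline script is tagged with the current nonce,
    # so it is allowed; anything injected later will not know the nonce.
    return (
        "<!doctype html><html><head>"
        f'<script nonce="{html.escape(nonce)}">{inline_js}</script>'
        "</head><body>Hello</body></html>"
    )


def respond(inline_js: str):
    # One request/response cycle: nonce -> headers -> body. Returns (headers, body).
    nonce = make_nonce()
    headers = {
        "Content-Security-Policy": build_csp(nonce),
        # Two years, subdomains included (assumed value; preload is opt-in).
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    }
    return headers, render_page(nonce, inline_js)


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r'nonce="([^"]*)"')
_POLICY_NONCE = re.compile(r"'nonce-([^']+)'")


def scripts_allowed(body: str, csp: str) -> list:
    # Simplified model of browser enforcement for a nonce-only script-src:
    # each <script> in document order executes only if its nonce attribute
    # equals the nonce declared in the policy. Unknown-attribute scripts
    # (the injected case) come out False.
    m = _POLICY_NONCE.search(csp)
    policy_nonce = m.group(1) if m else None
    verdicts = []
    for attrs in _SCRIPT_TAG.findall(body):
        n = _NONCE_ATTR.search(attrs)
        verdicts.append(policy_nonce is not None and n is not None and n.group(1) == policy_nonce)
    return verdicts


if __name__ == "__main__":
    hdrs, page = respond("console.log('app script')")
    # Simulated injection: attacker-controlled markup appended without a nonce.
    tampered = page + "<script>console.log('injected')</script>"
    print(hdrs["Content-Security-Policy"])
    print(scripts_allowed(tampered, hdrs["Content-Security-Policy"]))  # [True, False]
```

The point the example makes is that the policy never has to enumerate "good" script sources: the server proves authorship of each script by the nonce, and injected markup, reflected or stored, cannot carry a value it has never seen. Rotating the nonce per response is what keeps that proof from being replayed.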
Security headers at a glance
| Header | Importance |
|---|---|
| Strict-Transport-Security | Critical |
| Content-Security-Policy | Critical |
| X-Frame-Options | High |
| X-Content-Type-Options | High |
| Referrer-Policy | Medium |
| Permissions-Policy | Medium |
Frequently asked questions
What is an HTTP security header?
An HTTP security header is a key-value pair sent by your server in an HTTP response, before the page body. Headers like Content-Security-Policy and Strict-Transport-Security instruct the browser to enforce security rules — blocking inline scripts, forcing HTTPS, preventing clickjacking — without any JavaScript on your page.
Why is my CSP grade failing even though I have a Content-Security-Policy header?
A CSP containing 'unsafe-inline' or 'unsafe-eval' allows browsers to run arbitrary inline scripts, which defeats most of its XSS protection. Our checker flags these as 'WEAK'. To pass, remove unsafe-inline and use script nonces or hashes instead.
How do I add security headers on my server?
On Nginx: add header directives inside your server {} or location {} block. On Apache: use Header set directives in .htaccess or httpd.conf. On Vercel/Next.js: add a headers() function in next.config.ts. On Cloudflare: use Transform Rules or a Worker to inject headers on every response.
Does this tool check all headers or only security headers?
We focus on the 8 headers with direct security impact: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cache-Control. The 'View all raw headers' panel shows every header returned by the server.
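To make the weighted 0–100% score, the letter grade, the CSP "WEAK" rule, and the per-header fix directives concrete, here is an added example of a grader over a captured header set (not the tool's own scoring code). The weights (Critical 4, High 3, Medium 2, and Low 1 for the two headers absent from the table), the half credit for a WEAK CSP, the letter cutoffs, the Nginx `add_header` values and the sample headers are all constructed assumptions for illustration; the `fetch_headers` helper is only used when the script is run directly.

```python
import urllib.request
from typing import Dict

# Weight per header. Assumption: Critical=4, High=3, Medium=2; X-XSS-Protection
# and Cache-Control are not in the page's table and get Low=1 here.
WEIGHTS = {
    "strict-transport-security": 4,
    "content-security-policy": 4,
    "x-frame-options": 3,
    "x-content-type-options": 3,
    "referrer-policy": 2,
    "permissions-policy": 2,
    "x-xss-protection": 1,
    "cache-control": 1,
}

# Ready-to-paste Nginx directives for a missing header (constructed defaults;
# tune per site). 'always' also emits the header on error responses.
NGINX_FIX = {
    "strict-transport-security": 'add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;',
    "content-security-policy": "add_header Content-Security-Policy \"default-src 'self'; object-src 'none'; base-uri 'none'\" always;",
    "x-frame-options": 'add_header X-Frame-Options "DENY" always;',
    "x-content-type-options": 'add_header X-Content-Type-Options "nosniff" always;',
    "referrer-policy": 'add_header Referrer-Policy "strict-origin-when-cross-origin" always;',
    "permissions-policy": 'add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;',
    # "0" disables the legacy XSS auditor, which is current guidance; CSP replaces it.
    "x-xss-protection": 'add_header X-XSS-Protection "0" always;',
    "cache-control": 'add_header Cache-Control "no-store" always;',
}

CSP_WEAK_FIX = "Remove 'unsafe-inline' and 'unsafe-eval' from script-src and use script nonces or hashes instead."


def evaluate_csp(value: str) -> str:
    # A policy that permits arbitrary inline scripts or eval loses most of its
    # XSS protection, so it is flagged WEAK rather than counted as a pass.
    v = value.lower()
    return "WEAK" if "'unsafe-inline'" in v or "'unsafe-eval'" in v else "PASS"


def evaluate(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive on the wire; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    status = {}
    for name in WEIGHTS:
        if name not in h:
            status[name] = "FAIL"
        elif name == "content-security-policy":
            status[name] = evaluate_csp(h[name])
        else:
            status[name] = "PASS"
    return status


def score(status: Dict[str, str]) -> int:
    # Weighted percentage; WEAK earns half credit (assumption).
    credit = {"PASS": 1.0, "WEAK": 0.5, "FAIL": 0.0}
    earned = sum(WEIGHTS[n] * credit[s] for n, s in status.items())
    return round(100 * earned / sum(WEIGHTS.values()))


def letter(pct: int) -> str:
    # Assumed cutoffs for the A+ ... F scale.
    for cutoff, grade in ((95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D")):
        if pct >= cutoff:
            return grade
    return "F"


def report(headers: Dict[str, str]) -> dict:
    status = evaluate(headers)
    pct = score(status)
    fixes = []
    for name, s in status.items():
        if s == "FAIL":
            fixes.append((name, NGINX_FIX[name]))
        elif s == "WEAK":
            fixes.append((name, CSP_WEAK_FIX))
    return {"score": pct, "grade": letter(pct), "status": status, "fixes": fixes}


def fetch_headers(url: str) -> Dict[str, str]:
    # Mirrors the tool's approach: a single HEAD request, headers only, no body.
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample response, as a HEAD request to a partly hardened site might return.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    r = report(SAMPLE_HEADERS)
    print(r["score"], r["grade"])  # 55 C
    for name, fix in r["fixes"]:
        print(f"{name}: {fix}")
```

With the constructed sample the site earns 11 of 20 weighted points: HSTS, nosniff and Referrer-Policy pass, the CSP is present but WEAK because of `'unsafe-inline'`, and four headers are missing, which lands at 55% and a C. The fix list is what a practitioner would paste into the `server {}` block; the CSP line is advice rather than a directive because the header exists and only its value needs tightening.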
Is my URL stored or logged?
No. We send a HEAD request to your URL and return the headers to your browser. The URL is not persisted in any database. You can verify this by watching the Network panel in your browser DevTools.