alexi.sh
Todos os artigosSegurança do navegadorPrivacidade de redeFerramentas de privacidadeModelagem de ameaçasProgramação com IAFerramentas de dev

Free Online Tool

Verificador de cabeçalhos de segurança HTTP

Cole qualquer URL pública e obtenha uma classificação de segurança instantânea. Analisamos 8 cabeçalhos de resposta críticos que protegem contra XSS, clickjacking, SSL stripping e MIME sniffing - com diretivas de servidor prontas a usar para cada cabeçalho em falta ou mal configurado.

Works with any public URL - we send a HEAD request server-side and analyze the response headers.

8 security headers

Checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.

Instant grading

Score from 0–100% with a letter grade (A+…F) weighted by header importance.

Fix guidance included

Every failing header includes an explanation and a ready-to-paste server directive.

Porque importam os cabeçalhos de segurança HTTP

Os cabeçalhos de segurança HTTP são diretivas do lado do servidor enviadas em cada resposta que indicam ao navegador como se comportar com o seu conteúdo. Content-Security-Policy bloqueia a injeção de scripts inline; Strict-Transport-Security previne o SSL stripping; X-Frame-Options trava o clickjacking; X-Content-Type-Options previne ataques de confusão MIME. Os cabeçalhos mal configurados ou ausentes são um dos problemas mais comuns nas auditorias de segurança web.

The most impactful header for modern web apps is Content-Security-Policy. A properly configured CSP with script nonces removes the entire class of reflected and stored XSS vulnerabilities - regardless of whether your application has a bug. Combined with Strict-Transport-Security (which permanently upgrades all connections to HTTPS), these two headers alone eliminate a significant portion of the OWASP Top 10.

Server configuration snippets for Nginx, Apache, and Vercel/Next.js are shown inline for every failing header. For a deeper treatment of how CSP nonces work and how to deploy them without breaking your site, see our full guide on browser security fundamentals.

Security headers at a glance

HeaderImportance
Strict-Transport-SecurityCritical
Content-Security-PolicyCritical
X-Frame-OptionsHigh
X-Content-Type-OptionsHigh
Referrer-PolicyMedium
Permissions-PolicyMedium

Frequently asked questions

What is an HTTP security header?

An HTTP security header is a key-value pair sent by your server in an HTTP response, before the page body. Headers like Content-Security-Policy and Strict-Transport-Security instruct the browser to enforce security rules - blocking inline scripts, forcing HTTPS, preventing clickjacking - without any JavaScript on your page.

Why is my CSP grade failing even though I have a Content-Security-Policy header?

A CSP containing 'unsafe-inline' or 'unsafe-eval' allows browsers to run arbitrary inline scripts, which defeats most of its XSS protection. Our checker flags these as 'WEAK'. To pass, remove unsafe-inline and use script nonces or hashes instead.

How do I add security headers on my server?

On Nginx: add header directives inside your server {} or location {} block. On Apache: use Header set directives in .htaccess or httpd.conf. On Vercel/Next.js: add a headers() function in next.config.ts. On Cloudflare: use Transform Rules or a Worker to inject headers on every response.

Does this tool check all headers or only security headers?

We focus on the 8 headers with direct security impact: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cache-Control. The 'View all raw headers' panel shows every header returned by the server.

Is my URL stored or logged?

No. We send a HEAD request to your URL and return the headers to your browser. The URL is not persisted in any database. You can verify this by watching the Network panel in your browser DevTools.