Free Online Tool
HTTP Security Headers Checker
Paste any public URL and get an instant security grade. We analyze 8 critical response headers that protect against XSS, clickjacking, SSL stripping, and MIME sniffing — plus ready-to-paste server directives for every missing or misconfigured header.
Works with any public URL — we send a HEAD request server-side and analyze the response headers.
8 security headers
Checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.
Instant grading
Score from 0–100% with a letter grade (A+…F) weighted by header importance.
Fix guidance included
Every failing header includes an explanation and a ready-to-paste server directive.
Why HTTP security headers matter
HTTP security headers are server-side directives sent in every response that instruct the browser how to behave when handling your content. They're your first line of defense against a wide class of attacks: Content-Security-Policy blocks inline script injection; Strict-Transport-Security prevents SSL stripping; X-Frame-Options stops clickjacking; X-Content-Type-Options prevents MIME confusion attacks. Misconfigured or absent headers are one of the most common issues found in web security audits — and also one of the easiest to fix.
The most impactful header for modern web apps is Content-Security-Policy. A properly configured CSP with script nonces removes the entire class of reflected and stored XSS vulnerabilities — even when your application itself has an injection bug. Combined with Strict-Transport-Security (which permanently upgrades all connections to HTTPS), these two headers alone eliminate a significant portion of the OWASP Top 10.
Server configuration snippets for Nginx, Apache, and Vercel/Next.js are shown inline for every failing header. For a deeper treatment of how CSP nonces work and how to deploy them without breaking your site, see our full guide on browser security fundamentals.
Security headers at a glance
| Header | Importance |
|---|---|
| Strict-Transport-Security | Critical |
| Content-Security-Policy | Critical |
| X-Frame-Options | High |
| X-Content-Type-Options | High |
| Referrer-Policy | Medium |
| Permissions-Policy | Medium |
Frequently asked questions
What is an HTTP security header?
An HTTP security header is a key-value pair sent by your server in an HTTP response, before the page body. Headers like Content-Security-Policy and Strict-Transport-Security instruct the browser to enforce security rules — blocking inline scripts, forcing HTTPS, preventing clickjacking — without any JavaScript on your page.
Why is my CSP grade failing even though I have a Content-Security-Policy header?
A CSP containing 'unsafe-inline' or 'unsafe-eval' allows browsers to run arbitrary inline scripts, which defeats most of its XSS protection. Our checker flags these as 'WEAK'. To pass, remove unsafe-inline and use script nonces or hashes instead.
How do I add security headers on my server?
On Nginx: use add_header directives inside your server {} or location {} block. On Apache: use Header set directives in .htaccess or httpd.conf. On Vercel/Next.js: add a headers() function in next.config.ts. On Cloudflare: use Transform Rules or a Worker to inject headers on every response.
Does this tool check all headers or only security headers?
We focus on the 8 headers with direct security impact: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cache-Control. The 'View all raw headers' panel shows every header returned by the server.
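As an added example (not the tool's own code), here is a small checker in the spirit of the grading described above and in the CSP answer: it flags a CSP containing 'unsafe-inline' or 'unsafe-eval' as WEAK, treats a missing header as zero credit, and weights the eight headers by importance. The weights, the WEAK rules for the other headers, and the grade thresholds are assumptions for this example, not the tool's exact scoring.

```javascript
// Header checks: [name, weight, rule]; rule(value) returns 'PASS' or 'WEAK'.
// Weights, WEAK rules and grade thresholds are assumptions for this example, not the tool's own scoring.
const CHECKS = [
  ['strict-transport-security', 20, v => {
    const m = /max-age=(\d+)/i.exec(v);          // one year is the usual minimum
    return m && Number(m[1]) >= 31536000 ? 'PASS' : 'WEAK';
  }],
  // The page's rule: 'unsafe-inline' or 'unsafe-eval' defeats most of CSP's XSS protection.
  ['content-security-policy', 20, v => /'unsafe-(inline|eval)'/i.test(v) ? 'WEAK' : 'PASS'],
  ['x-frame-options', 15, v => /^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? 'PASS' : 'WEAK'],
  ['x-content-type-options', 15, v => /^nosniff$/i.test(v.trim()) ? 'PASS' : 'WEAK'],
  ['referrer-policy', 10, v => /unsafe-url/i.test(v) ? 'WEAK' : 'PASS'],
  ['permissions-policy', 10, () => 'PASS'],    // presence is enough in this example
  ['x-xss-protection', 5, () => 'PASS'],
  ['cache-control', 5, () => 'PASS'],
];
const GRADES = [[95, 'A+'], [85, 'A'], [70, 'B'], [55, 'C'], [40, 'D'], [0, 'F']];
const letterGrade = score => GRADES.find(([min]) => score >= min)[1];

// Returns { score, grade, results }; results maps header -> PASS | WEAK | MISSING.
// WEAK earns half the header's weight, MISSING earns nothing.
function gradeHeaders(rawHeaders) {
  // Lower-case header names so lookups match whatever casing the server used.
  const headers = Object.fromEntries(
    Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const results = {};
  let earned = 0, total = 0;
  for (const [name, weight, rule] of CHECKS) {
    total += weight;
    const status = name in headers ? rule(headers[name]) : 'MISSING';
    results[name] = status;
    earned += status === 'PASS' ? weight : status === 'WEAK' ? weight / 2 : 0;
  }
  const score = Math.round((earned / total) * 100);
  return { score, grade: letterGrade(score), results };
}

// Constructed sample response (not captured from any real site): CSP present but weak.
const SAMPLE = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Cache-Control': 'no-store',
};
console.log(gradeHeaders(SAMPLE));
```

Swapping the 'unsafe-inline' CSP for a nonce-based one and adding X-Frame-Options: DENY lifts the same sample from a C to an A, which is the fix the CSP answer above describes.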
Is my URL stored or logged?
No. We send a HEAD request to your URL and return the headers to your browser. The URL is not persisted in any database. You can verify this by watching the Network panel in your browser DevTools.