Security Headers Checker
Check if website implements essential security headers like CSP, HSTS, X-Frame-Options.
💡 Why Security Headers Matter
- OWASP Recommended: Security headers are part of OWASP security best practices
- Lighthouse Score: Google Lighthouse checks for security headers in audits
- Protection: Prevent XSS, clickjacking, MIME sniffing, and other attacks
- Compliance: Required for PCI-DSS, HIPAA, and other security standards
- SEO Impact: Google considers security as a ranking factor
Free Security Headers Checker - Test Website Security Headers Online
Our free Security Headers Checker analyzes your website's HTTP security headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Get instant graded scores, detailed analysis, and implementation code for Apache and Nginx. Essential for OWASP compliance, Google Lighthouse audits, and protecting against XSS, clickjacking, and data injection attacks.
What is a Security Headers Checker?
A Security Headers Checker is a diagnostic tool that analyzes HTTP response headers from your website to verify implementation of critical security headers that protect against common web vulnerabilities. Our security headers checker tests six essential headers: Content-Security-Policy (CSP) to prevent XSS and data injection attacks, Strict-Transport-Security (HSTS) to enforce HTTPS connections, X-Frame-Options to prevent clickjacking, X-Content-Type-Options to prevent MIME sniffing, Referrer-Policy to control referrer information leakage, and Permissions-Policy to control browser features.

The tool provides graded scores (A+ to F), detailed analysis of each header with pass/fail status, header values when present, implementation code for Apache and Nginx servers, and specific recommendations for missing headers.

Security headers matter to web developers implementing security best practices, security engineers conducting vulnerability assessments, DevOps teams configuring web servers, compliance officers ensuring OWASP and PCI-DSS requirements, SEO professionals optimizing for Google Lighthouse security audits, and website owners protecting visitors from attacks. Modern web security requires proper HTTP headers because browsers rely on these headers to enable security features, they provide defense-in-depth protection layers, they are required for compliance with security standards, Google considers security a ranking factor, and they protect against OWASP Top 10 vulnerabilities.
Security Headers We Check
Our comprehensive checker analyzes all six critical security headers recommended by OWASP and security experts.
- Content-Security-Policy (CSP): The most important security header. It prevents cross-site scripting (XSS) by controlling which resources (scripts, styles, images) may be loaded, and so blocks data injection and unauthorized code execution. The recommended value starts with default-src 'self', which allows only same-origin resources. Worth 20 points in our scoring system.
- Strict-Transport-Security (HSTS): Forces browsers to always use HTTPS for your domain, which prevents SSL stripping, man-in-the-middle and protocol downgrade attacks. Recommended value: max-age=31536000; includeSubDomains (one year of enforcement). Worth 20 points; critical for any site handling sensitive data.
- X-Frame-Options: Prevents clickjacking attacks, where your site is embedded in a malicious iframe and users are tricked into clicking hidden elements. Three values are defined: DENY (never allow framing), SAMEORIGIN (only allow framing from the same origin) and ALLOW-FROM uri (allow a specific origin); note that current browsers no longer honour ALLOW-FROM and use the CSP frame-ancestors directive for that purpose. Recommended value: SAMEORIGIN for most sites. Worth 15 points.
- X-Content-Type-Options: Prevents MIME type sniffing, where browsers try to guess content types and may interpret a file as a different type than declared (for example executing a text file as a script). The single valid value is nosniff. Worth 15 points; simple but important protection.
- Referrer-Policy: Controls how much referrer information is sent with requests to other sites, preventing leakage of your URLs and user navigation paths. Recommended value: strict-origin-when-cross-origin (sends only the origin on cross-origin requests), which protects user privacy while keeping analytics working. Worth 15 points.
- Permissions-Policy: Controls which browser features and APIs your site may use (formerly known as Feature-Policy), restricting access to the camera, microphone, geolocation and payment APIs so malicious scripts cannot reach sensitive features. Example value: geolocation=(), microphone=(), camera=() blocks all three. Worth 15 points.
How to Use the Security Headers Checker
Testing your website's security headers is instant and provides actionable insights for improvement.
- Enter your website URL in the input field - include https:// or just the domain (we'll add it), works with any public website you want to check, can check your own sites or analyze competitors
- Click 'Check Security Headers' button - tool fetches HTTP headers from the URL, analyzes presence and values of all six security headers, calculates security score and grade based on findings
- Review your security grade (A+ to F) - A+ or A means excellent security with all headers present, B or C indicates good security but missing some headers, D or F means poor security requiring immediate attention
- Check statistics dashboard - see how many headers are present vs missing, view your protection level percentage, understand overall security posture at a glance
- Analyze individual header results - each header shows pass/fail status with green checkmark or red X, displays actual header value if present, explains what the header protects against, shows points earned (0-20 per header)
- Read implementation recommendations - for missing headers, we provide ready-to-use configuration code, separate code blocks for Apache (.htaccess) and Nginx (nginx.conf), copy and paste directly into your server configuration
- Download or copy full report - generate text report with all findings, includes URL, grade, score, and all header statuses, save for compliance documentation or team sharing
Understanding the Scoring System
Our grading system provides clear assessment of your website's security posture based on industry standards.
- Total Possible Score: 100 points divided across 6 headers, Content-Security-Policy and HSTS worth 20 points each (most critical), other four headers worth 15 points each
- Grade A+ (90-100 points): Excellent security with all or nearly all headers properly implemented, indicates security-conscious development, meets or exceeds industry standards, ready for security audits
- Grade A (80-89 points): Very good security with most critical headers present, minor improvements possible, still provides strong protection, acceptable for most production sites
- Grade B (70-79 points): Good security but missing 1-2 important headers, adequate protection but room for improvement, should address missing headers soon, acceptable for non-sensitive sites
- Grade C (60-69 points): Fair security with several headers missing, leaves site vulnerable to some attacks, requires attention to improve security, not recommended for production
- Grade D (50-59 points): Poor security with most headers missing, significant security gaps present, immediate action required, unacceptable for any public website
- Grade F (0-49 points): Failing security with few or no headers implemented, extremely vulnerable to attacks, critical security risk, must implement headers before going live
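As an added worked example (not the tool's own code), here is a small Python scorer that applies this page's point scheme and grade thresholds to a response's headers. The per-header value checks (a default-src directive in the CSP, an HSTS max-age of at least one year, DENY or SAMEORIGIN for X-Frame-Options, nosniff, and any non-empty Referrer-Policy or Permissions-Policy) are this example's own assumptions drawn from the recommendations above, and the sample headers are constructed.

```python
import re

# Point values follow the page's scheme (CSP and HSTS 20 each, the rest 15).
# The value predicates are this example's own interpretation of the page's
# recommended values, not the tool's actual rules.
CHECKS = [
    ("Content-Security-Policy", 20, lambda v: "default-src" in v),
    ("Strict-Transport-Security", 20, lambda v: hsts_max_age(v) >= 31536000),
    ("X-Frame-Options", 15, lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    ("X-Content-Type-Options", 15, lambda v: v.strip().lower() == "nosniff"),
    ("Referrer-Policy", 15, lambda v: bool(v.strip())),
    ("Permissions-Policy", 15, lambda v: bool(v.strip())),
]
GRADES = [(90, "A+"), (80, "A"), (70, "B"), (60, "C"), (50, "D"), (0, "F")]


def hsts_max_age(value):
    """max-age directive of an HSTS value as an int, or 0 if absent/invalid."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def score_headers(headers):
    """headers: {name: value} of an HTTP response (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    results, score = {}, 0
    for name, points, ok in CHECKS:
        value = lower.get(name.lower())
        earned = points if value is not None and ok(value) else 0
        results[name] = {"present": value is not None, "value": value, "points": earned}
        score += earned
    grade = next(g for threshold, g in GRADES if score >= threshold)
    return score, grade, results


# Constructed sample response (not captured from any real site): four of the
# six headers are set, CSP and Permissions-Policy are missing.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    total, letter, detail = score_headers(SAMPLE_HEADERS)
    print(f"score={total} grade={letter}")  # score=65 grade=C
    for name, r in detail.items():
        print(f"{'PASS' if r['points'] else 'FAIL'} {name}: {r['value']!r}")
```

To score a live site, feed the function the header dict from your HTTP client's response; the sample shows why a site that sets four headers still lands at grade C under this scheme.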
How to Implement Security Headers
Adding security headers is straightforward and can be done at web server level or application level.
- Apache Implementation (.htaccess or httpd.conf): Add headers using mod_headers module which is usually enabled by default, place code in .htaccess file in website root for immediate effect, or add to Apache config file for server-wide implementation, restart Apache after config file changes (not needed for .htaccess), example: Header set X-Frame-Options SAMEORIGIN
- Nginx Implementation (nginx.conf or site config): Use add_header directive in server block, edit your site's configuration file in /etc/nginx/sites-available/, add headers inside server { } block, reload Nginx after changes with: sudo nginx -s reload, example: add_header X-Frame-Options SAMEORIGIN;
- Cloudflare Implementation: Log into the Cloudflare dashboard and go to Transform Rules, create a new HTTP Response Header Modification rule, set the header name and value for each security header, applies to all requests through Cloudflare, easiest option if using the Cloudflare CDN
- Application-Level Implementation: Add headers in application code if you don't have server access, PHP: header('X-Frame-Options: SAMEORIGIN'); before any output, Node.js Express: response.setHeader('X-Frame-Options', 'SAMEORIGIN'), Python Flask: response.headers['X-Frame-Options'] = 'SAMEORIGIN', works but server-level is more efficient
- Content Management Systems: WordPress: Use security plugins like Really Simple SSL or Wordfence, or add code to .htaccess file in WordPress root, Drupal: Use Secure Site module or configure in .htaccess, Joomla: Edit .htaccess or use security extensions like AdminTools
- Testing After Implementation: Wait 5-10 minutes for configuration changes to take effect, clear browser cache to ensure you're not seeing cached headers, run our checker again to verify all headers are present, test from multiple locations to confirm global deployment
Pro Tip
Start with the X-Content-Type-Options and X-Frame-Options headers: they are the simplest to implement, take a single value, and provide immediate protection with zero compatibility issues across all browsers. Then add Strict-Transport-Security if your site already uses HTTPS everywhere; this is critical for any site handling logins or sensitive data.

Content-Security-Policy is the most complex and most powerful header and requires careful configuration to avoid breaking your site's functionality. Start with a permissive policy like default-src 'self' 'unsafe-inline' 'unsafe-eval' and gradually tighten it while testing thoroughly. Use the browser developer console to check for CSP violations while implementing (the Console tab shows CSP errors with specifics on what was blocked). During initial deployment, ship the policy in the Content-Security-Policy-Report-Only header with a report-uri or report-to directive: violations are reported but nothing is blocked, so you can refine the policy before switching to the enforcing Content-Security-Policy header.

For Referrer-Policy, strict-origin-when-cross-origin is the best balance between privacy and functionality, maintaining analytics while protecting sensitive URL parameters. Permissions-Policy should block features your site doesn't use; if you don't use the camera, microphone, or geolocation, explicitly block them all with geolocation=(), microphone=(), camera=().

Test headers in a staging environment before deploying to production to catch any breaking changes. Some headers have long-term consequences: an HSTS max-age of one year means you are committing to HTTPS for that period, so test thoroughly before setting long max-age values. Remember that security headers are defense-in-depth measures; they complement but do not replace other security practices like input validation, output encoding, and secure authentication. Run our checker regularly (monthly is recommended) to ensure headers remain properly configured after site updates or server changes.

Document your security header configuration and the rationale behind it for your team so future updates don't accidentally remove critical protections. For compliance requirements, save security header reports as evidence of proper security implementation for audits.