
Security Headers Checker

Scan any URL for missing HTTP security headers and get an instant A–F grade. See exactly which headers are set, which are missing and what each one protects against.


Free · No credit card · 50 credits/day

The 7 headers we check

Five required (affect grade), two optional but recommended.

Strict-Transport-Security (Required)
Protects against: protocol downgrade / SSL stripping

Tells browsers to only connect via HTTPS for a specified period. Prevents man-in-the-middle attacks that downgrade HTTPS to HTTP.

Example: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (Required)
Protects against: XSS, data injection

Defines which sources of scripts, styles, images and other resources the browser is allowed to load. A strict CSP is the most effective XSS mitigation available.

Example: default-src 'self'; script-src 'self' 'nonce-{random}'

X-Frame-Options (Required)
Protects against: clickjacking

Prevents your page from being embedded in an iframe on another domain. Stops clickjacking attacks where a hidden frame overlays a legitimate page.

Example: DENY or SAMEORIGIN

X-Content-Type-Options (Required)
Protects against: MIME sniffing

Prevents browsers from guessing the content type of a response. Without it, a browser might execute a text file as JavaScript.

Example: nosniff

Referrer-Policy (Required)
Protects against: information leakage

Controls how much referrer information is sent with requests. Prevents leaking sensitive URL parameters (tokens, user IDs) to third-party sites.

Example: strict-origin-when-cross-origin

Permissions-Policy (Optional)
Protects against: feature abuse

Controls access to browser APIs — camera, microphone, geolocation, payment — per origin. Limits what third-party scripts can do even if injected.

Example: camera=(), microphone=(), geolocation=()

X-XSS-Protection (Optional)
Protects against: reflected XSS (legacy)

Activates the built-in XSS filter in older browsers. Deprecated in modern browsers — CSP supersedes it — but still useful for IE/legacy browser compatibility.

Example: 1; mode=block

How the grade is calculated

Based on the five required headers only — optional headers don't affect the grade.

A: 5 of 5 required headers present
B: 4 of 5 (80%+)
C: 3 of 5 (60%+)
D: 2 of 5 (40%+)
F: fewer than 2 required headers
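As an added example (not the tool's own code), here is a Python function that applies the grading scheme described above to a response's headers. The sample response headers are constructed, and treating a header that is present but empty as missing is an assumption of this example.

```python
# Added example (not the tool's own code): grade a response's security headers
# using the scheme on this page: five required headers determine the grade,
# the two optional headers are reported but do not affect it.
from typing import Dict, List, Tuple

REQUIRED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
]
OPTIONAL = ["Permissions-Policy", "X-XSS-Protection"]

# Number of required headers present -> letter grade; anything lower is F.
GRADES = {5: "A", 4: "B", 3: "C", 2: "D"}


def grade_headers(headers: Dict[str, str]) -> Tuple[str, List[str], List[str]]:
    """Return (grade, missing_required, missing_optional).

    HTTP header names are case-insensitive, so a server that emits
    'content-security-policy' must count the same as 'Content-Security-Policy'.
    A header that is present with an empty value is treated as missing
    (assumption of this example).
    """
    present = {name.lower() for name, value in headers.items() if value.strip()}
    missing_required = [h for h in REQUIRED if h.lower() not in present]
    missing_optional = [h for h in OPTIONAL if h.lower() not in present]
    count = len(REQUIRED) - len(missing_required)
    grade = GRADES.get(count, "F")  # fewer than 2 required headers -> F
    return grade, missing_required, missing_optional


# Constructed sample response headers, lower-cased as many servers send them.
# X-Frame-Options is deliberately absent, so 4 of 5 required -> grade B.
SAMPLE_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    grade, missing_req, missing_opt = grade_headers(SAMPLE_HEADERS)
    print(f"Grade: {grade}")
    print("Missing required:", ", ".join(missing_req) or "none")
    print("Missing optional:", ", ".join(missing_opt) or "none")
```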

Frequently asked questions

What are HTTP security headers?

HTTP security headers are response headers that instruct the browser how to behave when handling your site's content. They defend against XSS, clickjacking, MIME-sniffing and protocol downgrade attacks — without changing your application code, just your server configuration.

What grade should my site get?

Aim for an A — all five required headers present: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and Referrer-Policy. Most production sites score C or D because CSP is the hardest to configure correctly.

Which security header is the hardest to implement?

Content-Security-Policy (CSP) is the most powerful but also the most complex. A strict CSP blocks inline scripts and limits resource domains, requiring you to audit every script, style and image on your site. Start with report-only mode to collect violations before enforcing.

Does adding security headers affect performance?

No. Security headers are tiny strings in HTTP responses with no measurable performance impact. They are one of the cheapest security improvements you can make.

Related security tools

More tools to audit your site's security posture.

SSL Certificate Checker

Check certificate expiry, issuer and SANs for any domain.

DNS Lookup

Query A, AAAA, MX, TXT, CNAME, NS and SOA records for any domain.

CORS Tester

Check whether a URL returns correct CORS headers for cross-origin requests.

Scan your site now

Free account. 50 credits per day. Access to 75+ tools instantly.
