🛡️ Security Headers Checker
Check HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy and more — get a clear grade and fix recommendations. Free, unlimited.
📚 What Are HTTP Security Headers?
HTTP security headers are response headers a server sends that instruct the browser to enforce defensive behavior: restricting which scripts are allowed to run, blocking your page from being embedded in another site's iframe, forcing HTTPS-only connections, and limiting what data leaks to other origins. Most of them cost nothing to add and require no code changes beyond server or CDN configuration, which makes them one of the highest-leverage security wins available. The exception is a strict Content-Security-Policy, which usually needs application changes too (moving inline scripts into files or tagging them with nonces) before it can be enforced without breaking the site.
⚙️ How This Checker Works
The same-origin policy stops JavaScript running on one site from reading the response headers returned by another site. Even a cross-origin fetch that succeeds exposes only a handful of safelisted headers unless the target site opts in with Access-Control-Expose-Headers, and almost no site does. So this tool performs the GET request through a small server-side proxy, reads the real response headers there, and returns them to your browser as JSON. It reports exactly what the server returns for a plain GET of the URL you enter; headers set only on other paths are not seen. This is the standard approach used by security-header scanners.
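The following is an added example of the server-side half described above, written here to illustrate the design; it is not the page's own worker code. It is a Worker-style handler that validates the target URL, fetches it with a plain GET, and returns the headers of interest as JSON. The header list, the blocked hostnames and address ranges, the `handleRequest`/`validateTarget`/`buildReport` names and the `fetchImpl` parameter are all assumptions made for this example. The validation step matters because a proxy that fetches arbitrary URLs is otherwise an SSRF primitive against the operator's own network.

```javascript
// Added example, not the page's worker. Assumed names: HEADERS_OF_INTEREST,
// validateTarget, buildReport, handleRequest, fetchImpl.
const HEADERS_OF_INTEREST = [
  'strict-transport-security', 'content-security-policy', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy',
  'cross-origin-opener-policy', 'cross-origin-resource-policy',
];

// True for "this network", loopback, link-local and RFC 1918 IPv4 addresses.
// The WHATWG URL parser already canonicalises forms like http://2130706433/ and
// http://0x7f.1/ into dotted-quad form, so matching url.hostname is sufficient.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Accept only absolute http(s) URLs to public-looking hosts (assumed policy).
// Note: this checks the literal hostname only; a public name that resolves to
// an internal address (DNS rebinding) needs a resolve-then-check step or an
// egress-isolated network, which is out of scope here.
function validateTarget(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'not a valid absolute URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'only http and https are allowed' };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL are not allowed' };
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost') || host.endsWith('.internal') || host.endsWith('.local')) {
    return { ok: false, reason: 'internal hostname' };
  }
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literals are not allowed' }; // conservative choice
  if (isPrivateIPv4(host)) return { ok: false, reason: 'private or loopback address' };
  url.hash = ''; // fragments are never sent to the server
  return { ok: true, url: url.toString() };
}

// Turn a fetched response into the JSON the browser-side UI consumes.
// Absent headers are reported as null so the client can tell "missing" from "".
function buildReport(target, response) {
  const headers = {};
  for (const name of HEADERS_OF_INTEREST) headers[name] = response.headers.get(name);
  const report = { url: target, status: response.status, headers };
  // Redirects are reported, not followed: following them server-side would let a
  // public URL bounce the proxy to an internal one, bypassing validateTarget.
  if (response.status >= 300 && response.status < 400) {
    report.redirectsTo = response.headers.get('location');
  }
  return report;
}

// Worker-style entry point: GET /?url=https://example.com -> JSON report.
// fetchImpl is injectable so the handler can be exercised without network access.
async function handleRequest(request, fetchImpl = globalThis.fetch) {
  const raw = new URL(request.url).searchParams.get('url') || '';
  const check = validateTarget(raw);
  if (!check.ok) {
    return new Response(JSON.stringify({ error: check.reason }),
      { status: 400, headers: { 'content-type': 'application/json' } });
  }
  const upstream = await fetchImpl(check.url, {
    method: 'GET',
    redirect: 'manual', // see buildReport
    headers: { 'user-agent': 'security-headers-checker/1.0 (example)' },
  });
  return new Response(JSON.stringify(buildReport(check.url, upstream)),
    { headers: { 'content-type': 'application/json' } });
}

// Constructed sample response (not captured from a real site) showing the report shape.
const sampleResponse = {
  status: 200,
  headers: {
    get: (n) => ({
      'strict-transport-security': 'max-age=31536000; includeSubDomains',
      'x-content-type-options': 'nosniff',
    })[n.toLowerCase()] ?? null,
  },
};
console.log(JSON.stringify(buildReport('https://example.com/', sampleResponse), null, 2));
```

The two decisions worth copying are the URL validation and `redirect: 'manual'`: without the first, the checker can be pointed at `http://127.0.0.1/` or a cloud metadata address; without the second, a public URL can redirect the proxy there after validation has passed.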
📋 Headers Checked
| Header | What It Does |
|---|---|
| Strict-Transport-Security | Tells the browser to use HTTPS only for the given max-age (HSTS), blocking protocol-downgrade and SSL-stripping attacks |
| Content-Security-Policy | Allow-lists sources for scripts, styles, images and other content; the strongest browser-side mitigation for XSS |
| X-Frame-Options | Blocks clickjacking by controlling whether the page may be framed (the CSP frame-ancestors directive is the modern equivalent) |
| X-Content-Type-Options | Stops MIME-sniffing attacks; the only valid value is nosniff |
| Referrer-Policy | Controls how much of the URL leaks to other sites via the Referer header |
| Permissions-Policy | Restricts browser features such as camera, microphone and geolocation |
| Cross-Origin-Opener-Policy | Isolates your browsing context group from cross-origin windows (severs window.opener links) |
| Cross-Origin-Resource-Policy | Controls which origins may load your resources in no-cors requests |
🏆 How the Grade Is Calculated
Each present, correctly configured header adds points; missing or weak configurations subtract points. HSTS, CSP, and a framing defense carry the most weight since they block the highest-impact attack classes (downgrade, XSS, clickjacking). The scale runs A+ down to F, mirroring the scoring philosophy used by well-known header-scanning services.
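As an added illustration of the kind of scoring described above (this is example code, not the page's actual formula), the function below takes the headers of one response, checks each one for presence and for the common weak values, and maps the total to a letter grade. The weights, the 180-day HSTS threshold, the grade cut-offs and the `gradeHeaders`/`parseCsp` names are assumptions; the two header sets at the bottom are constructed, not captured from any site. It goes slightly beyond the table above by reading CSP properly: the effective script source list falls back to default-src, and 'unsafe-inline' is not counted as weak when a nonce or hash is also present, because browsers that understand nonces ignore it in that case.

```javascript
// Added example, not the page's scoring code. Weights and thresholds are illustrative.
const MIN_HSTS_AGE = 15552000; // 180 days, assumed threshold
const STRONG_REFERRER = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Parse a CSP string into { directiveName: [lower-cased source tokens] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

function letterGrade(score) {
  if (score >= 95) return 'A+';
  if (score >= 85) return 'A';
  if (score >= 70) return 'B';
  if (score >= 55) return 'C';
  if (score >= 40) return 'D';
  return 'F';
}

// rawHeaders: { 'Header-Name': 'value' }. Returns { score, grade, checks }.
function gradeHeaders(rawHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    if (value != null) h[name.toLowerCase()] = String(value).trim();
  }
  const checks = [];
  const add = (name, points, max, note) => checks.push({ name, points, max, note });

  // HSTS (20): needs a long enough max-age; includeSubDomains earns the last points.
  const hsts = h['strict-transport-security'];
  if (!hsts) add('Strict-Transport-Security', 0, 20, 'missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const age = m ? Number(m[1]) : 0;
    if (age < MIN_HSTS_AGE) add('Strict-Transport-Security', 5, 20, `max-age too short (${age})`);
    else if (!/includesubdomains/i.test(hsts)) add('Strict-Transport-Security', 15, 20, 'no includeSubDomains');
    else add('Strict-Transport-Security', 20, 20, 'ok');
  }

  // CSP (25): script sources must not be a wildcard, 'unsafe-eval', or an
  // effective 'unsafe-inline' (one not neutralised by a nonce or hash).
  const csp = h['content-security-policy'];
  let frameAncestors = null;
  if (!csp) add('Content-Security-Policy', 0, 25, 'missing');
  else {
    const d = parseCsp(csp);
    frameAncestors = d['frame-ancestors'] || null;
    const scripts = d['script-src'] || d['default-src'] || null; // spec fallback
    const weak = [];
    if (!scripts) weak.push('no script-src or default-src');
    else {
      const hasNonceOrHash = scripts.some((t) => t.startsWith("'nonce-") || t.startsWith("'sha"));
      if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) weak.push("'unsafe-inline'");
      if (scripts.includes("'unsafe-eval'")) weak.push("'unsafe-eval'");
      if (scripts.includes('*')) weak.push('wildcard source');
    }
    add('Content-Security-Policy', weak.length ? 8 : 25, 25, weak.length ? `weak: ${weak.join(', ')}` : 'ok');
  }

  // Framing (15): frame-ancestors or a valid X-Frame-Options. ALLOW-FROM is obsolete.
  const xfo = h['x-frame-options'];
  if (frameAncestors && !frameAncestors.includes('*')) add('Framing', 15, 15, 'ok (frame-ancestors)');
  else if (xfo && /^(deny|sameorigin)$/i.test(xfo)) add('Framing', 15, 15, 'ok (X-Frame-Options)');
  else add('Framing', 0, 15, xfo ? `unsupported X-Frame-Options value: ${xfo}` : 'missing');

  // X-Content-Type-Options (10): only "nosniff" counts.
  const xcto = h['x-content-type-options'];
  add('X-Content-Type-Options', xcto && xcto.toLowerCase() === 'nosniff' ? 10 : 0, 10, xcto ? xcto : 'missing');

  // Referrer-Policy (10): comma-separated fallback list, last token wins.
  const rp = h['referrer-policy'];
  if (!rp) add('Referrer-Policy', 0, 10, 'missing');
  else {
    const last = rp.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean).pop();
    add('Referrer-Policy', STRONG_REFERRER.has(last) ? 10 : 3, 10, last);
  }

  // Permissions-Policy (10): any explicit policy earns the points.
  add('Permissions-Policy', h['permissions-policy'] ? 10 : 0, 10, h['permissions-policy'] ? 'ok' : 'missing');

  // COOP (5) and CORP (5).
  const coop = (h['cross-origin-opener-policy'] || '').toLowerCase();
  add('Cross-Origin-Opener-Policy', coop === 'same-origin' ? 5 : coop === 'same-origin-allow-popups' ? 3 : 0, 5, coop || 'missing');
  const corp = (h['cross-origin-resource-policy'] || '').toLowerCase();
  add('Cross-Origin-Resource-Policy', corp === 'same-origin' || corp === 'same-site' ? 5 : corp === 'cross-origin' ? 2 : 0, 5, corp || 'missing');

  const score = checks.reduce((sum, c) => sum + c.points, 0);
  return { score, grade: letterGrade(score), checks };
}

// Constructed header sets: a weak configuration beside a hardened one.
const WEAK = {
  'Content-Security-Policy': "default-src * 'unsafe-inline' 'unsafe-eval'",
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Referrer-Policy': 'unsafe-url',
};
const HARDENED = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
};
for (const [label, set] of [['weak', WEAK], ['hardened', HARDENED]]) {
  const { score, grade, checks } = gradeHeaders(set);
  console.log(`${label}: ${score}/100 -> ${grade}`);
  for (const c of checks) console.log(`  ${c.name}: ${c.points}/${c.max} (${c.note})`);
}
```

The per-check notes are what turn a grade into fix recommendations: each entry names the header, says whether it was missing or which value made it weak, and the gap between points and max shows how much that fix would recover.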
🛡️ Use Cases
🔗 More Ways to Investigate Domain Security
Check certificate history with SSL Certificate Checker, verify DNS setup with DNS Lookup, and confirm email authentication with SPF Lookup and DKIM Lookup. Read our guides: Security Headers Explained, How CSP Works, and the full Website Security Checklist.