🛡️ Security Headers Checker

Check HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy and more — get a clear grade and fix recommendations. Free, unlimited.

ℹ️ This tool requires a one-time free setup: deploy the included Cloudflare Worker (see security-headers-worker.js in your site files) and set WORKER_URL in this page's script. Until then, live checks will show a setup message instead of results.

📚 What Are HTTP Security Headers?

HTTP security headers are response headers a server sends that instruct the browser to enforce defensive behavior — restricting which scripts are allowed to run, blocking your page from being embedded in another site's iframe, forcing HTTPS-only connections, and limiting what data leaks to other origins. They cost nothing to add and require no code changes beyond server or CDN configuration, making them one of the highest-leverage security wins available.

⚙️ How This Checker Works

Browsers deliberately block JavaScript running on one site from reading the response headers returned by another site unless that site explicitly opts in through CORS, and almost none do. So this tool performs the GET request through a small server-side proxy, reads the real response headers there, and returns them to your browser as JSON. Other security-header-checking tools use the same approach under the hood.

📋 Headers Checked

| Header | What It Does |
| --- | --- |
| Strict-Transport-Security | Forces HTTPS-only connections (HSTS), blocking downgrade attacks |
| Content-Security-Policy | Allow-lists sources for scripts/styles/images; the main XSS defense |
| X-Frame-Options | Blocks clickjacking by controlling iframe embedding |
| X-Content-Type-Options | Stops MIME-sniffing attacks (should be nosniff) |
| Referrer-Policy | Controls how much URL data leaks via the Referer header |
| Permissions-Policy | Restricts browser features like camera, mic, geolocation |
| Cross-Origin-Opener-Policy | Isolates your browsing context from cross-origin windows |
| Cross-Origin-Resource-Policy | Controls which sites can embed your resources |

🏆 How the Grade Is Calculated

Each present, correctly configured header adds points; missing or weak configurations subtract points. HSTS, CSP, and a framing defense carry the most weight since they block the highest-impact attack classes (downgrade, XSS, clickjacking). The scale runs A+ down to F, mirroring the scoring philosophy used by well-known header-scanning services.
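The proxy-plus-grader flow described in the two sections above, as an added example: this is not the page's own Worker code (security-headers-worker.js) and not the tool's actual scoring table. `checkUrl` is the server-side fetch that reads the real headers and returns them alongside the grade; `analyze` is an additive grader in which HSTS, CSP and a framing defense carry the most weight. Every weight, the 180-day HSTS threshold, the grade boundaries and both sample header sets are assumptions constructed for the example.

```javascript
// Added example, not the page's own Worker code: the proxy fetch described
// above (checkUrl) and an additive grader (analyze). Every weight, threshold
// and grade boundary is an assumption matching the page's stated priorities.

const STRICT_REFERRER = new Set([
  "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
]);

// Simple checks: a header that is present and passes `ok` earns the full
// weight, present but failing earns half, absent earns nothing.
const CHECKS = [
  { header: "strict-transport-security", weight: 25, // assumption: max-age under 180 days is weak
    ok: v => Number((/max-age=(\d+)/i.exec(v) || [0, 0])[1]) >= 15552000 },
  { header: "content-security-policy", weight: 25, // needs a source list and no unsafe-* escape hatch
    ok: v => /\b(default-src|script-src)\b/i.test(v) && !/'unsafe-(inline|eval)'/i.test(v) },
  { header: "x-content-type-options", weight: 10, ok: v => v.trim().toLowerCase() === "nosniff" },
  { header: "referrer-policy", weight: 8, // a comma list is legal; the browser applies the last value it knows
    ok: v => STRICT_REFERRER.has(v.split(",").pop().trim().toLowerCase()) },
  { header: "permissions-policy", weight: 6, ok: () => true }, // assumption: any explicit policy counts
  { header: "cross-origin-opener-policy", weight: 3, ok: v => /^same-origin(-allow-popups)?$/i.test(v.trim()) },
  { header: "cross-origin-resource-policy", weight: 3, ok: v => /^same-(origin|site)$/i.test(v.trim()) },
  // Composite check: X-Frame-Options or a CSP frame-ancestors directive blocks clickjacking.
  { id: "framing defense (x-frame-options or csp frame-ancestors)", weight: 20,
    state(h) {
      const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
      const viaCsp = /\bframe-ancestors\b/i.test(h["content-security-policy"] || "");
      if (viaCsp || xfo === "DENY" || xfo === "SAMEORIGIN") return "ok";
      return xfo ? "weak" : "missing"; // e.g. the obsolete ALLOW-FROM form
    } },
];

// Headers that advertise the stack cost a few points each (assumption).
const LEAKY = ["server", "x-powered-by"], LEAK_PENALTY = 5;

// Grade boundaries (assumption): A+ is reserved for a perfect 100.
function toGrade(score) {
  if (score >= 100) return "A+";
  if (score >= 90) return "A";
  if (score >= 75) return "B";
  if (score >= 60) return "C";
  if (score >= 45) return "D";
  return "F";
}

// Header names are case-insensitive, so key everything lower-case. Accepts a
// fetch() Headers object or a plain object.
function normalize(headers) {
  const isHeaders = typeof Headers !== "undefined" && headers instanceof Headers;
  const entries = isHeaders ? [...headers] : Object.entries(headers);
  return Object.fromEntries(entries.map(([k, v]) => [k.toLowerCase(), String(v)]));
}

function analyze(rawHeaders) {
  const h = normalize(rawHeaders);
  let score = 0;
  const findings = [];
  for (const c of CHECKS) {
    const v = h[c.header];
    const state = c.state ? c.state(h) : v === undefined ? "missing" : c.ok(v) ? "ok" : "weak";
    const name = c.id || c.header;
    if (state === "ok") score += c.weight;
    else if (state === "weak") { score += Math.floor(c.weight / 2); findings.push(`${name}: present but weak`); }
    else findings.push(`${name}: missing`);
  }
  for (const name of LEAKY) {
    if (h[name] !== undefined) { score -= LEAK_PENALTY; findings.push(`${name} reveals the stack (${h[name]})`); }
  }
  score = Math.max(0, score);
  return { score, grade: toGrade(score), findings };
}

// Server-side half: the browser cannot read another origin's response headers,
// so the proxy (Node 18+ or a Worker) performs the GET and returns the raw
// headers plus the grade as JSON-serialisable data. Not invoked below.
async function checkUrl(url) {
  const resp = await fetch(url, { redirect: "follow" });
  const headers = Object.fromEntries(resp.headers);
  return { url: resp.url, status: resp.status, headers, ...analyze(headers) };
}

// Constructed samples, not captured from any real site.
const WEAK_SAMPLE = {
  Server: "nginx", "X-Powered-By": "Express", "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
  "Referrer-Policy": "no-referrer-when-downgrade",
};
const HARDENED_SAMPLE = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
};

console.log(analyze(WEAK_SAMPLE));     // score 26, grade "F"
console.log(analyze(HARDENED_SAMPLE)); // score 100, grade "A+"
```

Run it with `node` to see the two sample grades; in a Worker, `checkUrl` would be called from the fetch handler and its return value passed to `JSON.stringify` for the browser. The half-credit rule for a present-but-weak header is what turns a policy such as `default-src 'self' 'unsafe-inline'` into a finding rather than a pass, and the composite framing check is why a site with no X-Frame-Options header still scores full marks when its CSP carries `frame-ancestors`.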

🛡️ Use Cases

🔧 Pre-Launch Checklist
Run this before shipping a new site or after a hosting/CDN migration to confirm security headers survived the move.

📊 Compliance & Audits
Many security questionnaires and PCI-adjacent checklists ask about header configuration; get a quick, shareable snapshot.

🔄 Regression Detection
Re-check periodically: a config change, CDN reset, or new reverse proxy can silently drop headers that used to be there.

🎯 Competitive Benchmarking
Compare your header grade against competitors or industry leaders to see what a mature security posture looks like in practice.

🔗 More Ways to Investigate Domain Security

Check certificate history with SSL Certificate Checker, verify DNS setup with DNS Lookup, and confirm email authentication with SPF Lookup and DKIM Lookup. Read our guides: Security Headers Explained, How CSP Works, and the full Website Security Checklist.

FAQ

What are HTTP security headers?
Response headers that tell the browser to enforce defensive behavior: restricting scripts, blocking iframe embedding, forcing HTTPS, and limiting data leaks to other origins.

What is HSTS?
Strict Transport Security forces the browser to connect only over HTTPS for a set duration, preventing SSL-stripping downgrade attacks.

What is Content-Security-Policy (CSP)?
An allow-list of the sources from which scripts, styles, and other resources may load; one of the most effective defenses against XSS.

What does X-Frame-Options do?
Controls whether your page can be embedded in an iframe elsewhere, preventing clickjacking attacks.

What is X-Content-Type-Options?
Set to nosniff, it stops the browser from guessing content types, preventing certain disguised-file execution attacks.

What is Permissions-Policy?
Controls which browser features (camera, microphone, geolocation, and more) the page and any embedded iframes may use.

What is Referrer-Policy?
Controls how much URL information is sent as the Referer header when a user follows a link, reducing accidental data leakage.

Why does this tool need a server-side check?
Browsers block JavaScript from reading another site's response headers unless that site opts in via CORS, which almost none do, so a small server-side proxy performs the check instead.

What is a good security headers score?
A strong baseline covers HSTS, a restrictive CSP, X-Content-Type-Options: nosniff, a framing defense, and a non-default Referrer-Policy.

Do security headers replace a Web Application Firewall?
No. Headers are free, browser-enforced instructions; a WAF filters malicious requests at the network edge. They're complementary, not substitutes.

Why does my site show Server or X-Powered-By headers?
Many frameworks add these by default, revealing your stack. Removing or genericizing them is a minor hardening step.

How do I add security headers to my site?
Add them via add_header/Header directives on Nginx/Apache, a headers config on Cloudflare/Vercel/Netlify, or a middleware like helmet for Express.

Is Security Headers Checker free?
Yes, free and unlimited: it performs a live GET request through a lightweight proxy and reports exactly which headers came back.