Security Headers Checker
Scan security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). Use with SSL Checker and HTTPS Redirect Checker.
What we check
- HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- Referrer-Policy, Permissions-Policy
- Grade A–F, fixes, and copy JSON/curl
Tip: Enter a URL (e.g. https://example.com) and click Check.
Security Headers Checker FAQ
What are security headers?
Security headers are HTTP response headers that tell browsers how to handle your site. Common ones include Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. They help reduce XSS, clickjacking, and other risks.
Why is HSTS important?
HSTS (Strict-Transport-Security) tells browsers to use HTTPS only for your domain. It prevents protocol-downgrade attacks and, once a browser has seen the header (or the domain is on the preload list), keeps users off plain HTTP. Use a max-age of at least 15552000 (180 days) and consider adding includeSubDomains and preload.
What is Content-Security-Policy (CSP)?
CSP restricts where scripts, styles, and other resources may load from. It limits the impact of XSS by blocking inline scripts and scripts from unauthorized origins. Avoid unsafe-inline and unsafe-eval when possible; use nonces or hashes instead.
How do I add security headers?
Headers are set by your web server or application. In Apache use Header set; in Nginx use add_header (note that a location block with its own add_header does not inherit the ones set at server level, so repeat them there); in PHP use header(). Use the Security Headers Checker to see what you actually send and copy recommended snippets.
What grade should I aim for?
Aim for grade A: HSTS with a long max-age, a sensible CSP, X-Frame-Options (or the CSP frame-ancestors directive), X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy. Use the tool’s Fixes tab to apply recommendations.
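The following is an added offline example of how the checks described in this FAQ can be applied to a set of response headers; it is not the checker's own code. The grading scale (one letter per finding, capped at F), the HSTS threshold constant, and the sample header sets are assumptions of this example.

```python
HSTS_MIN_AGE = 15552000  # 180 days, the minimum the FAQ recommends (assumed threshold)

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) parsed from an HSTS value."""
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age counts as 0, i.e. no protection
    return max_age, "includesubdomains" in directives, "preload" in directives

def check_headers(headers):
    """Evaluate a dict of response headers; return (grade, findings)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif parse_hsts(hsts)[0] < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age below {HSTS_MIN_AGE} seconds")
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("missing Content-Security-Policy")
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in csp:
            findings.append(f"CSP allows {weak}")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")
    # One letter per finding, capped at F (assumed scale, not the tool's own)
    return "ABCDEF"[min(len(findings), 5)], findings

# Constructed sample header sets, not captured from any real site
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {"Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "default-src * 'unsafe-inline'", "X-Frame-Options": "SAMEORIGIN"}
```

Calling check_headers(GOOD) yields grade A with no findings, while check_headers(WEAK) lists five problems and grades F.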