Skip to main content

Security Headers Checker

Enter a URL to scan its response for the security headers that matter — Content-Security-Policy, HSTS, X-Frame-Options and the rest — and get a grade plus what to fix

Check Your Site's Security Headers

Security headers are instructions a server sends with every response telling the browser how to treat the page: which origins may run scripts on it, whether it may be framed by another site, whether it must be reached over HTTPS. They are cheap to add and they shut down entire classes of attack — but they only work if they are actually set, and most sites are missing several. Enter a URL above and this checker fetches the response, reports which of the ten headers below are present, grades the result out of 100, and shows the exact header value to add for anything missing. It also flags headers that are present but weakened, such as an HSTS max-age that is too short to be useful, or a Content-Security-Policy that still allows unsafe-inline.

Key Features

  • Scans any public URL and reports the security headers it actually returns
  • Grades the result A to F, weighted by how much each header matters
  • Checks Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the three Cross-Origin policies
  • Flags weak values, not just missing ones — a short HSTS max-age or a CSP allowing unsafe-inline
  • Warns when Server or X-Powered-By is leaking your stack to attackers
  • Gives a recommended value for every header you are missing, ready to paste into your config
  • Follows redirects and grades the page you actually land on

Common Use Cases

  • Auditing a site before launch to catch missing headers while it is still cheap to fix
  • Proving to a client or auditor that hardening was actually applied in production
  • Checking that a CDN or reverse proxy is not stripping headers your origin sets
  • Comparing staging against production to find configuration that never got promoted
  • Working through a penetration-test finding about missing security headers
  • Confirming a Content-Security-Policy survived a framework or hosting migration

Frequently Asked Questions

How do I check the security headers of a website?

Enter the site URL in the box above and run the scan. The checker requests the page, reads the response headers, and reports which security headers are present, which are missing, and which are present but weak. You get a grade out of 100 and a recommended value for anything you need to add.

Which security headers should a website have?

The core set is Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options (or CSP frame-ancestors), Referrer-Policy, and Permissions-Policy. Together they mitigate cross-site scripting, clickjacking, MIME sniffing, protocol downgrade, and referrer leakage. The three Cross-Origin policies matter if you need cross-origin isolation.

What does Strict-Transport-Security do?

HSTS tells the browser to only ever contact this site over HTTPS, for the duration given in max-age. It closes the window where a user typing an http:// address, or clicking an old link, could be intercepted before the redirect to HTTPS happens. A max-age below one year is generally considered too short to be effective.

What is a Content-Security-Policy header?

Content-Security-Policy restricts where a page may load scripts, styles, images, and frames from. It is the single most effective defence against cross-site scripting, because a script injected from an origin you did not approve is refused by the browser regardless of how it got onto the page. A policy that still permits unsafe-inline gives up much of that benefit, which is why this checker flags it.

Why did my site get a low grade?

The grade is weighted by impact, so missing Content-Security-Policy (20 points) or Strict-Transport-Security (15) costs far more than missing a Cross-Origin policy (5). A site serving no security headers at all scores zero and grades F. The missing-headers list shows the exact value to add for each one, so the grade is a to-do list rather than a verdict.

100% private. All processing happens in your browser. Your data never leaves your device — no server uploads, no accounts required, no tracking.