HTTP Security Headers Scanner

Check your website's HTTP security headers. Analyze HSTS, CSP, X-Frame-Options and other security mechanisms.

Important Security Headers

Strict-Transport-Security (HSTS)

Forces HTTPS connections and protects against downgrade attacks

Content-Security-Policy (CSP)

Protects against XSS attacks and controls script and resource loading

X-Frame-Options

Protects against clickjacking attacks (iframe embedding)

X-Content-Type-Options

Prevents MIME-sniffing and protects against incorrect file interpretation

Referrer-Policy

Controls what referrer information is sent on navigation

Permissions-Policy

Controls access to browser APIs (geolocation, camera, microphone)

About Check

The scanner analyzes your website's HTTP security headers and evaluates their configuration.

What is checked?

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Permissions-Policy

Grading System

  • A+ — 90-100%
  • A — 80-89%
  • B — 60-79%
  • C — 40-59%
  • D — 20-39%
  • F — 0-19%
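
One way to turn the check list and grade bands above into code, as an added example rather than the scanner's own implementation. Equal weighting of the seven headers and the per-header validity rules are assumptions, and the sample response is constructed.

```python
import re

def _hsts(v):
    # Assumed rule: a positive max-age is required for HSTS to take effect.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", v, re.I)
    return m is not None and int(m.group(1)) > 0

def _csp(v):
    # Assumed rule: the policy must restrict scripts via default-src or script-src.
    names = [d.split()[0].lower() for d in v.split(";") if d.strip()]
    return "default-src" in names or "script-src" in names

def _referrer(v):
    # Browsers use the last recognized token; unsafe-url sends the full URL.
    tokens = [t.strip().lower() for t in v.split(",") if t.strip()]
    return bool(tokens) and tokens[-1] != "unsafe-url"

def _present(v):
    return bool(v.strip())

# The seven headers the page lists under "What is checked?".
CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": _present,
    "referrer-policy": _referrer,
    "permissions-policy": _present,
}

# Lower bound of each band from the page's grading system.
GRADES = [(90, "A+"), (80, "A"), (60, "B"), (40, "C"), (20, "D"), (0, "F")]

def grade_headers(headers):
    """Return (score_percent, grade, findings) for a response-header mapping."""
    seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = {}
    for name, check in CHECKS.items():
        if name not in seen:
            findings[name] = "missing"
        else:
            findings[name] = "ok" if check(seen[name]) else "weak"
    passed = sum(1 for state in findings.values() if state == "ok")
    score = round(100 * passed / len(CHECKS))  # assumption: equal weights
    grade = next(g for floor, g in GRADES if score >= floor)
    return score, grade, findings

# Constructed sample response headers.
SAMPLE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "ALLOWALL",
          "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin"}
```

For `SAMPLE`, four of the seven checks pass (57%, grade C): the `X-Frame-Options` value is reported as weak, and `X-XSS-Protection` and `Permissions-Policy` as missing.
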
Tip

Add security headers in your web server config (Nginx, Apache) or via a CDN (Cloudflare).

Frequently Asked Questions

What are HTTP Security Headers?

HTTP Security Headers are response headers from web servers that instruct browsers to apply certain security measures. They protect against XSS, clickjacking, MIME-sniffing and other attacks.

How to add security headers?

Headers are added in the web server config (Nginx: add_header, Apache: Header set), via a CDN (Cloudflare Page Rules), or in application code (middleware).

Which header is most important?

Content-Security-Policy (CSP) is considered the most important, as it protects against XSS attacks. HSTS is also critical for protecting HTTPS connections.