Security headers checker: is your site hardened?
Check your HTTPS setup and HTTP security headers (HSTS, CSP, X-Frame-Options) and get a graded report with fixes.
We read your site's response headers. No data is stored.
How the security score works
A security headers checker inspects the HTTP response headers your server sends and grades how well your site is hardened against common web attacks. The most important headers are HSTS (forces HTTPS), Content-Security-Policy (blocks injection), X-Frame-Options (prevents clickjacking), and X-Content-Type-Options (stops MIME sniffing).
What each header protects against
| Header | Protects against | Weight |
|---|---|---|
| Strict-Transport-Security | Protocol downgrade, MITM | High |
| Content-Security-Policy | XSS, injection, data exfiltration | High |
| X-Frame-Options | Clickjacking | Medium |
| X-Content-Type-Options | MIME-type sniffing | Medium |
| Referrer-Policy | Referrer data leakage | Low |
| Permissions-Policy | Unwanted feature access | Low |
How to add security headers (step by step)
Security headers are set at your web server or CDN, not in your page HTML. The exact syntax varies by platform, but the order of operations is the same everywhere:
- Scan your current headers with the tool above to see what's present, missing, or weak.
- Enforce HTTPS, then add HSTS. Once every page works over HTTPS, add
Strict-Transport-Security: max-age=31536000; includeSubDomains. - Add a Content-Security-Policy in report-only mode. Watch the violation reports, fix anything legitimate it would block, then switch to enforcing.
- Add the supporting headers:
X-Frame-Options,X-Content-Type-Options: nosniff,Referrer-Policy, and aPermissions-Policy. - Re-scan to confirm the headers are live and your grade improved.
On Nginx use add_header, on Apache use Header set, and on Cloudflare, Netlify, or Vercel define them in a headers config file or transform rule. See the OWASP Secure Headers Project and MDN's HTTP headers reference for exact directives.
Why security headers matter for trust and SEO
Most damaging website breaches don't involve sophisticated zero-days - they exploit basic misconfigurations. A missing Content-Security-Policy lets an injected script run and steal data. Cookies without protective flags get hijacked. A site that can be framed is vulnerable to clickjacking. Security headers shut down these entire attack classes for the cost of a few configuration lines, which is the best security return on investment most sites can make.
There's an SEO and trust dimension too. HTTPS is a confirmed Google ranking signal, and a site that gets hacked or blacklisted can be dropped from search results until it's cleaned up. Visitors increasingly notice browser security warnings, and a "Not Secure" label at the moment of decision quietly kills conversions. Hardening your headers protects rankings, reputation, and revenue at once.
Security headers checklist
| Header | Recommended value | Priority |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Critical |
| Content-Security-Policy | Start report-only, then enforce | Critical |
| X-Frame-Options | SAMEORIGIN | High |
| X-Content-Type-Options | nosniff | High |
| Referrer-Policy | strict-origin-when-cross-origin | Medium |
| Permissions-Policy | Restrict camera, mic, geolocation | Medium |
How to read your security grade
90-100 (A): Strong posture. Keep an eye out for regressions after deployments.
80-89 (B): Good - usually a missing CSP or HSTS away from an A.
65-79 (C): Several headers missing; work the prioritized fixes in the report.
Below 65 (D/F): Under-hardened. Start with HTTPS, HSTS, and a Content-Security-Policy.
For developers and agencies
If you build or maintain sites for clients, this checker is a fast pre-launch and audit step - run it before every go-live and after infrastructure changes. It's free with no usage limits, so you can fold it into QA checklists and client reports. A clean header configuration is also an easy, demonstrable win to show clients early in an engagement. Need headers baked into your stack, a hardened CSP that doesn't break third-party scripts, or a full security and code-health review? Talk to our engineers.
Frequently asked questions
- What are HTTP security headers?
- Response headers your server sends that tell the browser how to behave securely - enforcing HTTPS and blocking common attacks like clickjacking and script injection.
- Which security headers are most important?
- HSTS and Content-Security-Policy have the biggest impact, followed by X-Frame-Options and X-Content-Type-Options.
- What does HSTS do?
- It tells browsers to only ever connect over HTTPS, preventing downgrade and man-in-the-middle attacks. Add it once HTTPS works everywhere.
- Will adding these headers break my site?
- CSP can block resources if misconfigured, so test in report-only mode first. The others are generally safe to add directly.
- Does HTTPS alone make my site secure?
- No. HTTPS encrypts traffic; security headers add browser-level protections (clickjacking, XSS, MIME sniffing) on top of it.
- Is this checker free?
- Yes - free, no signup, no limits. The scan is passive and read-only and stores nothing.
- What is a good score?
- 90-100 (A) is strong; 80-89 (B) is good; 65-79 (C) has gaps; below 65 means core protections are missing.
- How do I add security headers?
- Set them at your server or CDN - Nginx add_header, Apache Header set, or a headers config on Cloudflare/Netlify/Vercel. Add HSTS and CSP first.
- How often should I check?
- After any deployment, migration, or CDN change, and at least quarterly - headers can silently disappear during a redesign.
Security headers are cheap insurance
Most security headers are a one-line addition to your server or CDN config, yet they block entire classes of attacks - clickjacking, protocol downgrades, MIME confusion, and many cross-site scripting vectors. They cost nothing to add and meaningfully raise the bar for attackers.
Start with HSTS and CSP
If you only do two things, enable HSTS to lock visitors onto HTTPS, and add a Content-Security-Policy to control what scripts and resources can load. Roll CSP out in report-only mode first so you can see what it would block before enforcing it.
Related free tools
Keep going with these tools
Website Security Scanner
Is your website safe?
Tracker & Cookie Scanner
What trackers does your site run?
Website Tech Stack Checker
What is this site built with?
Website Down Checker
Is it down for everyone, or just you?
Free Website Grader
Score your whole site in seconds
Responsive Design Checker
Preview any site at every screen size
Want a team to handle it for you? We design and build fast, SEO-ready websites that convert. Explore AI web development.
Related guides
Go deeper with our guides
Practical, up-to-date guides on the strategy, costs, and execution behind this tool.
Website Maintenance Checklist 2026: Keep Your Site Secure and Fast
Monthly, quarterly, and annual tasks to keep your small business site secure, fast, and converting.
Technical SEO Checklist for Small Business Websites in 2026
Fix the technical SEO issues holding your site back: crawlability, indexation, site speed, and schema markup.
Ready to ship your next product?
Tell us what you're building. Senior engineers will scope, plan, and start delivering your product with production-ready architecture - fast.
