Skip to main content
Free Tools

Security headers checker: is your site hardened?

Check your HTTPS setup and HTTP security headers (HSTS, CSP, X-Frame-Options) and get a graded report with fixes.

No signup requiredWe read response headers. No data is stored.Results in seconds

We read your site's response headers. No data is stored.

How the security score works

A security headers checker inspects the HTTP response headers your server sends and grades how well your site is hardened against common web attacks. The most important headers are HSTS (forces HTTPS), Content-Security-Policy (blocks injection), X-Frame-Options (prevents clickjacking), and X-Content-Type-Options (stops MIME sniffing).

What each header protects against

HeaderProtects againstWeight
Strict-Transport-SecurityProtocol downgrade, MITMHigh
Content-Security-PolicyXSS, injection, data exfiltrationHigh
X-Frame-OptionsClickjackingMedium
X-Content-Type-OptionsMIME-type sniffingMedium
Referrer-PolicyReferrer data leakageLow
Permissions-PolicyUnwanted feature accessLow

How to add security headers (step by step)

Security headers are set at your web server or CDN, not in your page HTML. The exact syntax varies by platform, but the order of operations is the same everywhere:

  1. Scan your current headers with the tool above to see what's present, missing, or weak.
  2. Enforce HTTPS, then add HSTS. Once every page works over HTTPS, add Strict-Transport-Security: max-age=31536000; includeSubDomains.
  3. Add a Content-Security-Policy in report-only mode. Watch the violation reports, fix anything legitimate it would block, then switch to enforcing.
  4. Add the supporting headers: X-Frame-Options, X-Content-Type-Options: nosniff, Referrer-Policy, and a Permissions-Policy.
  5. Re-scan to confirm the headers are live and your grade improved.

On Nginx use add_header, on Apache use Header set, and on Cloudflare, Netlify, or Vercel define them in a headers config file or transform rule. See the OWASP Secure Headers Project and MDN's HTTP headers reference for exact directives.

Why security headers matter for trust and SEO

Most damaging website breaches don't involve sophisticated zero-days - they exploit basic misconfigurations. A missing Content-Security-Policy lets an injected script run and steal data. Cookies without protective flags get hijacked. A site that can be framed is vulnerable to clickjacking. Security headers shut down these entire attack classes for the cost of a few configuration lines, which is the best security return on investment most sites can make.

There's an SEO and trust dimension too. HTTPS is a confirmed Google ranking signal, and a site that gets hacked or blacklisted can be dropped from search results until it's cleaned up. Visitors increasingly notice browser security warnings, and a "Not Secure" label at the moment of decision quietly kills conversions. Hardening your headers protects rankings, reputation, and revenue at once.

Security headers checklist

Security headers checklist
HeaderRecommended valuePriority
Strict-Transport-Securitymax-age=31536000; includeSubDomainsCritical
Content-Security-PolicyStart report-only, then enforceCritical
X-Frame-OptionsSAMEORIGINHigh
X-Content-Type-OptionsnosniffHigh
Referrer-Policystrict-origin-when-cross-originMedium
Permissions-PolicyRestrict camera, mic, geolocationMedium

How to read your security grade

90-100 (A): Strong posture. Keep an eye out for regressions after deployments.

80-89 (B): Good - usually a missing CSP or HSTS away from an A.

65-79 (C): Several headers missing; work the prioritized fixes in the report.

Below 65 (D/F): Under-hardened. Start with HTTPS, HSTS, and a Content-Security-Policy.

For developers and agencies

If you build or maintain sites for clients, this checker is a fast pre-launch and audit step - run it before every go-live and after infrastructure changes. It's free with no usage limits, so you can fold it into QA checklists and client reports. A clean header configuration is also an easy, demonstrable win to show clients early in an engagement. Need headers baked into your stack, a hardened CSP that doesn't break third-party scripts, or a full security and code-health review? Talk to our engineers.

Frequently asked questions

What are HTTP security headers?
Response headers your server sends that tell the browser how to behave securely - enforcing HTTPS and blocking common attacks like clickjacking and script injection.
Which security headers are most important?
HSTS and Content-Security-Policy have the biggest impact, followed by X-Frame-Options and X-Content-Type-Options.
What does HSTS do?
It tells browsers to only ever connect over HTTPS, preventing downgrade and man-in-the-middle attacks. Add it once HTTPS works everywhere.
Will adding these headers break my site?
CSP can block resources if misconfigured, so test in report-only mode first. The others are generally safe to add directly.
Does HTTPS alone make my site secure?
No. HTTPS encrypts traffic; security headers add browser-level protections (clickjacking, XSS, MIME sniffing) on top of it.
Is this checker free?
Yes - free, no signup, no limits. The scan is passive and read-only and stores nothing.
What is a good score?
90-100 (A) is strong; 80-89 (B) is good; 65-79 (C) has gaps; below 65 means core protections are missing.
How do I add security headers?
Set them at your server or CDN - Nginx add_header, Apache Header set, or a headers config on Cloudflare/Netlify/Vercel. Add HSTS and CSP first.
How often should I check?
After any deployment, migration, or CDN change, and at least quarterly - headers can silently disappear during a redesign.

Security headers are cheap insurance

Most security headers are a one-line addition to your server or CDN config, yet they block entire classes of attacks - clickjacking, protocol downgrades, MIME confusion, and many cross-site scripting vectors. They cost nothing to add and meaningfully raise the bar for attackers.

Start with HSTS and CSP

If you only do two things, enable HSTS to lock visitors onto HTTPS, and add a Content-Security-Policy to control what scripts and resources can load. Roll CSP out in report-only mode first so you can see what it would block before enforcing it.

Launch Faster

Ready to ship your next product?

Tell us what you're building. Senior engineers will scope, plan, and start delivering your product with production-ready architecture - fast.

Talk to real engineers
Clear scope in one call
No obligation