Security Headers Checker

Analyze your website's HTTP security headers. Check for Content-Security-Policy, X-Frame-Options, HSTS, and more. Free online tool.

What we check

Content-Security-Policy (CSP)
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
CORS configuration

How it works

HTTP security headers tell browsers how to handle your website content. Missing headers can leave your site vulnerable to XSS attacks, clickjacking, MIME sniffing, and other browser-based exploits. Our scanner checks all critical security headers and provides specific fix recommendations for your server.

Results are available in seconds. No installation or server access required — we scan your website from the outside, just like an attacker would.

Frequently Asked Questions

What are security headers?

Security headers are HTTP response headers that instruct browsers on how to handle your site's content. They prevent common attacks like cross-site scripting (XSS), clickjacking, and MIME type sniffing.

Which security headers matter most?

Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options are the most critical. Together they prevent the majority of browser-based attacks.

How do I add them?

Add them in your web server configuration. For example, to set X-Content-Type-Options:

Nginx: add_header X-Content-Type-Options "nosniff" always;
Apache: Header always set X-Content-Type-Options "nosniff"

Our scan report includes server-specific instructions for each missing header.
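As an added example (not the tool's own code), the following Python function performs the same kind of check offline: it takes a captured set of response headers, flags each header from the list above that is missing or weak, and pairs every finding with the Nginx and Apache directive forms quoted in the answer. The recommended values and the one-year HSTS threshold are this example's own choices, not the tool's; CORS is left out because judging it needs the request's Origin.

```python
import re
from typing import Dict, List, Tuple

# Header -> (canonical name, recommended value); HTTP header names are
# case-insensitive, so all lookups go through lower-cased keys.
REQUIRED = {
    "content-security-policy": ("Content-Security-Policy", "default-src 'self'"),
    "x-frame-options": ("X-Frame-Options", "DENY"),
    "x-content-type-options": ("X-Content-Type-Options", "nosniff"),
    "referrer-policy": ("Referrer-Policy", "strict-origin-when-cross-origin"),
    "permissions-policy": ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    "strict-transport-security": ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
}
ONE_YEAR = 31536000  # minimum HSTS max-age worth recommending (seconds); example's choice

def fix_lines(name: str, value: str) -> Tuple[str, str]:
    """Nginx and Apache directives that set the header on every response."""
    return (f'add_header {name} "{value}" always;',
            f'Header always set {name} "{value}"')

def check_headers(headers: Dict[str, str]) -> List[dict]:
    """Return one finding per missing or weak header, each with server-specific fixes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for key, (name, good) in REQUIRED.items():
        value, problem = h.get(key), None
        if value is None:
            problem = "missing"
        elif key == "x-content-type-options" and value.lower() != "nosniff":
            problem = f"value {value!r} is not 'nosniff'"
        elif key == "x-frame-options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            problem = f"value {value!r} is neither DENY nor SAMEORIGIN"
        elif key == "content-security-policy" and "'unsafe-inline'" in value:
            problem = "policy allows 'unsafe-inline', which weakens XSS protection"
        elif key == "strict-transport-security":
            age = re.search(r"max-age=(\d+)", value)
            if not age or int(age.group(1)) < ONE_YEAR:
                problem = f"max-age below one year ({ONE_YEAR} seconds)"
        if problem:
            nginx, apache = fix_lines(name, good)
            findings.append({"header": name, "problem": problem, "nginx": nginx, "apache": apache})
    return findings

# Constructed sample response headers (not captured from any real site).
SAMPLE = {
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for item in check_headers(SAMPLE):
        print(f"{item['header']}: {item['problem']}\n  nginx:  {item['nginx']}\n  apache: {item['apache']}")
```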

Need a deeper analysis?

Our Pro and Deep scans include OWASP Top 10 analysis, malware detection, exposed files, and up to 27 security scanners with a professional PDF report.