HTTP Headers Checker

HTTP security headers are instructions sent by a web server to your browser, telling it how to behave when handling the site’s content. Properly configured headers protect against cross-site scripting (XSS), clickjacking, protocol downgrade attacks, and data injection. Many websites – including major ones – are missing critical headers that would significantly improve their security posture.

Enter any URL below to analyse its security headers. We check for HSTS, Content Security Policy, X-Frame-Options, and over a dozen other headers that matter for web security. Each header receives a grade from A+ to F, and you get an overall security score.

Last reviewed: March 29, 2026

Understanding Security Header Categories

Critical Security Headers

Strict-Transport-Security (HSTS) tells browsers to only connect via HTTPS. Without it, attackers on the same network can intercept the initial HTTP request and redirect users to a malicious site. The preload directive gets your domain added to browser-hardcoded lists, providing protection even on the very first visit.

Content-Security-Policy (CSP) is arguably the single most powerful security header. It defines exactly which scripts, styles, images, and other resources the browser is allowed to load. A well-crafted CSP is the strongest defence against cross-site scripting attacks.

X-Content-Type-Options with the value “nosniff” prevents browsers from guessing the content type of a response. Without it, an attacker could trick the browser into treating a text file as executable JavaScript.

X-Frame-Options controls whether your page can be embedded in an iframe. Setting it to DENY or SAMEORIGIN prevents clickjacking – where an attacker overlays an invisible frame to trick users into clicking hidden buttons.

Cross-Origin Isolation Headers

The trio of Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), and Cross-Origin-Embedder-Policy (COEP) works together to create a cross-origin isolated browsing context. This isolation protects against Spectre-class CPU vulnerabilities and is required to use powerful APIs like SharedArrayBuffer and high-resolution timers.

Information Disclosure Headers

Headers like Server and X-Powered-By reveal your technology stack to anyone who looks. While security through obscurity is not a strategy on its own, there is no reason to make an attacker’s job easier by advertising your exact server version and backend language.
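The grading described in the sections above, written out as an added example (this is illustrative code, not the checker's own implementation): it covers the four critical headers, the COOP/CORP/COEP trio and the two disclosure headers. The letter grades, the one-year HSTS threshold and the sample response headers are this example's own assumptions.

```python
import re

ONE_YEAR = 31_536_000  # seconds: the minimum HSTS max-age the page recommends
EXPECTED = {  # headers graded by a plain value allow-list (lower-cased)
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "cross-origin-opener-policy": {"same-origin"},
    "cross-origin-embedder-policy": {"require-corp", "credentialless"},
    "cross-origin-resource-policy": {"same-origin", "same-site"},
}

def check_hsts(value):
    """max-age >= 1 year is the bar; includeSubDomains plus preload earn A+."""
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        return "F" if value is None else "C"
    flags = value.lower()
    return "A+" if "preload" in flags and "includesubdomains" in flags else "A"

def check_csp(value):
    """C if the effective script source list admits inline scripts, eval() or a wildcard."""
    if value is None:
        return "F"
    directives = {t[0].lower(): {s.lower() for s in t[1:]}
                  for t in (p.split() for p in value.split(";")) if t}
    script = directives.get("script-src", directives.get("default-src", {"*"}))
    return "C" if script & {"'unsafe-inline'", "'unsafe-eval'", "*"} else "A"

def grade_headers(headers):
    """Return {header: grade} for a response-header mapping (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    grades = {"strict-transport-security": check_hsts(h.get("strict-transport-security")),
              "content-security-policy": check_csp(h.get("content-security-policy"))}
    for name, ok in EXPECTED.items():
        val = h.get(name)
        grades[name] = "F" if val is None else ("A" if val.lower() in ok else "D")
    for name in ("server", "x-powered-by"):  # disclosure headers count against the score
        if name in h:
            grades[name] = "D"
    return grades

# Constructed sample response headers (not captured from any real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Server": "ExampleHTTPd/1.0",
}
```

Running `grade_headers(SAMPLE)` grades the HSTS value A+ but the CSP only C, because `'unsafe-inline'` in script-src undoes most of the XSS protection the policy is meant to give.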

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are directives sent by a web server in the response to every HTTP request. They instruct the browser how to handle the page’s content – for example, whether to allow framing, which scripts to trust, or whether to enforce HTTPS. They act as a second line of defence: even if your application code has a vulnerability, properly configured headers can prevent the browser from executing the attack.

Why are security headers important?

Security headers protect your visitors from common web attacks including cross-site scripting (XSS), clickjacking, MIME-type confusion, and protocol downgrade attacks. They are particularly important because they work at the browser level – even if an attacker finds a way to inject malicious content, headers like Content-Security-Policy can prevent the browser from executing it. Most headers require only a single line of server configuration, making them one of the highest-impact, lowest-effort security improvements you can make.

What is HSTS and why does it matter?

HSTS (HTTP Strict Transport Security) tells browsers to only communicate with your server over HTTPS. Without HSTS, the first request to your site might happen over plain HTTP before the server redirects to HTTPS – and that unencrypted request can be intercepted by attackers on public Wi-Fi or compromised networks. With the preload directive and a max-age of at least one year, and once the domain has been submitted to the browser preload list, browsers will refuse to connect over HTTP entirely, even on the very first visit. This makes HSTS essential for any site handling user data, login credentials, or financial transactions.

What is Content Security Policy (CSP)?

Content Security Policy is a security header that defines which sources of content the browser should trust. You specify allowed origins for scripts, stylesheets, images, fonts, and other resources. If an attacker manages to inject a malicious script tag via an XSS vulnerability, the browser will refuse to execute it because the script’s origin is not in the approved list. CSP can also block inline scripts, eval(), and other dangerous patterns. It is widely considered the most effective client-side protection against XSS, which remains the most common web vulnerability according to the OWASP Top 10.

How do I add security headers to my website?

The method depends on your server. For Apache, add Header directives in your .htaccess file (e.g., Header set X-Content-Type-Options "nosniff"). For Nginx, use add_header in your server block. For Node.js/Express, use the helmet middleware which sets all recommended headers with sensible defaults. If you use a CDN like Cloudflare, you can set headers in the dashboard or via Workers. WordPress users can use a security plugin or add headers in wp-config.php. Start with the critical four (HSTS, CSP, X-Content-Type-Options, X-Frame-Options) and expand from there. Always test in report-only mode first for CSP to avoid accidentally breaking your site.
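The report-only advice above in practice, as an added example (not code from this tool): a small summariser for the violation reports a browser POSTs while a policy is deployed as Content-Security-Policy-Report-Only, so the policy can be tuned before it is enforced. It assumes the classic `report-uri` JSON envelope (a top-level `csp-report` object), not the newer Reporting API `report-to` format, and the sample report bodies are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

KEYWORD_URIS = {"inline", "eval", "data", "blob"}  # pseudo-URIs browsers report

def summarise_reports(raw_bodies):
    """Group report-uri POST bodies into {directive: Counter(blocked origin)}."""
    summary = {}
    for body in raw_bodies:
        try:
            report = json.loads(body)["csp-report"]
            directive = str(report.get("effective-directive") or
                            report.get("violated-directive") or "?").split()[0]
            blocked = str(report.get("blocked-uri") or "(none)")
        except (ValueError, KeyError, TypeError, AttributeError, IndexError):
            continue  # malformed or unexpected body: skip it, the input is untrusted
        if blocked not in KEYWORD_URIS and blocked != "(none)":
            parts = urlsplit(blocked)
            if parts.netloc:
                blocked = f"{parts.scheme}://{parts.netloc}"  # keep the origin only
        summary.setdefault(directive, Counter())[blocked] += 1
    return summary

def tuning_plan(summary, min_count=2):
    """Turn the summary into actions: origins seen repeatedly are allow-list
    candidates; inline/eval hits mean code to refactor, not 'unsafe-*' to add."""
    plan = {}
    for directive, counts in summary.items():
        allow = sorted(o for o, n in counts.items()
                       if n >= min_count and o not in KEYWORD_URIS and o != "(none)")
        refactor = sorted(o for o in counts if o in ("inline", "eval"))
        plan[directive] = {"allow": allow, "refactor": refactor}
    return plan

# Constructed report bodies, shaped like browser POSTs to a report-uri endpoint.
def _report(directive, blocked):
    return json.dumps({"csp-report": {"document-uri": "https://example.com/",
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})
SAMPLE_BODIES = [
    _report("script-src", "https://cdn.example.net/lib.js"),
    _report("script-src", "https://cdn.example.net/other.js"),
    _report("script-src", "inline"),
    _report("img-src", "https://img.example.org/a.png"),
    "not json at all",
]

if __name__ == "__main__":
    print(json.dumps(tuning_plan(summarise_reports(SAMPLE_BODIES)), indent=2))
```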

How this tool works

This tool runs partly in your browser and partly on our server. We detect your IP address server-side, then perform DNS and WebRTC checks client-side. No account is needed and no personal data is stored beyond anonymous aggregate statistics.

Results are based on real-time checks against your current connection. For the most accurate results, ensure your VPN is fully connected before running the test.

Security

DNS hijacking redirects your legitimate website requests to fake copies designed to steal your credentials. VPNs with encrypted DNS prevent this.