// free security tool
HTTP Security Header Checker
Enter a URL and grade its HTTP security headers in seconds. The checker reports which protective headers are present, missing, or misconfigured — Content-Security-Policy, HSTS, X-Frame-Options, Referrer-Policy, and more — and gives you copy-paste configuration to fix the gaps.
Headers the checker grades
- Content-Security-Policy — mitigates XSS and data injection; the highest-value, hardest-to-tune header.
- Strict-Transport-Security (HSTS) — forces HTTPS and blocks protocol downgrade.
- X-Frame-Options / frame-ancestors — prevents clickjacking.
- X-Content-Type-Options, Referrer-Policy, Permissions-Policy: stop MIME-type sniffing, limit what the Referer header leaks to other origins, and restrict browser features such as camera, microphone, and geolocation.
How to read the grade
Each header is marked present, missing, or weak, with the recommended value. Start with HSTS and CSP, then tighten the rest. A restrictive CSP usually needs iteration: deploy it first as Content-Security-Policy-Report-Only with a reporting directive, watch which legitimate scripts, styles, and images get reported, and switch to the enforcing Content-Security-Policy header only once the reports are clean.
Copy-paste starting point
A safe baseline to adapt: Strict-Transport-Security: max-age=31536000; includeSubDomains and a Content-Security-Policy that starts from default-src 'self' and is loosened only as needed. Two caveats before you paste: includeSubDomains commits every subdomain to HTTPS for a year, so confirm none of them still depend on plain HTTP, and add the preload directive only when you actually intend to submit the domain to the browser preload list, because that commitment is hard to undo. For the CSP, add frame-ancestors 'none' (or 'self') so the policy also covers clickjacking, and avoid 'unsafe-inline' in script-src wherever you can.
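The grading described above, worked through as an added example (this is illustrative code written for this page, not the checker's own implementation). It classifies each graded header as present, weak, or missing against the baseline values given on this page, treats CSP frame-ancestors as satisfying the clickjacking check, and flags a report-only CSP as weak because it enforces nothing. The point thresholds, the letter-grade scale, and the two sample header sets are constructed assumptions; cookie and CORS signals are left out.

```python
"""Grade HTTP response headers as present, weak, or missing.

Added example for this page, not the tool's own code. ONE_YEAR, RECOMMENDED,
the point scale and the sample header sets are assumptions made for the demo.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; the max-age used by the baseline on this page
POINTS = {"present": 2, "weak": 1, "missing": 0}
# Values reported next to a weak or missing header (assumed, from the page's baseline).
RECOMMENDED = {
    "strict-transport-security": f"max-age={ONE_YEAR}; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY (or CSP frame-ancestors 'none')",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Turn "default-src 'self'; script-src a b" into {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_hsts(value: str) -> tuple[str, str]:
    """HSTS is weak when max-age is unparsable or shorter than one year."""
    max_age = None
    for directive in (d.strip().lower() for d in value.split(";")):
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                max_age = None
    if max_age is None:
        return "weak", "max-age missing or not an integer"
    if max_age < ONE_YEAR:
        return "weak", f"max-age={max_age} is under one year"
    return "present", "ok"


def check_csp(directives: dict[str, list[str]]) -> tuple[str, str]:
    """CSP is weak without a default-src fallback or with unsafe script sources."""
    if "default-src" not in directives:
        return "weak", "no default-src fallback"
    for name in ("default-src", "script-src"):
        bad = RISKY_SOURCES & set(directives.get(name, []))
        if bad:
            return "weak", f"{name} allows {', '.join(sorted(bad))}"
    return "present", "ok"


def check_framing(xfo: str | None, csp: dict[str, list[str]]) -> tuple[str, str]:
    """frame-ancestors supersedes X-Frame-Options; ALLOW-FROM is ignored by modern browsers."""
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        if "*" in ancestors:
            return "weak", "frame-ancestors allows any origin"
        return "present", "covered by CSP frame-ancestors"
    if xfo is None:
        return "missing", RECOMMENDED["x-frame-options"]
    if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "present", "ok"
    return "weak", f"unsupported value {xfo!r}"


def letter_grade(score: int) -> str:
    """Assumed scale over six headers worth two points each (12 max)."""
    if score >= 12:
        return "A"
    if score >= 10:
        return "B"
    if score >= 7:
        return "C"
    if score >= 4:
        return "D"
    return "F"


def grade_headers(headers: dict[str, str]) -> tuple[str, dict[str, tuple[str, str]]]:
    """Return (letter, {header: (status, detail)}) for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    report: dict[str, tuple[str, str]] = {}

    hsts = h.get("strict-transport-security")
    report["strict-transport-security"] = check_hsts(hsts) if hsts else ("missing", RECOMMENDED["strict-transport-security"])

    csp_value = h.get("content-security-policy")
    csp = parse_csp(csp_value) if csp_value else {}
    if csp_value:
        report["content-security-policy"] = check_csp(csp)
    elif "content-security-policy-report-only" in h:
        report["content-security-policy"] = ("weak", "only the Report-Only header is set; nothing is enforced")
    else:
        report["content-security-policy"] = ("missing", RECOMMENDED["content-security-policy"])

    report["x-frame-options"] = check_framing(h.get("x-frame-options"), csp)

    xcto = h.get("x-content-type-options")
    report["x-content-type-options"] = ("present", "ok") if xcto and xcto.lower() == "nosniff" else (
        ("weak", f"unexpected value {xcto!r}") if xcto else ("missing", RECOMMENDED["x-content-type-options"]))

    ref = h.get("referrer-policy")
    report["referrer-policy"] = ("missing", RECOMMENDED["referrer-policy"]) if not ref else (
        ("weak", f"{ref} leaks full URLs cross-origin") if ref.lower() in LEAKY_REFERRER else ("present", "ok"))

    report["permissions-policy"] = ("present", "ok") if h.get("permissions-policy") else ("missing", RECOMMENDED["permissions-policy"])

    score = sum(POINTS[status] for status, _ in report.values())
    return letter_grade(score), report


# Constructed sample responses (not captured from any real site).
WEAK_SITE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_SITE = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        letter, report = grade_headers(hdrs)
        print(f"{name}: grade {letter}")
        for header, (status, detail) in report.items():
            print(f"  {status:8} {header}: {detail}")
```

To grade a live site, replace the constructed dictionaries with the headers from a single normal GET response (for example `requests.get(url).headers`) and hand them to `grade_headers`; the function only ever reads headers, so the check stays non-intrusive.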
Frequently asked questions
Which headers does it check?
Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and related cookie and CORS signals.
What is the most important header?
For most sites, HSTS and a restrictive Content-Security-Policy deliver the biggest gains: HSTS enforces HTTPS, and CSP mitigates cross-site scripting and, through its frame-ancestors directive, clickjacking.
Does the scan affect my site?
No. It sends an ordinary request to the URL you enter and reads the response headers; it does not attack, fuzz, or modify your site.
Free vs Pro?
Free covers 1 check per month. Pro raises it to 100 per month with history and exports.