Audit your website's HTTP security headers instantly. Detect missing protections against cross-site scripting, clickjacking, and other common web attacks.
HTTP security headers are response headers that your web server sends to browsers along with your page content. They instruct browsers on how to behave when handling your site's data: which scripts to execute, whether to allow framing, how to handle HTTPS, and what to do with content types. Think of them as a security policy document that every visitor's browser automatically enforces on your behalf.
The most impactful security header is Content-Security-Policy (CSP). A properly configured CSP defines an allowlist of trusted content sources for every type of resource including scripts, stylesheets, images, fonts, frames, and more. When a browser encounters content from an unlisted source, it blocks it. This single header can neutralise most cross-site scripting (XSS) attacks, which remain in the OWASP Top 10 vulnerabilities year after year.
Strict-Transport-Security (HSTS) is essential for any site using HTTPS. It prevents protocol downgrade attacks and cookie hijacking by forcing browsers to always use encrypted connections. The max-age directive specifies how long browsers should remember to use HTTPS (31536000 seconds, or one year, is recommended). Adding includeSubDomains extends protection to all subdomains, and submitting your domain to the HSTS preload list builds the requirement directly into browser code. Make sure your SSL certificate is valid before enabling HSTS.
X-Frame-Options and its modern replacement frame-ancestors in CSP prevent clickjacking attacks, where your site is loaded in a hidden iframe to trick users into clicking malicious elements. X-Content-Type-Options: nosniff prevents browsers from guessing MIME types, stopping attacks where a malicious file disguised as an image is interpreted as executable script. Referrer-Policy controls how much URL information is leaked when users navigate away from your site.
The newer Permissions-Policy header (formerly Feature-Policy) lets you control which browser features your site can access, such as camera, microphone, geolocation, payment APIs, and more. Even if an XSS attack succeeds, a restrictive Permissions-Policy prevents the attacker from accessing sensitive device capabilities. For a holistic view of your domain's security, including email authentication and DNS protections, run a full domain security scan.
Type your website's domain above. We send an HTTP request and capture all response headers from your server.
We look for all security-relevant headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.
Each header's value is parsed and evaluated. We check for weak directives (like CSP with unsafe-inline), missing recommended values, and common misconfigurations.
You receive a grade plus header-by-header results. Missing headers get specific implementation guidance, and weak headers get improvement suggestions.
HTTP security headers are directives sent by your web server that tell browsers how to handle your site's content. They act as a second line of defence: even if your application code has vulnerabilities, properly configured security headers can prevent or mitigate attacks like cross-site scripting (XSS), clickjacking, MIME type sniffing, and data injection. They cost nothing to implement and significantly reduce your attack surface.
Content-Security-Policy is arguably the most powerful security header. It defines exactly which sources are allowed to load scripts, styles, images, fonts, and other resources on your pages. A well-crafted CSP effectively neutralises XSS attacks by preventing the browser from executing unauthorised scripts, even if an attacker manages to inject code. While CSP can be complex to implement, especially on sites with lots of third-party integrations, starting with a report-only policy lets you monitor without breaking functionality.
Run a full domain scan to check your email authentication (SPF, DKIM, DMARC), SSL certificate, and DNSSEC alongside security headers.
HSTS tells browsers to always connect to your site over HTTPS, even if the user types "http://" or clicks an HTTP link. Once a browser sees the HSTS header, it internally redirects all future HTTP requests to HTTPS for the specified max-age period. This prevents SSL-stripping attacks where an attacker downgrades a secure connection to plain HTTP. For maximum protection, include the "includeSubDomains" directive and consider HSTS preloading, which hardcodes the HTTPS requirement into browsers themselves.
At minimum, every website should implement: Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy (CSP) to prevent XSS, X-Content-Type-Options: nosniff to block MIME-type sniffing, X-Frame-Options or CSP frame-ancestors to prevent clickjacking, Referrer-Policy to control information leakage, and Permissions-Policy to restrict browser features like camera and microphone access. Our checker evaluates all of these and highlights which ones you're missing.
Our grading evaluates the presence and configuration of each security header against OWASP recommendations. An A+ means all recommended headers are present with strict, well-configured policies. Missing headers lower the grade, and misconfigured headers (like CSP with unsafe-inline) result in deductions. Each header is weighted by its security impact; for example, a missing CSP has more impact than a missing Referrer-Policy.
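As an added illustration of the check-and-grade steps described above (capture headers, look for each security header, parse its value, deduct for weak or missing ones), here is a small evaluator written for this page, not the checker's own code. The weights, deductions and letter thresholds are this example's assumptions; the sample header sets are constructed.

```python
import re
# Constructed weights (not the page's real scoring table); they follow the text's point
# that a missing CSP costs more than a missing Referrer-Policy.
WEIGHTS = {"content-security-policy": 30, "strict-transport-security": 25, "permissions-policy": 15,
           "x-content-type-options": 10, "x-frame-options": 10, "referrer-policy": 10}
ONE_YEAR = 31536000  # recommended HSTS max-age

def evaluate(headers):
    """Score a dict of response headers (names matched case-insensitively).
    Returns (score out of 100, list of findings)."""
    h = {k.lower(): v for k, v in headers.items()}
    hits = []  # (points deducted, finding)
    csp = h.get("content-security-policy", "")
    if not csp:
        hits.append((WEIGHTS["content-security-policy"], "missing Content-Security-Policy"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        hits.append((WEIGHTS["content-security-policy"] // 2, "CSP allows unsafe-inline/unsafe-eval"))
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        hits.append((WEIGHTS["strict-transport-security"], "missing Strict-Transport-Security"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            hits.append((WEIGHTS["strict-transport-security"] // 2, "HSTS max-age below one year"))
        if "includesubdomains" not in hsts.lower():
            hits.append((5, "HSTS lacks includeSubDomains"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        hits.append((WEIGHTS["x-content-type-options"], "missing X-Content-Type-Options: nosniff"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        hits.append((WEIGHTS["x-frame-options"], "no clickjacking protection (X-Frame-Options/frame-ancestors)"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            hits.append((WEIGHTS[name], f"missing {name}"))
    return 100 - sum(p for p, _ in hits), [msg for _, msg in hits]

def grade(score):
    """Letter grade; thresholds are this example's assumption, A+ only with no deductions."""
    for threshold, letter in ((100, "A+"), (90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if score >= threshold:
            return letter
    return "F"

# Constructed sample responses: a weak server and a hardened one.
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=3600", "X-Frame-Options": "DENY"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
```

Calling `grade(evaluate(WEAK)[0])` yields an F with six findings, while the hardened set scores A+ even without X-Frame-Options because its CSP carries frame-ancestors.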