Security Headers Checker — Analyze HTTP Headers Free

Analyze HTTP security headers (CSP, HSTS, X-Frame-Options)

Frequently Asked Questions

What are security headers?

HTTP security headers are directives sent by your web server that tell browsers how to handle your content. They protect against XSS, clickjacking, MIME sniffing, and other attacks.

Which security headers should every website have?

At minimum: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

How do I add security headers to my website?

You can add them in your web server config (Nginx, Apache), CDN settings (Cloudflare, Vercel), or application framework (Next.js headers config, Express middleware).
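As an added example (not code from this scanner), here is Express-style middleware that sets the six headers listed above, with a small audit helper to confirm a response carries them. The names `RECOMMENDED`, `securityHeaders`, and `auditHeaders` and the header values are assumptions chosen as starting points; the CSP in particular must be tuned to the site.

```javascript
// Added example: values are constructed starting points, not the scanner's rules.
const RECOMMENDED = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Express-style middleware signature (req, res, next); works with any
// response object that exposes setHeader(), so Express itself is not required.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(RECOMMENDED)) res.setHeader(name, value);
  next();
}

// Hypothetical audit helper: reports missing headers and obviously weak values.
// Header names are compared case-insensitively, as HTTP requires.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  for (const name of Object.keys(RECOMMENDED)) {
    if (!h[name.toLowerCase()]) findings.push(`missing: ${name}`);
  }
  const hsts = h["strict-transport-security"];
  if (hsts) {
    // max-age=0 tells the browser to forget the HSTS policy.
    const m = /max-age\s*=\s*"?(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) === 0) findings.push("weak: Strict-Transport-Security max-age is absent or 0");
  }
  const xcto = h["x-content-type-options"];
  if (xcto && xcto.toLowerCase() !== "nosniff") findings.push("weak: X-Content-Type-Options must be nosniff");
  const xfo = h["x-frame-options"];
  if (xfo && !/^(deny|sameorigin)$/i.test(xfo)) findings.push("weak: X-Frame-Options should be DENY or SAMEORIGIN");
  const csp = h["content-security-policy"];
  if (csp && /script-src[^;]*'unsafe-inline'/i.test(csp)) findings.push("weak: CSP script-src allows 'unsafe-inline'");
  return findings;
}
```

In an Express app the middleware is registered with `app.use(securityHeaders)` before the route handlers.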

What does an F grade mean?

An F grade means your site is missing most or all recommended security headers, leaving it vulnerable to common web attacks. The scan results show exactly which headers to add.

For authorized, legal, and ethical security testing only. Scans are rate-limited to 3 per day on the free tier.