Security Headers Checker
Check HTTP security headers for any website and get a security grade (A+ to F) with actionable recommendations to fix missing or misconfigured headers.
About Security Headers Checker
How It Works
- Sends a server-side HTTP request to the target website
- Reads all response headers from the server
- Evaluates 8 critical security headers against best practices
- Calculates a weighted score and assigns a letter grade (A+ to F)
- Provides specific remediation advice for each header
Common Use Cases
- Security audits and penetration testing prep
- Hardening web server configurations
- Verifying security header deployments
- Compliance checks (OWASP, PCI DSS, etc.)
- Monitoring security posture over time
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are response headers that instruct browsers on how to behave when handling your website's content. They are a critical layer of defense against common web attacks such as XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.
How is the security grade calculated?
Each of the 8 checked headers is assigned a weight based on its security impact. Fully present and correctly configured headers earn full weight, misconfigured headers earn partial credit, and missing headers earn nothing. The weighted total is converted to a 0–100 score and mapped to a letter grade: A+ (95+), A (80+), B (65+), C (50+), D (35+), F (below 35).
Which security headers does this tool check?
The tool evaluates: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cross-Origin-Opener-Policy (COOP).
What is Content-Security-Policy and why is it important?
Content-Security-Policy (CSP) is the most important security header. It prevents Cross-Site Scripting (XSS) and data injection attacks by specifying exactly which sources are allowed to load scripts, styles, images, and other resources. A strong CSP avoids the 'unsafe-inline' and 'unsafe-eval' source keywords, which would re-open the door to injected inline code.
What is HSTS (Strict-Transport-Security)?
HTTP Strict Transport Security (HSTS) forces browsers to connect to your site exclusively over HTTPS for a specified period. This prevents protocol downgrade attacks and cookie hijacking. A max-age of at least 1 year (31536000 seconds) with includeSubDomains is recommended.
What does X-Frame-Options do?
X-Frame-Options prevents your website from being embedded inside an iframe on another domain, protecting users from clickjacking attacks. The recommended values are DENY (never allow framing) or SAMEORIGIN (only allow framing from the same origin).
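The grading scheme described above (weighted per-header credit, a 0-100 score, the stated A+/A/B/C/D/F cut-offs, and the CSP, HSTS and X-Frame-Options rules) can be reproduced offline. The following is an added illustration, not the tool's own code; the per-header weights are an assumption because the page does not publish them, and the two sample header sets are constructed, not captured from any real site.

```python
import re
# Assumed weights (the page does not publish them); they sum to 100 = the score.
WEIGHTS = {
    "content-security-policy": 24, "strict-transport-security": 24,
    "x-frame-options": 14, "x-content-type-options": 14, "referrer-policy": 6,
    "permissions-policy": 6, "x-xss-protection": 6, "cross-origin-opener-policy": 6,
}
# Letter-grade cut-offs as the page states them; anything below 35 is an F.
GRADES = [(95, "A+"), (80, "A"), (65, "B"), (50, "C"), (35, "D")]

def score_header(name, value):
    """1.0 = present and correctly configured, 0.5 = misconfigured, 0.0 = missing."""
    if value is None:
        return 0.0
    v = value.strip().lower()
    if name == "content-security-policy":  # strong CSP avoids unsafe-inline/unsafe-eval
        return 0.5 if "unsafe-inline" in v or "unsafe-eval" in v else 1.0
    if name == "strict-transport-security":  # max-age >= 1 year plus includeSubDomains
        m = re.search(r"max-age=(\d+)", v)
        strong = m is not None and int(m.group(1)) >= 31536000 and "includesubdomains" in v
        return 1.0 if strong else 0.5
    if name == "x-frame-options":
        return 1.0 if v in ("deny", "sameorigin") else 0.5
    if name == "x-content-type-options":
        return 1.0 if v == "nosniff" else 0.5
    if name == "cross-origin-opener-policy":
        return 1.0 if v == "same-origin" else 0.5
    return 1.0  # Referrer-Policy, Permissions-Policy, X-XSS-Protection: presence only

def grade(headers):
    """Return (score, letter, missing_headers) for a response-header dict of any casing."""
    lower = {k.lower(): v for k, v in headers.items()}
    score = round(sum(w * score_header(n, lower.get(n)) for n, w in WEIGHTS.items()))
    letter = next((g for cutoff, g in GRADES if score >= cutoff), "F")
    return score, letter, [n for n in WEIGHTS if n not in lower]

# Constructed sample responses for this example, not captured from any real site.
WEAK_SITE = {
    "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_SITE = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0", "Cross-Origin-Opener-Policy": "same-origin",
}
```

With these assumed weights, WEAK_SITE scores 38 (a D, with five headers missing) and HARDENED_SITE scores 100 (A+); feeding `grade()` the header dict returned by your own HTTP client gives the same breakdown for a live response.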
Can I check any website?
You can check most publicly accessible websites. Some sites may block automated requests or be behind authentication, in which case the check may fail. The tool makes a server-side HEAD request, so client-side restrictions like CORS do not apply.
What is Permissions-Policy?
Permissions-Policy (formerly Feature-Policy) restricts which browser features and APIs your page can use, such as camera, microphone, geolocation, and payment APIs. This limits the potential impact of XSS or third-party script compromises.
My website got an F grade — where do I start?
Start with the headers marked Critical: add Strict-Transport-Security to enforce HTTPS, then implement Content-Security-Policy. Next address High severity headers (X-Frame-Options, X-Content-Type-Options). Use the example values provided in each header's detail card as a starting point.
Is this tool safe to use on my website?
Completely safe. The tool only makes a standard HTTP HEAD request (no body is downloaded), similar to what a browser does when checking a link. No changes are made to your server, and the check is entirely read-only.
What is Cross-Origin-Opener-Policy (COOP)?
COOP isolates your browsing context from cross-origin documents opened in popups. Setting it to same-origin prevents Spectre-like side-channel attacks and enables access to certain powerful browser APIs like SharedArrayBuffer.
How often should I check my security headers?
Run a check after any web server or CDN configuration change, after deploying new infrastructure, and as part of regular security audits. Many teams include security header checks in their CI/CD pipeline to catch regressions automatically.