HTTP Security Headers Checker
Grade any website on HSTS, CSP, X-Frame-Options, and 4 more security headers
HTTP security headers tell browsers how to handle your site's content — helping to prevent cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks. Missing headers are a sign of a poorly configured or potentially fraudulent website. Check any site's security posture instantly.
What Are HTTP Security Headers?
HTTP security headers are directives sent by a web server in its HTTP response that instruct browsers on how to handle the page content. They are a critical layer of defence against many common web attacks. Legitimate websites implement these headers as standard practice. Their absence — particularly on sites handling personal or financial data — is a security concern.
Key Security Headers Explained
Strict-Transport-Security (HSTS) — Forces all browser connections to use HTTPS, preventing man-in-the-middle attacks that downgrade connections to HTTP. Critical for any site handling sensitive data.
Content-Security-Policy (CSP) — Restricts which scripts, styles, fonts, and other resources can be loaded by the page. The most powerful defence against Cross-Site Scripting (XSS) attacks.
X-Frame-Options — Prevents the page from being embedded in an iframe on another site. Stops clickjacking attacks where a fraudulent page overlays a legitimate one.
X-Content-Type-Options — Prevents browsers from "sniffing" the MIME type of a response, blocking a class of attacks where a script is disguised as a harmless file type.
Referrer-Policy — Controls how much information about the originating page is sent in the Referer header, protecting user privacy and internal URL structures.
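As an added example (not the checker's own code), a small grader that applies the five checks above to a captured set of response headers, flagging both missing headers and weak values; the letter-grade scale and the one-year HSTS threshold are assumptions chosen for illustration.

```python
# Added example, not the checker's own code: grade a captured response's security
# headers, checking both presence and weak configurations for the headers above.
import re

SAFE_REFERRER = ("no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin")

def _hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "HSTS present but has no max-age"
    if int(m.group(1)) < 31536000:  # assumption: one year is the threshold here
        return "HSTS max-age shorter than one year"
    return None

def _csp(v):
    # Parse "name tok tok; name tok" into {name: [tokens]}; script-src falls back to default-src.
    parts = [d.split() for d in v.split(";") if d.strip()]
    directives = {p[0].lower(): [t.lower() for t in p[1:]] for p in parts}
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return "CSP has neither script-src nor default-src"
    if "'unsafe-inline'" in script or "*" in script:
        return "CSP script-src allows 'unsafe-inline' or *, weakening XSS protection"
    return None

CHECKS = {  # each check returns None on pass, or a finding describing the weakness
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else "X-Frame-Options value is not DENY/SAMEORIGIN",
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "X-Content-Type-Options is not nosniff",
    "referrer-policy": lambda v: None if v.lower() in SAFE_REFERRER else "Referrer-Policy may leak full URLs cross-origin",
}

def grade_headers(headers):
    """Return (grade, findings) for a dict of response header -> value.
    Grade scale is an assumption for this example: A with no findings, one letter per finding, F floor."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        problem = check(lower[name]) if name in lower else f"{name} missing"
        if problem:
            findings.append(problem)
    return "ABCDEF"[min(len(findings), 5)], findings

# Constructed sample response: permissive CSP and no Referrer-Policy at all.
SAMPLE_RESPONSE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}
```

Calling `grade_headers(SAMPLE_RESPONSE_HEADERS)` yields grade C with two findings, one for the `'unsafe-inline'` script source and one for the missing Referrer-Policy.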