Security Headers Checker
About the Security Headers Checker
The Security Headers Checker inspects the HTTP response headers a website returns and grades how well they protect visitors against common web attacks. It looks for headers such as Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy, then reports which are present, which are missing, and whether their values are configured safely. These headers are instructions the server gives the browser about how to handle the page, and because they are usually set at the web server or reverse proxy rather than in the application, they form a frontline defense layer that does not require changing application code.
Each header addresses a specific threat. Content-Security-Policy restricts which scripts, styles, and resources can load, mitigating cross-site scripting; Strict-Transport-Security forces HTTPS and prevents protocol-downgrade attacks; X-Frame-Options and CSP frame-ancestors stop clickjacking by controlling who can embed your page in an iframe; and X-Content-Type-Options stops browsers from MIME-sniffing responses into an unintended content type. The tool surfaces the raw header values so you can audit directives like default-src, the HSTS max-age, and whether includeSubDomains and preload are set.
This is essential for developers hardening a production deployment, security teams running a compliance pass, and site owners preparing for a penetration test or audit. It works well alongside an SSL certificate check when verifying transport security, and a Cookie Analyzer to confirm Secure, HttpOnly, and SameSite flags complement your header policy. Reviewing headers regularly catches regressions introduced by framework upgrades or new reverse-proxy rules.
A practical tip: start Content-Security-Policy in report-only mode so you can observe violations without breaking the site, then tighten it incrementally. Remove the deprecated X-XSS-Protection header rather than setting it, since current browsers ignore it and CSP covers the same ground; prefer CSP frame-ancestors over the older X-Frame-Options where possible; and stage HSTS carefully: a long max-age by itself only affects the host that sent it, but includeSubDomains extends it to every subdomain, so add that directive only once you are confident each subdomain (including internal and legacy hosts) is reachable over HTTPS. Add preload last, because the browser preload list requires includeSubDomains and a max-age of at least one year, and removal from the list is slow and difficult to reverse.
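The following Python script shows, in code, the checks described in the two paragraphs above (header presence, HSTS max-age and preload prerequisites, CSP report-only versus enforced, unsafe script sources, frame-ancestors precedence, nosniff, leaky Referrer-Policy values, and the deprecated X-XSS-Protection header). It is an added example, not the checker's own code: the grading rules are one reading of the page's advice, the letter grades are an assumed scheme, and the two sample header sets are constructed for illustration, not captured from any real site.

```python
from __future__ import annotations
from collections import namedtuple
Finding = namedtuple("Finding", "severity header message")  # severity is "fail" or "warn"; no findings means clean
PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires a max-age of at least one year

def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload'; directive names are case-insensitive."""
    out = {"max_age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            out["max_age"] = int(val)
        elif name in out:  # includesubdomains and preload are valueless flags
            out[name] = True
    return out

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy: dict[str, list[str]] = {}
    for tokens in (d.split() for d in value.split(";")):
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_headers(headers: dict[str, str]) -> list[Finding]:
    """Apply the page's rules to one response and return its problems; names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    out: list[Finding] = []
    add = out.append
    # HSTS: present, non-zero max-age, and preload only together with what the preload list requires
    hsts_raw = h.get("strict-transport-security")
    if hsts_raw is None:
        add(Finding("fail", "Strict-Transport-Security", "missing"))
    else:
        hsts = parse_hsts(hsts_raw)
        if not hsts["max_age"]:
            add(Finding("fail", "Strict-Transport-Security", "max-age missing or zero (zero deletes the policy)"))
        elif hsts["max_age"] < PRELOAD_MIN_MAX_AGE:
            add(Finding("warn", "Strict-Transport-Security", f"max-age={hsts['max_age']} is under one year"))
        if hsts["preload"] and not (hsts["includesubdomains"] and (hsts["max_age"] or 0) >= PRELOAD_MIN_MAX_AGE):
            add(Finding("warn", "Strict-Transport-Security", "preload set without includeSubDomains and a one-year max-age"))
    # CSP: enforced rather than report-only, with a default-src fallback and no unsafe script sources
    enforced, report_only = h.get("content-security-policy"), h.get("content-security-policy-report-only")
    policy = parse_csp(enforced) if enforced is not None else {}
    if enforced is None and report_only is None:
        add(Finding("fail", "Content-Security-Policy", "missing"))
    else:
        if enforced is None:
            add(Finding("warn", "Content-Security-Policy", "report-only; violations are reported, not blocked"))
        checked = policy if enforced is not None else parse_csp(report_only)
        if "default-src" not in checked:
            add(Finding("warn", "Content-Security-Policy", "no default-src; unlisted fetch directives are unrestricted"))
        script_src = checked.get("script-src", checked.get("default-src", []))
        weak = [t for t in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:") if t in script_src]
        if weak:
            add(Finding("warn", "Content-Security-Policy", "script-src allows " + " ".join(weak)))
    # Clickjacking: an enforced frame-ancestors takes precedence; X-Frame-Options only covers older browsers
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        add(Finding("fail", "X-Frame-Options", f"'{xfo}' is ignored by current browsers" if xfo else "missing, and no frame-ancestors"))
    # nosniff is the only valid value; two Referrer-Policy values send the full URL cross-origin
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        add(Finding("fail", "X-Content-Type-Options", "missing or not 'nosniff'"))
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()  # the last listed policy wins
    if referrer in ("", "unsafe-url", "no-referrer-when-downgrade"):
        add(Finding("warn", "Referrer-Policy", f"'{referrer}' leaks the full URL" if referrer else "missing"))
    if "permissions-policy" not in h:
        add(Finding("warn", "Permissions-Policy", "missing; browser features such as camera are not restricted"))
    if "x-xss-protection" in h:
        add(Finding("warn", "X-XSS-Protection", "deprecated and ignored by current browsers; remove it and rely on CSP"))
    return out

def grade(findings: list[Finding]) -> str:
    """Collapse findings to a letter (assumed scheme): any fail is F, any warn is B, otherwise A."""
    severities = {f.severity for f in findings}
    return "F" if "fail" in severities else "B" if "warn" in severities else "A"

# Constructed sample responses for two hypothetical sites (not captured from any real host).
WEAK = {
    "Strict-Transport-Security": "max-age=300; preload",
    "Content-Security-Policy-Report-Only": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_headers(hdrs)
        print(name, grade(findings), *(f"\n  [{f.severity}] {f.header}: {f.message}" for f in findings))
```

To run it against a live site, pass `dict(resp.headers.items())` from a `urllib.request.urlopen` response (after redirects) to `audit_headers`; note that a plain dict keeps only the last value of a header sent twice, so check the raw response if a server emits duplicate CSP or HSTS headers. The CSP check deliberately flags `'unsafe-inline'` even when a nonce or hash is also present: modern browsers then ignore the keyword, but older ones do not, so the directive is still worth tightening.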
Frequently asked questions
- Which security headers matter most?
- Content-Security-Policy, Strict-Transport-Security (HSTS), and X-Content-Type-Options deliver the broadest protection. CSP mitigates cross-site scripting, HSTS enforces HTTPS, and nosniff prevents MIME confusion attacks.
- What does Strict-Transport-Security do?
- HSTS tells a browser that has already received the header over HTTPS to use only HTTPS for your site for the max-age period: it rewrites http:// links to https:// before connecting and refuses to let the user click through certificate errors. That blocks SSL-stripping downgrades and stops cookies from being sent over plaintext. The very first visit is unprotected unless the domain is on the browser preload list; includeSubDomains extends the policy to every subdomain, and preload requests inclusion in that list.
- Is X-Frame-Options still needed?
- It still protects older browsers from clickjacking, but the modern equivalent is the Content-Security-Policy frame-ancestors directive, which is more flexible and lets you allow specific origins rather than only DENY or SAMEORIGIN. When both are present, browsers that understand frame-ancestors ignore X-Frame-Options, so keep the two consistent; setting both is a reasonable belt-and-suspenders approach.
- Why should I start CSP in report-only mode?
- A strict Content-Security-Policy can block legitimate scripts and styles and break the page. Report-only mode (the Content-Security-Policy-Report-Only header) logs violations to the browser console and sends them to your report-uri or report-to endpoint if you configure one, without blocking anything, letting you refine the policy before switching to full enforcement.