
A security headers checker inspects the HTTP response headers that a web server sends back when a browser or bot requests a page. These headers are a browser-enforced layer of web security: they tell the browser how to behave when rendering your site, which substantially reduces the risk of cross-site scripting (XSS), clickjacking, MIME-type confusion attacks, and data leakage. Most of them require no application code changes (a strict Content-Security-Policy is the exception, since it usually needs nonces or hashes in your templates), which makes them one of the fastest security wins available to any website owner or developer.

When a browser receives an HTTP response, it reads the headers before rendering a single line of HTML. Headers like Content-Security-Policy (CSP) define which external scripts, stylesheets, and fonts are allowed to load. HTTP Strict Transport Security (HSTS) tells browsers to only connect via HTTPS, preventing SSL-stripping attacks. X-Frame-Options prevents your page from being embedded in an iframe on another site, blocking clickjacking. These instructions are invisible to users but critically important for security posture.

Our online security headers tool performs a real HTTP GET request to your URL and analyses the full response header set, checking against the 9 most important security headers defined by OWASP, Mozilla Observatory, and security industry best practices. Each header receives a status — Present, Missing, or Warning — and the overall results are condensed into an A+ through F security grade so you can instantly benchmark your site and track improvement over time.

Whether you are a developer adding security headers for the first time, a sysadmin auditing a production server before a security review, or a DevSecOps engineer building automated header checks into a CI/CD pipeline, this tool provides the clear, actionable output you need. No account, no signup, and no browser extension required.

How to Use the Security Headers Checker

  1. Enter the URL to audit

     Type or paste the full URL you want to check, for example https://example.com. Include the protocol (https:// or http://). The tool fetches the page from an external server, so results reflect live production headers, not local development configurations.

  2. Click Scan

     Press the Scan button. The tool sends a real HTTP GET request to your URL, follows any redirects to the final destination, and captures the full response headers from the server. Only the final response is graded: if you enter an http:// URL that redirects to https://, the headers you see are those of the HTTPS response, which is where Strict-Transport-Security must be set (browsers ignore HSTS sent over plain HTTP). The scan completes in seconds.

  3. Review your security grade and header results

     Your site receives an overall grade from A+ (excellent) to F (critical issues). Below the grade, each of the 9 checked security headers is listed with its current value (if present), a brief explanation of what it does, and a recommended value if the header is missing or misconfigured.

  4. Implement the missing headers

     For each missing or warning header, copy the recommended value and add it to your server configuration: Apache .htaccess, Nginx server block, Cloudflare Transform Rules, or your Next.js/Express middleware. After deploying, re-run the scan to confirm the grade improved.

Understanding Security Header Results

The security grade is derived from how many of the 9 checked headers are present. A+ requires all 9 headers present with strong values, A requires at least 7, B requires 5-6, C requires 4, D requires 2-3, and F means fewer than 2 headers are implemented. The grade is a quick benchmark; what matters most is which specific headers are missing on your site. The most impactful headers to implement are Content-Security-Policy (mitigates XSS by restricting where scripts may come from), Strict-Transport-Security (enforces HTTPS for the duration of max-age, preventing downgrade attacks), and X-Frame-Options or its modern replacement, the frame-ancestors CSP directive (prevents clickjacking). These three alone dramatically reduce the attack surface for the most common web exploits. The X-Content-Type-Options: nosniff header is a one-liner that stops browsers MIME-sniffing responses into executable types; always add it. Referrer-Policy controls how much of the current URL is sent in the Referer header to third parties, which matters for privacy and for data-minimisation obligations under GDPR.
Field              Description
Header Name        The exact HTTP response header name as it should appear in the server response.
Status             Present (green): the header is set and accepted. Warning (yellow): the header is present but has a weak or deprecated value. Missing (red): the header is not set at all.
Current Value      The exact value the server is currently returning for this header, if it is present.
Recommended Value  A safe starting-point value for headers that are missing or have a weak configuration. Review and tighten for your specific use case.
Grade              Overall A+ to F security score based on how many of the recommended headers are correctly implemented.
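The scan procedure above and the grade bands in this section can be reproduced with a short script. What follows is an added example written for this page, not the code of the tool itself: a Node.js (18+, for the built-in fetch) checker that performs one GET, follows redirects, classifies each header as Present, Warning or Missing, and maps the count onto the A+ to F bands. The page names six of the nine headers its tool checks; the three Cross-Origin-* entries below are an assumption to reach nine, and the Warning rules (unsafe-inline in script-src, HSTS max-age under one year, a leaky Referrer-Policy value, a non-standard X-Frame-Options value) are the example's own choices. The sample headers at the bottom are constructed, not captured from any real server.

```javascript
// Added example, not the page's own tool: a small Node.js (18+, global fetch)
// security headers checker that follows the page's steps and grade bands.
// The page names six of the nine headers it checks; the three Cross-Origin-*
// entries are an assumption to reach nine, as are the Warning rules.

const ONE_YEAR = 31536000; // seconds; the HSTS max-age the page recommends

// Parse a CSP string into { directive: [sources] }, everything lower-cased.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// True when inline scripts are allowed: 'unsafe-inline' in script-src, or in
// default-src when there is no script-src (script-src falls back to it).
// Conservative: a nonce or hash alongside it would make browsers ignore it.
function cspAllowsInlineScript(value) {
  const d = parseCsp(value);
  const scriptSources = d['script-src'] || d['default-src'] || [];
  return scriptSources.includes("'unsafe-inline'");
}

// max-age in seconds, 0 when absent or unparsable.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)/i.exec(value);
  return m ? Number(m[1]) : 0;
}

// Header -> recommended value plus an optional "weak value" test.
const CHECKS = [
  { name: 'Content-Security-Policy', recommend: "default-src 'self'; frame-ancestors 'none'",
    weak: cspAllowsInlineScript },
  { name: 'Strict-Transport-Security', recommend: `max-age=${ONE_YEAR}; includeSubDomains`,
    weak: (v) => hstsMaxAge(v) < ONE_YEAR },
  { name: 'X-Frame-Options', recommend: 'DENY',
    weak: (v) => !['DENY', 'SAMEORIGIN'].includes(v.trim().toUpperCase()) },
  { name: 'X-Content-Type-Options', recommend: 'nosniff',
    weak: (v) => v.trim().toLowerCase() !== 'nosniff' },
  { name: 'Referrer-Policy', recommend: 'strict-origin-when-cross-origin',
    weak: (v) => ['unsafe-url', 'no-referrer-when-downgrade'].includes(v.trim().toLowerCase()) },
  { name: 'Permissions-Policy', recommend: 'camera=(), microphone=(), geolocation=()' },
  // Assumed: the page does not say which three further headers its tool checks.
  { name: 'Cross-Origin-Opener-Policy', recommend: 'same-origin' },
  { name: 'Cross-Origin-Resource-Policy', recommend: 'same-origin' },
  { name: 'Cross-Origin-Embedder-Policy', recommend: 'require-corp' },
];

// Accepts a fetch Headers object or a plain object. Header names are
// case-insensitive, so everything is compared lower-cased.
function evaluateHeaders(headers) {
  const lower = {};
  const entries = typeof headers.entries === 'function' ? headers.entries() : Object.entries(headers);
  for (const [k, v] of entries) lower[k.toLowerCase()] = String(v);
  return CHECKS.map(({ name, recommend, weak }) => {
    const value = lower[name.toLowerCase()];
    let status = 'Missing';
    if (value !== undefined) status = weak && weak(value) ? 'Warning' : 'Present';
    return { name, status, value: value ?? null, recommended: recommend };
  });
}

// Grade bands as the page states them: A+ needs every header present with a
// strong value; otherwise the count of Present + Warning headers decides.
function gradeFor(results) {
  const implemented = results.filter((r) => r.status !== 'Missing').length;
  if (implemented === results.length && results.every((r) => r.status === 'Present')) return 'A+';
  if (implemented >= 7) return 'A';
  if (implemented >= 5) return 'B';
  if (implemented === 4) return 'C';
  if (implemented >= 2) return 'D';
  return 'F';
}

// Live scan: one GET, redirects followed, headers of the final response graded.
async function scan(url) {
  const res = await fetch(url, { method: 'GET', redirect: 'follow' });
  const results = evaluateHeaders(res.headers);
  return { finalUrl: res.url, status: res.status, grade: gradeFor(results), results };
}

// Constructed sample (not captured from any real server): seven headers set,
// the CSP with 'unsafe-inline' in script-src, two of the nine missing -> grade A.
const SAMPLE_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
};

// Usage: node check-headers.js https://example.com (no argument: grade the sample).
if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const sample = evaluateHeaders(SAMPLE_HEADERS);
  const report = target ? scan(target) : Promise.resolve({ grade: gradeFor(sample), results: sample });
  report.then((r) => {
    console.log(`Grade: ${r.grade}`);
    for (const h of r.results) console.log(`${h.status.padEnd(8)} ${h.name}: ${h.value ?? `(recommended: ${h.recommended})`}`);
  });
}
```

The CSP check is deliberately directive-aware: 'unsafe-inline' only matters for scripts when it sits in script-src, or in default-src with no script-src to override it, so a policy that allows inline styles but not inline scripts is not flagged. The grade counts Warning headers as implemented, matching the page's bands, but reserves A+ for a clean sheet.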

Common Security Headers Use Cases

Pre-launch security audit for a new website

Before going live, run a security headers check to confirm that your server, CDN, and web framework are all returning the correct security headers. Missing headers at launch means real users are exposed immediately — catching them pre-launch costs nothing to fix and prevents embarrassment in public security scans.

Improve score on Mozilla Observatory or SecurityHeaders.com

Industry-standard security scanners like Mozilla Observatory and SecurityHeaders.com grade sites on their header implementation. Use this tool to quickly identify which specific headers are missing, implement them, and re-scan until you achieve an A or A+ rating — increasingly important for enterprise clients and regulated industries.

Prevent XSS attacks with Content-Security-Policy

Cross-site scripting (XSS) is consistently in the OWASP Top 10. A properly configured Content-Security-Policy header is the strongest browser-side mitigation for XSS, because it tells browsers to execute only scripts from approved sources (or carrying an approved nonce or hash); it complements output encoding in your application rather than replacing it. Use this checker to verify your CSP is present and that script-src does not contain an overly permissive value such as 'unsafe-inline', which lets injected inline scripts run.

GDPR and privacy compliance review

Referrer-Policy and Permissions-Policy headers directly affect user privacy. Referrer-Policy controls whether full page URLs are sent to third parties in the Referer header. Permissions-Policy restricts browser features such as camera, microphone, and geolocation access, for your own scripts and for embedded third-party iframes. Setting these correctly supports the data-minimisation obligations of GDPR and reduces third-party data exposure.

Security Headers — Frequently Asked Questions

What are HTTP security headers?
HTTP security headers are response headers that a web server sends alongside the page content. They instruct browsers how to behave when displaying the page — for example, which scripts are allowed to run, whether the page can be embedded in an iframe, and whether the browser should enforce HTTPS. They are set in server configuration (Apache, Nginx, Cloudflare, etc.) and require no changes to your HTML or JavaScript.
What is Content-Security-Policy and why does it matter?
Content-Security-Policy (CSP) is a header that tells browsers exactly which sources are allowed to load scripts, stylesheets, images, fonts, and other resources on your page. A strict CSP mitigates cross-site scripting (XSS) by blocking any script that was not explicitly allowed, whether by source or, in a nonce- or hash-based policy, by a per-request token: even if an attacker manages to inject script code into your page, the browser refuses to execute it. CSP is widely regarded as the most impactful security header for application security.
What is HSTS and how do I enable it?
HTTP Strict Transport Security (HSTS) is a header that tells browsers to only connect to your site over HTTPS, never HTTP, for a specified period. Once a browser sees this header, it will automatically upgrade all future requests to HTTPS even if a user types http:// or clicks an unencrypted link. To enable it, add Strict-Transport-Security: max-age=31536000; includeSubDomains to your server response headers. Browsers only honour the header when it arrives over a valid HTTPS connection, so it must be set on the HTTPS response, not on the HTTP redirect. Start with a short max-age (e.g. 86400 seconds) and increase it once you confirm HTTPS works correctly everywhere on your domain, including every subdomain if you use includeSubDomains, because browsers will refuse plain-HTTP connections to all of them until the policy expires.
What does X-Frame-Options do?
X-Frame-Options prevents your website from being embedded inside an <iframe> on another domain. Without this header, attackers can load your page invisibly inside a transparent iframe on a malicious site and trick users into clicking buttons or entering credentials, a technique called clickjacking. Set X-Frame-Options: DENY to block all framing, or SAMEORIGIN to allow framing only from your own domain; the older ALLOW-FROM value is deprecated and not supported by current browsers. Modern browsers also respect the frame-ancestors directive within Content-Security-Policy, which is the preferred approach and, when present, takes precedence over X-Frame-Options. Keep both for older browsers.
How do I add security headers in Nginx?
In your Nginx server block, add the headers inside the location / block or the main server block. For example:
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
After saving, test with nginx -t and reload with nginx -s reload. The always parameter ensures the header is sent even for error responses. Note that add_header directives are inherited from the server block only when a location block defines none of its own; a location with even one add_header of its own drops all the inherited ones, so repeat the full set there (or use an include file).
How do I add security headers in Apache?
In your .htaccess file or Apache configuration, use Header always set directives inside a <IfModule mod_headers.c> block. For example: Header always set X-Frame-Options "SAMEORIGIN" and Header always set X-Content-Type-Options "nosniff". Ensure mod_headers is enabled with a2enmod headers and then restart Apache; .htaccess files also need AllowOverride to permit them in the directory's configuration. The always condition makes the header apply to error responses as well as successful ones. For shared hosting environments that do not allow Apache configuration changes, check if your hosting panel has a security headers section.
How do I add security headers in Next.js?
In next.config.js (or next.config.ts), add a headers() function that returns an array of header configurations. Each entry specifies a source path pattern and an array of header objects with key and value. This sets headers at the Next.js server layer (or edge middleware) so they apply to all responses including statically generated pages served by Vercel, Netlify, or your Node.js server.
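As an added example (not from the page or from the Next.js project), here is a next.config.js that sets the headers discussed on this page for every route. The values are the starting points this page recommends and are assumptions about your site; the path pattern and the shape of the headers() return value follow the Next.js configuration format the answer describes.

```javascript
// Added example, not from the page or the Next.js project: a next.config.js
// that sets the headers discussed above on every route. Values are starting
// points; the CSP in particular must be tightened to the sources your app uses.

const securityHeaders = [
  { key: 'Content-Security-Policy',
    value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'" },
  { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    return [
      {
        // path-to-regexp pattern: '/:path*' matches '/' and every path under it.
        source: '/:path*',
        headers: securityHeaders,
      },
    ];
  },
};

// next.config.js is loaded as CommonJS; the guard keeps the snippet loadable as ESM too.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

One caveat when you copy this: Next.js emits inline scripts of its own, so the CSP above (no 'unsafe-inline' in script-src and no nonce) will block hydration on real pages. A strict CSP for Next.js needs a per-request nonce generated in middleware rather than a static value in next.config.js; the static value is fine for the other five headers.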
What is Referrer-Policy?
Referrer-Policy controls how much information about the current page URL is sent in the Referer header when a user clicks a link to, or loads a resource from, another site. Older browsers defaulted to no-referrer-when-downgrade, which sends the full URL, including paths and query strings, to external sites and can leak session tokens, internal paths, or personally identifiable information; current browsers default to strict-origin-when-cross-origin, but setting the header explicitly removes the dependence on browser defaults. Recommended value: strict-origin-when-cross-origin, which sends the full URL for same-origin requests, only the origin (not the path) to cross-origin sites, and nothing when navigating from HTTPS to HTTP.
What is Permissions-Policy?
Permissions-Policy (formerly Feature-Policy) restricts which browser features and APIs your page can use and which can be used by embedded third-party iframes. You can use it to disable camera, microphone, geolocation, payment APIs, and other sensitive features that your site does not need. For example, Permissions-Policy: camera=(), microphone=() prevents any script — including third-party analytics or ad scripts — from accessing the camera or microphone via your page.
